Tips, Tricks, Tools & Techniques

for Internet Business, Life, the Universe and Everything

An Old WordPress Version Can Get You Banned In Google

20 February, 2008 (10:10) | Security, WordPress | By: Nick Dalton

Imagine a customer searching Google for one of your top keywords who, instead of finding your blog, is greeted with this:

Google: Warning this site may harm your computer

Over the past couple of weeks this is what has happened to many WordPress blog owners. Forums are filled with desperate and bewildered bloggers who don’t know what happened or how to fix the problem.

The root cause of these problems is a bug in a WordPress file called xmlrpc.php. This is not the first, nor will it be the last, WordPress security issue. But in this case the bad guys are systematically exploiting the bug.

Automated scripts scan the Internet for vulnerable WordPress blogs. When they find one, a small snippet of HTML is added to an old blog post. This HTML snippet is an IFRAME that retrieves data from a server with the innocent-looking name wp-stats-php.info. At first glance this may look like some server collecting WordPress stats. It isn’t. This web site, seemingly based in China, is part of the growing underground economy of badware. Their role in the ecosystem is to install IFRAMES on as many web sites as possible. They will then most likely sell their “iframe service” to another company that wants to install a small piece of bad software on as many computers as possible. Currently it looks like the payload they are distributing is a virus. But it could easily be changed to a trojan keylogger or a program that turns your computer into a node in a botnet. Pretty bad stuff; so Google is right in warning users against visiting hacked sites.

But what does that mean to you as a WordPress blogger?

With the millions of WordPress blogs out there, these criminals have found fertile ground for their exploits. Unless you have updated your WordPress blog to the latest version – 2.3.3 – you are exposed to this threat.

I know that I may sound like yet another security expert crying wolf. In this case the threat is very real. Just ask one of the many bloggers who have been affected. In the heavily interlinked blogosphere it’s just a matter of time before the bad guys follow the links to your blog.

Here are some recent horror stories, should you need more convincing:

Even if the current outfit behind wp-stats-php.info is shut down, there are others who are gearing up their operations.

What should you do?

  1. Backup your WordPress files and database
  2. Upgrade to WordPress 2.3.3
  3. Check your blog to make sure you haven’t already been infected

If you have done many customizations to your blog (theme and/or plugins) and you’re afraid something will break with the upgrade to 2.3.x, then at least install the latest version of the xmlrpc.php file. You can download it here and just FTP it over the existing file in your root WordPress directory.

More to come on this topic…

Comments

Comment from Tibi Puiu
Time: February 21, 2008, 11:01

Luckily I’ve managed to resolve the issue, but it did cause a lot of stress and undoubtedly hurt my rankings a great deal. Thank God it’s all over now :D . Good thing you’re warning people about the exploit, maybe you can raise some awareness and open some eyes, I didn’t pay much attention to updates and I paid the price. Will follow up with a post about how to deal with the situation that I myself and possibly thousands of other innocent bloggers were subjected to.

Comment from Tom Brownsword, CISSP
Time: February 21, 2008, 11:49

Nick,

That’s a very good write-up, and thanks for using your blog to call attention to this. I’ve seen far too many compromised WordPress blogs that got that way simply because the owner didn’t update their software.

What you said is absolutely correct. It’s all automated hacking, and it doesn’t matter if your blog gets one hit or a million hits every day — you are a target. So back up your blog and update.

Best regards,
Tom

Comment from Ryan Healy
Time: February 21, 2008, 12:58

I wonder if this is what happened to my friend last week? I’m definitely going to forward this post to him. Thanks for the heads-up, Nick.

Comment from Richard Palace
Time: February 22, 2008, 20:26

Thanks Nick Dalton. Now I know how the iframe code was added. You are right to advise people to upgrade WordPress to the latest version.

Pingback from Should You Upgrade to WordPress 2.5?
Time: March 10, 2008, 14:50

[...] on version 2.3.3. (If you’re on a version prior to 2.3.3 you should upgrade immediately due to security issues in all prior WordPress [...]

Comment from Josh
Time: March 11, 2008, 15:49

Great write up. One of my sites was hacked using the method you describe. I used your method to find the code and have cleaned my site and have re-submitted to Google. My fingers are crossed.

Comment from Gary
Time: March 13, 2008, 13:35

I just posted on my site today and got a SAV virus warning about a downloader called wp-stats[1].htm in my temp cache again. I was searching to see if WordPress uses a file like this that SAV may be accidentally thinking is bad. I understand that I need to upgrade, but how do I fix the posts that are infected? I only have a couple. I get tons of auto spam a week, but I mark them all as spam and they disappear. Oh, and the first time I got the virus warning was reading these posts and marking them.

So will upgrading be enough? I don’t want people who actually may visit my site to get slapped. Thanxx!

Comment from Nick Dalton
Time: March 13, 2008, 13:43

Gary,

1. Go to Manage Posts in WordPress Admin.
2. Enter wp-stats in the Search terms box and click Filter.
3. You will now see a list of all the posts that contain this string.
4. Either delete these posts, or edit them.
5. If you use the HTML editor you should be able to see the iframe that calls wp-stats-php.info. Remove that snippet of HTML code.
6. Save the post and repeat until all posts have been cleaned.

Hope this helps,
Nick
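As an added example that is not code from the original post or from WordPress itself, the following Python script models step 3 of the post (checking whether your blog has already been infected) and the manual clean-up Nick describes in his reply to Gary. It scans post bodies for IFRAME tags and strips those whose src points at wp-stats-php.info or that are hidden (zero/one-pixel or display:none), so it also catches the same trick when the attackers move to a renamed host. Only the domain name comes from the post; the sample post bodies, post IDs and the URL path are constructed for the example.

```python
"""Scan WordPress post HTML for injected IFRAMEs and strip them.

Added example, not code from the original post or from WordPress.
It models the infection described above: a hidden <iframe> whose src
points at wp-stats-php.info appended to an old post. Sample posts below
are constructed; only the domain name comes from the post.
"""
import re
from urllib.parse import urlparse

# Indicator taken from the post. Extend this set as further hosts are identified.
KNOWN_BAD_HOSTS = {"wp-stats-php.info"}

# Whole iframe element (with or without a closing tag), case-insensitive.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>.*?</iframe\s*>|<iframe\b[^>]*/?>", re.I | re.S)
OPEN_TAG_RE = re.compile(r"<iframe\b[^>]*>", re.I)
# name="value", name='value' or name=value inside a tag.
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))""")


def parse_attrs(tag):
    """Return the attributes of the iframe's opening tag as a lower-cased dict."""
    opening = OPEN_TAG_RE.match(tag)
    attrs = {}
    for m in ATTR_RE.finditer(opening.group(0) if opening else tag):
        attrs[m.group(1).lower()] = m.group(3) or m.group(4) or m.group(5) or ""
    return attrs


def _tiny(value):
    """True for width/height of 0 or 1 (optionally suffixed with px)."""
    v = value.strip().lower().removesuffix("px").strip()
    return v.isdigit() and int(v) <= 1


def classify_iframe(tag):
    """Return (src, reasons). An empty reasons list means the frame looks legitimate."""
    attrs = parse_attrs(tag)
    src = attrs.get("src", "")
    host = (urlparse(src).hostname or "").lower()
    reasons = []
    if host in KNOWN_BAD_HOSTS or any(host.endswith("." + h) for h in KNOWN_BAD_HOSTS):
        reasons.append("src points at known-bad host " + host)
    if _tiny(attrs.get("width", "")) or _tiny(attrs.get("height", "")):
        reasons.append("zero/one-pixel frame")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via CSS")
    return src, reasons


def scan_post(post_id, content):
    """Strip suspicious iframes from one post body; return (cleaned_html, findings)."""
    findings = []

    def repl(match):
        tag = match.group(0)
        src, reasons = classify_iframe(tag)
        if reasons:
            findings.append({"post": post_id, "src": src, "reasons": reasons})
            return ""  # drop the injected frame
        return tag  # a visible iframe (e.g. an embedded video) is left alone

    return IFRAME_RE.sub(repl, content), findings


def scan_posts(posts):
    """Run scan_post over {post_id: post_content}; return (cleaned_posts, report)."""
    cleaned_posts, report = {}, []
    for post_id, content in posts.items():
        cleaned, findings = scan_post(post_id, content)
        cleaned_posts[post_id] = cleaned
        report.extend(findings)
    return cleaned_posts, report


# Constructed sample post bodies (the URL path on the bad host is a placeholder).
SAMPLE_POSTS = {
    12: "<p>My first post about WordPress plugins.</p>\n"
        '<iframe src="http://wp-stats-php.info/PLACEHOLDER/wp-stats.htm" '
        'width="1" height="1" frameborder="0"></iframe>',
    15: "<p>Conference video:</p>"
        '<iframe src="http://video.example.com/embed/abc" width="425" height="350"></iframe>',
    19: '<p>Old post.</p><iframe src="http://cdn.example.net/x.htm" style="display: none"></iframe>',
}

if __name__ == "__main__":
    cleaned, report = scan_posts(SAMPLE_POSTS)
    for finding in report:
        print(f"post {finding['post']}: {finding['src']} ({'; '.join(finding['reasons'])})")
```

Run it over a database export of `post_content` (or over the rows returned by the admin-screen search for "wp-stats" described above) and review the report before writing the cleaned bodies back. The known-host check finds exactly what the admin search finds; the size and CSS checks are what catch the same injection after the operators change domains.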

Comment from Gary
Time: March 14, 2008, 08:47

This is criminal! The stupid code was hidden in MY posts!! crud!

Thanx Nick!

Pingback from Another Good Reason For Upgrading WordPress
Time: April 8, 2008, 08:48

[...] does something similar with their “This web site may harm your computer” warnings. Although Google only does it when a web site has been infected. Technorati assumes that old WP [...]

Comment from Sam Florist, JR
Time: June 23, 2008, 17:31

Wow.. That's happening to me now :(
