WordPress ‘flaw’

In a way this post is mislabeled, because it’s not really a WordPress flaw, more a case of badly set file permissions.

Anyway, to get to the point: I’ve been to several weblogs today based on WordPress which have been exploited because of badly set permissions. Unfortunately I had several websites open at the time and can’t pinpoint which ones are infected. Anyway, the people who’ve been “attacked” are those with certain files with permissions set to 666 (world-writable). A piece of JavaScript is inserted into those files which, when the page loads, tries to save the file “upload.wmv” / “update.wmv” / “update2.wmv” to your computer. This is a trojan, and must be told in no uncertain terms to piss right off.

Anyway, if you’re using WordPress or ANY script that involves file permissions set to 666, you need to get them changed to 644 now. Erm, I think it’s 644 anyway. Folders need to be set to 755. If you don’t know how to change file permissions, google it, because I’m still too lazy to write a tutorial on it.

ETA: If you’ve got exploited files, simply changing the permissions to 644 isn’t enough. You’ll need to edit each file to remove the ‘bad’ JavaScript. It might just be easier to re-upload fresh copies of the exploited files if you don’t know what you’re doing or don’t want to risk breaking any particular file.
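As an added example (not part of the original post), here is a small POSIX shell script that does the two things the post describes: it lists every file and folder under a web root that is world-writable (666, 766, 777 and the like), resets them to the 644/755 the post recommends, and flags any file that mentions the “.wmv” names the post says the injected script tries to save. The `WEBROOT` variable and the constructed sample tree are assumptions; a grep hit is a candidate for manual review or re-upload, not proof of infection.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes a POSIX shell
# with find, grep and chmod. WEBROOT is an assumed path to the site root.

# Print every regular file under $1 whose mode grants write to "other".
# This catches 666, 766, 777 and any other world-writable mode.
find_world_writable() {
    find "$1" -type f -perm -o=w
}

# Print every directory under $1 that is world-writable (e.g. 777).
find_world_writable_dirs() {
    find "$1" -type d -perm -o=w
}

# Reset to the post's recommendation: files 644, directories 755.
# Only touches entries that are currently world-writable, so files that
# were already 644/755 are left alone.
fix_permissions() {
    find "$1" -type f -perm -o=w -exec chmod 644 {} +
    find "$1" -type d -perm -o=w -exec chmod 755 {} +
}

# Print files under $1 that reference the dropped filenames the post names
# ("upload.wmv", "update.wmv", "update2.wmv"). The pattern is constructed
# from the post's text; matches need a human look, then clean or re-upload.
find_suspect_files() {
    grep -rlE 'upload\.wmv|update2?\.wmv' "$1" 2>/dev/null || true
}

# Stand-alone usage: WEBROOT=/path/to/site sh audit.sh
# Reports first, then fixes permissions; cleaning file contents is manual.
if [ -n "${WEBROOT:-}" ]; then
    echo "World-writable files:";       find_world_writable "$WEBROOT"
    echo "World-writable directories:"; find_world_writable_dirs "$WEBROOT"
    echo "Files mentioning the .wmv names:"; find_suspect_files "$WEBROOT"
    fix_permissions "$WEBROOT"
    echo "Permissions reset to 644 (files) / 755 (directories)."
fi
```

Run the report once before fixing so you have a list of which files were writable; those are the ones worth opening to check for injected script, since a file that was never world-writable could not have been modified this way.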

Tell your friends.

25 Comments on “WordPress ‘flaw’”

  1. Rosemarie says:

    arr matey.

    Response posted: November 28th, 2005 at 5:53 pm
  2. Katy says:

    the 666 is so you can edit WP theme files via their admin panel. I don’t see much point in this anyway, but there you go… oh, and for htaccess stuff. that annoyed me cos it kept overwriting my hotlink protection, grr

    Response posted: November 28th, 2005 at 5:57 pm
  3. Jem says:

    I know.. and the crazy thing is, had I still been using WordPress, 90% of my files would be set to 666. For once, my scripts are more secure!

    Response posted: November 28th, 2005 at 6:06 pm
  4. Gemma says:

    I visited a site today and Firefox popped up a message asking to download that file. I had no idea what it was. Thanks for the heads-up.

    Response posted: November 28th, 2005 at 6:22 pm
  5. Jennifer says:

    That explains why some of my themes have been acting up; I’ve set them all to 666 for editing in WP. Thanks for telling me!

    Response posted: November 28th, 2005 at 6:56 pm
  6. Taruto says:

    Hmm. I guess I should be throwing out any scripts which ask to have permissions changed to 666/775/777 then? Gah! How will I ever find replacements for these?

    Response posted: November 28th, 2005 at 7:06 pm
  7. Meggan says:

    At the risk of asking a stupid question, what files need to be changed? If I just CHMOD the entire WP folder, will it mess anything up, or is that what I’m supposed to do?

    Response posted: November 28th, 2005 at 7:11 pm
  8. Rosemarie says:

    Meggan - What I did was change all the .php files with 666 inside the different theme folders. Just anything that’s 666 at the moment, basically. I think 755 isn’t too good either, actually (write/execute are both not grand).

    Response posted: November 28th, 2005 at 7:48 pm
  9. Meggan says:

    Thanks, Rosemarie and Jem! I went to change the permissions and they all appeared to be at 644, so I didn’t have to do anything anyway. But at least now I know. :D

    Response posted: November 28th, 2005 at 7:58 pm
  10. Jenny says:

    My theme files are set to 766, but I will check everything anyway. Thanks for the heads up!

    Response posted: November 28th, 2005 at 8:11 pm
  11. Amelie says:

    Hmph, more script flaws. I’ve only recently done the 666 thing; I turned register_globals off and assumed everything was good. Oh well. *Goes off to change it all back again*

    Response posted: November 28th, 2005 at 9:44 pm
  12. Chrissy says:

    Wait, what? I am slow. How do I do this? My head hurts.

    Response posted: November 28th, 2005 at 10:18 pm
  13. Tiddley says:

    I’ll warn all my web-making friends at once! *pause* Oh wait, you already know. Have a hug for no apparent reason because you rock. *hug*

    Response posted: November 29th, 2005 at 3:35 am
  14. Jordie says:

    I just wanted to comment on how funny I think it is that gooogle.com - with the extra ‘o’ - redirects to the correctly spelt google.com.

    Response posted: November 29th, 2005 at 4:58 am
  15. Jem says:

    Oops. I didn’t spot the extra ‘o’.

    Response posted: November 29th, 2005 at 5:54 am
  16. Echo says:

    ~pouts if only that meant anything to me. I understand these things only for as long as I need to for any single project I am taking on and next time I need to know them I have to look them all up again… at least I know how to look them up now? That’s the one part that does not yet escape me ; )

    Response posted: November 29th, 2005 at 7:10 am
  17. kachii says:

    You should use MT because WP are google cheats. *sob* offtopic I got offered a scholarship of £3,000pa from Brunel (http://brunel.ac.uk) :D /offtopic

    Response posted: November 29th, 2005 at 10:06 am
  18. Rosemarie says:

    There’s a little bit of php in there too; Something like if such and such isn’t defined, then do this and… yeah. I can’t remember now :P

    Response posted: November 29th, 2005 at 10:33 am
  19. Jenny says:

    I’m guessing this is also the little php ‘error_reporting’ thing too? I’m an idiot. Thanks for that. :)

    Response posted: November 29th, 2005 at 11:38 am
  20. Jenn says:

    Chrissy and I both got hit with it because of file permissions. *smacks head* Thank goodness it was relatively easy to edit out the nasty code!

    Response posted: November 29th, 2005 at 9:22 pm
  21. Jessica says:

    Wow, I’ve been noticing that around, too. At least with Firefox it doesn’t auto-download and asks me first. And of COURSE I’ve always said ‘no’. I was kind of wondering what was up with that. I don’t THINK any of my files are vulnerable, though I do know I have some files CHMODed to 666; I don’t know which ones. And go figure, 666 = the number of Satan. Or whatever. LOL

    Response posted: November 30th, 2005 at 9:56 am
  22. Jen says:

    Thanks for letting us know, Jem. I think I checked mine and nothing’s particularly wrong with them. P.S. I find it fascinating that going to Google works with both google.com and gooogle.com. Nifty discovery, thanks to your link.

    Response posted: November 30th, 2005 at 3:45 pm
  23. Brenda says:

    Jem! I accessed a blog today, and some media file was automatically uploaded to my site. Is this URL part of the trojan you were warning us about too? (Don’t click this!) media.licenseacquisition.org/playlist.php?id=2172B319

    Response posted: December 1st, 2005 at 12:19 am
  24. Brenda says:

    Update on my previous comment: I discovered that it was indeed spyware after running that URL over a couple of search engines. I’ve done a system restore to remove the spyware. :)

    Response posted: December 1st, 2005 at 1:11 am
  25. Kestrel says:

    So both my blogs were hit with this, argh! I ran Norton Antivirus on my computer after having the wmv automatically loaded… I should be good, right? Or do I need to do something else? Any info would be so much appreciated!

    Response posted: December 2nd, 2005 at 8:07 am