WordPress ‘flaw’

In a way this post is mislabelled, because the problem isn't really in WordPress itself; it's a case of badly set file permissions.

Anyway, to get to the point: I've been to several WordPress-based weblogs today which have been exploited because of dodgy permissions. Unfortunately I had several websites open at the time and can't pinpoint which ones are infected. The people who've been "attacked" are those with certain files set to 666 (world-writable). A piece of JavaScript is inserted which, when the page loads, tries to save a file called "upload.wmv", "update.wmv" or "update2.wmv" to your computer. This is a trojan, and must be told in no uncertain terms to piss right off.

Anyway, if you're using WordPress or ANY script that asks for permissions set to 666, change them to 644 now. That's 644 (rw-r--r--) for files and 755 (rwxr-xr-x) for folders: the owner keeps write access, everyone else gets read only (plus, for folders, the execute bit needed to enter them). A 666 file can be written by any process on the server, not just you, which on shared hosting means any other account's scripts, or the web server account itself if something running under it gets compromised. If you don't know how to change file permissions, google it, because I'm still too lazy to write a tutorial on it.
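As an added example (not from the original post), here is a small POSIX shell script that does the check and the fix described above: list every world-writable file or folder under a site root, then tighten files to 644 and folders to 755. It assumes a POSIX find(1) and that you point it at your WordPress install root; the sample tree it builds under mktemp is constructed for the demonstration and is not a real site.

```shell
#!/bin/sh
# Added example: audit a web root for loose permissions and tighten them.
# Assumes POSIX find(1)/chmod(1); the directory passed in is the site root.

# Print every file or directory under $1 that is world-writable.
# -perm -002 matches anything with the "other: write" bit set, which is what
# 666 files and 777 directories have in common.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002
}

# Number of world-writable entries, so a script can decide whether to act.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Tighten: files to 644 (rw-r--r--), directories to 755 (rwxr-xr-x).
# Only the mode bits change; ownership is left alone.
fix_permissions() {
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type d -exec chmod 755 {} +
}

# Demonstration on a constructed throwaway tree (not a real install).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/themes/default"
printf '<?php echo "theme header"; ?>\n' > "$demo_root/wp-content/themes/default/header.php"
chmod 666 "$demo_root/wp-content/themes/default/header.php"   # the "666" case
chmod 777 "$demo_root/wp-content/themes/default"              # a 777 folder
echo "before: $(count_world_writable "$demo_root") world-writable entries"
find_world_writable "$demo_root"
fix_permissions "$demo_root"
echo "after: $(count_world_writable "$demo_root") world-writable entries"
rm -rf "$demo_root"
```

Run `find_world_writable /path/to/wordpress` first and read the list before running `fix_permissions`: anything that genuinely needs to be written by the web server (an uploads folder, for instance) will stop working at 644/755 if PHP runs as a different user than the file owner, and the theme editor and .htaccess writing that comment 1 mentions go with it. Tightening modes also does nothing for files that have already been tampered with; those still have to be cleaned or replaced.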

ETA: If you've got exploited files, simply changing the permissions to 644 isn't going to fix them. You'll need to edit each file to remove the injected JavaScript. It may be easier to re-upload clean copies of the exploited files if you don't know what you're doing or don't want to risk breaking a file.
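As an added example (not from the original post), the script below finds files carrying the injected script and replaces each one with a known-clean copy, which is the "re-upload new versions" approach above done in bulk. It uses the three dropped-file names the post mentions (upload.wmv, update.wmv, update2.wmv) as the search indicator; that pattern, the directory layout and the sample injected line are all assumptions constructed for the demonstration, not the real payload. It assumes a POSIX shell with find, grep and cmp, and a clean copy of the same files (a fresh download of the theme or of WordPress) to restore from.

```shell
#!/bin/sh
# Added example: locate injected files by indicator and restore clean copies.
# Assumes POSIX find/grep/cmp; INDICATOR is an assumption based on the
# filenames the post says the injected JavaScript tries to save.

INDICATOR='upload\.wmv|update\.wmv|update2\.wmv'

# List files under $1 whose contents mention any of the indicator names.
# Only web-served text files are scanned; "|| true" keeps a no-match grep
# from turning into a failed find.
find_injected() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.js' \) \
        -exec grep -lE "$INDICATOR" {} + || true
}

count_injected() {
    find_injected "$1" | wc -l | tr -d ' '
}

# For every hit under site root $2, copy the same-named file from clean
# root $1 over it and set it to 644. Files with no clean counterpart are
# reported so they can be edited by hand.
restore_from_clean() {
    clean=$1; site=$2
    find_injected "$site" | while IFS= read -r hit; do
        rel=${hit#"$site"/}
        if [ -f "$clean/$rel" ]; then
            cp "$clean/$rel" "$hit" && chmod 644 "$hit"
            echo "restored: $rel"
        else
            echo "no clean copy for $rel; remove the injected block by hand"
        fi
    done
}

# Demonstration on constructed throwaway trees (not real sites).
clean_root=$(mktemp -d); site_root=$(mktemp -d)
mkdir -p "$clean_root/wp-content/themes/default" "$site_root/wp-content/themes/default"
printf '<?php echo "header"; ?>\n' > "$clean_root/wp-content/themes/default/header.php"
# Constructed sample of a tampered file: the clean line plus an injected script tag.
printf '<?php echo "header"; ?>\n<script>/* constructed sample: loader naming update.wmv */</script>\n' \
    > "$site_root/wp-content/themes/default/header.php"
printf '<?php echo "footer"; ?>\n' > "$site_root/wp-content/themes/default/footer.php"
echo "injected files before: $(count_injected "$site_root")"
restore_from_clean "$clean_root" "$site_root"
echo "injected files after: $(count_injected "$site_root")"
rm -rf "$clean_root" "$site_root"
```

The indicator search only catches this particular injection, and only if the filename appears literally in your files; if the inserted script pulls its payload from a remote host, the .wmv names may not be present on your server at all. A `diff -r clean_copy site_root` against a pristine download is the more reliable check, because it shows every changed file regardless of what was put in it. Either way, re-tighten the permissions afterwards, or the same write access that let the file be modified is still there.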

Tell your friends.

25 Comments

  1. The 666 is so you can edit WP theme files via their admin panel. I don't see much point in this anyway, but there you go… oh, and for .htaccess stuff. That annoyed me cos it kept overwriting my hotlink protection, grr

  2. Jem

    28 Nov at 6:06 pm

    I know… and the crazy thing is, had I still been using WordPress, 90% of my files would be set to 666. For once, my scripts are more secure!

  3. I visited a site today and Firefox popped up a message asking to download that file. I had no idea what it was. Thanks for the heads-up.

  4. That explains why some of my themes have been acting up; I've set them all to 666 for editing in WP. Thanks for telling me!

  5. Hmm. I guess I should be throwing out any scripts which ask to have permissions changed to 666/775/777 then? Gah! How will I ever find replacements for these?

  6. At the risk of asking a stupid question, what files need to be changed? If I just CHMOD the entire WP folder, will it mess anything up, or is that what I’m supposed to do?

  7. Meggan – What I did was change all the .php files with 666 inside the different theme folders. Just anything that's 666 at the moment, basically. I think 755 isn't too good either, actually (write/execute are both not grand).

  8. Thanks, Rosemarie and Jem! I went to change the permissions and they all appeared to be at 644, so I didn’t have to do anything anyway. But at least now I know. :D

  9. My theme files are set to 766, but I will check everything anyway. Thanks for the heads-up!

  10. Hmph, more script flaws. I’ve only recently done the 666 thing; I turned register_globals off and assumed everything was good. Oh well. *Goes off to change it all back again*

  11. Wait, what? I am slow. How do I do this. My head hurts.

  12. I’ll warn all my web-making friends at once! *pause* Oh wait, you already know. Have a hug for no apparent reason because you rock. *hug*

  13. I just wanted to comment on how funny I think it is that gooogle.com – with the extra ‘o’ – redirects to the correctly spelt google.com.

  14. Jem

    29 Nov at 5:54 am

    Oops. I didn’t spot the extra ‘o’.

  15. ~pouts if only that meant anything to me. I understand these things only for as long as I need to for any single project I am taking on and next time I need to know them I have to look them all up again… at least I know how to look them up now? That’s the one part that does not yet escape me ; )

  16. You should use MT because WP are google cheats. *sob* offtopic I got offered a scholarship of £3,000pa from Brunel (http://brunel.ac.uk) :D /offtopic

  17. There's a little bit of PHP in there too; something like "if such and such isn't defined, then do this" and… yeah. I can't remember now :P

  18. I’m guessing this is also the little php ‘error_reporting’ thing too? I’m an idiot. Thanks for that. :)

  19. Chrissy and I both got hit with it because of file permissions. *smacks head* Thank goodness it was relatively easy to edit out the nasty code!

  20. Wow, I've been noticing that around, too. At least with Firefox it doesn't auto-download and asks me first. And of COURSE I've always said 'no'. I was kind of wondering what was up with that. I don't THINK any of my files are vulnerable, though I do know I have some files CHMOD to 666; I don't know which ones. And go figure, 666 = the number of Satan. Or whatever. LOL

  21. Thanks for letting us know, Jem. I think I checked mine and nothing’s particularly wrong with them. P.S. I find it fascinating that going to Google works with both google.com and gooogle.com. Nifty discovery, thanks to your link.

  22. Jem! I accessed a blog today, and some media file was automatically uploaded to my site. Is this URL part of the trojan you were warning us about too? (Don’t click this!) media.licenseacquisition.org/playlist.php?id=2172B319

  23. Update on my previous comment: I discovered that it was indeed spyware after running that URL over a couple of search engines. I’ve done a system restore to remove the spyware. :)

  24. So both my blogs were hit with this, argh! I ran Norton Antivirus on my computer after having the wmv automatically loaded… I should be good, right? Or do I need to do something else? Any info would be so much appreciated!