WordPress ‘flaw’


In a way this post is mislabeled, because it’s not really WordPress and more a case of badly set permissions.

Anyway, to get to the point: I’ve been to several weblogs today based on WordPress which have been exploited because of dodgy set permissions. Unfortunately at the time I’ve had several websites open generally and can’t pinpoint who is infected.. anyway, people who’ve been “attacked” are those with certain files with permissions set to 666. A piece of JavaScript is inserted which when loaded, tries to save the file “upload.wmv” / “update.wmv” / “update2.wmv” to your computer. This is a trojan, and must be told in no uncertain terms to piss right off.

Anyway, if you’re using WordPress or ANY script that involves permissions set to 666, you need to get them changed to 644 now. Erm, I think it’s 644 anyway. Folders need to be set to 755. If you don’t know how to change file permissions, google it, because I’m still too lazy to write a tutorial on it.

ETA: If you’ve got exploited files, simply changing the permissions to 644 isn’t going to work. You’ll need to edit the file to remove the ‘bad’ JavaScript coding. It might just be easier to re-upload new versions of the exploited files if you don’t know what you’re doing or don’t want to risk killing any particular file.

Tell your friends.

Jem Turner
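
The cleanup described in the post, as an added example that is not part of the original post: a bash script that lists world-writable files and folders under a site root, resets them to 644 and 755, and lists files that mention the .wmv names and so need editing or re-uploading. The function names, the script name in the usage line, and the assumption that the injected script contains those file names literally are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.

# Print files and folders under ROOT that any user may write to (666, 766, 777...).
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Reset world-writable files to 644 and world-writable folders to 755,
# the modes the post recommends. Other entries are left untouched.
fix_modes() {
    find "$1" -type f -perm -0002 -exec chmod 644 {} +
    find "$1" -type d -perm -0002 -exec chmod 755 {} +
}

# Print files that mention the download names given in the post. Assumption:
# the injected script contains the name literally; obfuscated code is missed.
list_suspect_files() {
    grep -rlE '(upload|update2?)\.wmv' "$1" 2>/dev/null
}

# Usage: ./wp-perms.sh /path/to/site [fix]
if [ "$#" -ge 1 ]; then
    echo "World-writable entries:"
    list_world_writable "$1"
    if [ "${2:-}" = "fix" ]; then
        fix_modes "$1"
        echo "Modes reset to 644 (files) and 755 (folders)."
    fi
    echo "Files to edit or replace with clean copies:"
    list_suspect_files "$1" || echo "(none found)"
fi
```

Resetting the modes does not remove code that was already injected, so every file in the last list still needs cleaning or replacing. With 644, the WordPress theme editor can no longer write to theme files when PHP runs as a different user than the file owner.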

25 comments so far

  1. Rosemarie said:
    On November 28, 2005 at 5:53 pm

    arr matey.

  2. Katy said:
    On November 28, 2005 at 5:57 pm

    The 666 is so you can edit WP theme files via their admin panel. I don’t see much point in this anyway, but there you go… oh, and for htaccess stuff. That annoyed me cos it kept overwriting my hotlink protection, grr

  3. Jem said:
    On November 28, 2005 at 6:06 pm

    I know.. and the crazy thing is, had I still been using WordPress, 90% of my files would be set to 666. For once, my scripts are more secure!

  4. Gemma said:
    On November 28, 2005 at 6:22 pm

    I visited a site today and Firefox popped up a message asking to download that file. I had no idea what it was. Thanks for the heads-up.

  5. Jennifer said:
    On November 28, 2005 at 6:56 pm

    That explains why some of my themes have been acting up, I’ve set them all to 666 for editing in WP, thanks for telling me!

  6. Taruto said:
    On November 28, 2005 at 7:06 pm

    Hmm. I guess I should be throwing out any scripts which ask to have permissions changed to 666/775/777 then? Gah! How will I ever find replacements for these?

  7. Meggan said:
    On November 28, 2005 at 7:11 pm

    At the risk of asking a stupid question, what files need to be changed? If I just CHMOD the entire WP folder, will it mess anything up, or is that what I’m supposed to do?

  8. Rosemarie said:
    On November 28, 2005 at 7:48 pm

    Meggan – What I did was change all the .php files with 666 inside the different theme folders. Just anything that’s 666 at the moment, basically. I think 755 isn’t too good either, actually (write/execute are both not grand)

  9. Meggan said:
    On November 28, 2005 at 7:58 pm

    Thanks, Rosemarie and Jem! I went to change the permissions and they all appeared to be at 644, so I didn’t have to do anything anyway. But at least now I know. :D

  10. Jenny said:
    On November 28, 2005 at 8:11 pm

    My theme files are set to 766. But I will check everything anyway. Thanks for the heads up!

  11. Amelie said:
    On November 28, 2005 at 9:44 pm

    Hmph, more script flaws. I’ve only recently done the 666 thing; I turned register_globals off and assumed everything was good. Oh well. *Goes off to change it all back again*

  12. Chrissy said:
    On November 28, 2005 at 10:18 pm

    Wait, what? I am slow. How do I do this. My head hurts.

  13. Tiddley said:
    On November 29, 2005 at 3:35 am

    I’ll warn all my web-making friends at once! *pause* Oh wait, you already know. Have a hug for no apparent reason because you rock. *hug*

  14. Jordie said:
    On November 29, 2005 at 4:58 am

    I just wanted to comment on how funny I think it is that gooogle.com – with the extra ‘o’ – redirects to the correctly spelt google.com.

  15. Jem said:
    On November 29, 2005 at 5:54 am

    Oops. I didn’t spot the extra ‘o’.

  16. Echo said:
    On November 29, 2005 at 7:10 am

    ~pouts if only that meant anything to me. I understand these things only for as long as I need to for any single project I am taking on and next time I need to know them I have to look them all up again… at least I know how to look them up now? That’s the one part that does not yet escape me ; )

  17. kachii said:
    On November 29, 2005 at 10:06 am

    You should use MT because WP are google cheats. *sob* offtopic I got offered a scholarship of £3,000pa from Brunel (http://brunel.ac.uk) :D /offtopic

  18. Rosemarie said:
    On November 29, 2005 at 10:33 am

    There’s a little bit of php in there too; Something like if such and such isn’t defined, then do this and… yeah. I can’t remember now :P

  19. Jenny said:
    On November 29, 2005 at 11:38 am

    I’m guessing this is also the little php ‘error_reporting’ thing too? I’m an idiot. Thanks for that. :)

  20. Jenn said:
    On November 29, 2005 at 9:22 pm

    Chrissy and I both got hit with it because of file permissions. *smacks head* Thank goodness it was relatively easy to edit out the nasty code!

  21. Jessica said:
    On November 30, 2005 at 9:56 am

    Wow, I’ve been noticing that around, too. At least with Firefox it doesn’t auto download and asks me, first. And of COURSE I’ve always said ‘no’. I was kind of wondering what was up with that. I don’t THINK any of my files are vulnerable, though I do know I have some files CHMOD to 666, I don’t know which ones. And go figure, 666 = the number of satan. Or whatever. LOL

  22. Jen said:
    On November 30, 2005 at 3:45 pm

    Thanks for letting us know, Jem. I think I checked mine and nothing’s particularly wrong with them. P.S. I find it fascinating that going to Google works with both google.com and gooogle.com. Nifty discovery, thanks to your link.

  23. Brenda said:
    On December 1, 2005 at 12:19 am

    Jem! I accessed a blog today, and some media file was automatically uploaded to my site. Is this URL part of the trojan you were warning us about too? (Don’t click this!) media.licenseacquisition.org/playlist.php?id=2172B319

  24. Brenda said:
    On December 1, 2005 at 1:11 am

    Update on my previous comment: I discovered that it was indeed spyware after running that URL over a couple of search engines. I’ve done a system restore to remove the spyware. :)

  25. Kestrel said:
    On December 2, 2005 at 8:07 am

    So both my blogs were hit with this, argh! I ran Norton Antivirus on my computer have the wmv automatically loaded… I should be good right? Or do I need to do something else? Any info would be so much appreciated!