WordPress Worm attacking blogs

3
Saturday September 5th 2009 at 11:09 PM
WordPress

WordPress blogs are under attack after a old friend is back causing havoc. A worm is attacking WordPress blogs which are yet to be patched with the WordPress 2.8.4 release. This release, although contains minor changes is now probably one of the most important updates you will need to update to. This update fixes the security which this worm is using to exploit WordPress blogs, the worm is quite strong and therefore should not be taken lightly. Click for the full insight on the worm.

I don’t often post stuff like this but as a WordPress user I think it’s my duty to spread the word about this issue and get everyone informed even if I only alert a handful of people, thats still WordPress blogs saved.

Note: This problem is for people that self host WordPress on there own server. WordPress.com users are safe.

The Worm Itself

Like I started to mention the worm is using a security hole that is present in versions below 2.8 which alot of people are still on, therefore this makes this worm quite deadly. What the worm is doing is using this security hole and executing code using one of WordPress’ basic features, permalinks. The worm can execute the code through the permalinks and actually create a user account before setting administrative rights to itself and then hiding itself in the users tab by using simple javascript code. What makes this worm quite deadly is the fact it can set itself permissions right down to the database level so the worm may be able to run SQL queries in your database, which could cause havoc to your WordPress website. Different worms act differently, the most recent worms do indeed run SQL queries, other however do not.

Once the worm has executed it’s code through the permalinks it will then start to invade your WordPress website, posts and content by posting spam in your posts and in some cases deleting WordPress posts.

Protecting your WordPress Blog

Don’t leave this to chance and think the worm won’t get you, make sure your completly protected from the attack. First off make sure you update to WordPress 2.8.4 this will fix the security hole that the worm is using and you should be fine. But don’t stop there, if you don’t already make sure you have a fresh backup of your WordPress database, and you might want to go as far as backing up your WordPress theme as well, make sure these backups are stored locally and not on your server.

What to do if your infected by the worm

If you have already been infected by the worm it might already be too late, but all is not lost. If you have a backup of your WordPress database then you can overwrite your infected WordPress website with your backed up database to remove the worm from your wp_users table, then you should update to the latest version of WordPress which fixes the security hole that the worm is using (which is 2.8.4) keep monitoring your WordPress website for any strange content suddenly appearing. Look out for spam links, random spam content appearing on your posts, or even missing content. Because the worm gains administrative access it can do anything with your posts so be on the look out.

Recommended Steps

Here’s how you should go about protecting your WordPress blog in simple steps:

  1. If not already update to WordPress 2.8.4
  2. Backup your fresh database and store it locally on your computer and not on your server
  3. Backup your WordPress theme folder (Extra pre-caution)
  4. Keep a close eye on your WordPress website (Though updating to 2.8.4 should protect you fully)

If your already infected by the worm follow these steps:

  1. If you have a backup of your WordPress database replace it with the current version. It is likely that the worm has executed SQL queries and is inside your database.
  2. Replacing the database should remove the worm from your WordPress website. So now you can update your WordPress installation to 2.8.4. This can be done by doing the automatic update option within the tools section of the wp-admin. If this fails head over to WordPress.org and grab a copy of WordPress 2.8.4. Then click here and follow the guide to safely upgrade your WordPress website manually.
  3. This upgrade installation may request you to update the WordPress database make sure you allow this, this will fix the security hole.

This should protect you from the worm. Good luck!

Follow this information and you should be fine. Any problems, feel free to comment!

Share This:

Tags: