Slashdot Mirror


Wordpress.org Warns of Active Worm Hacking Blogs

Erik writes "Wordpress, the popular open-source Content Management System (CMS) for many thousands of bloggers worldwide, is under attack from a 'clever' worm that automatically compromises unpatched versions of the Wordpress system. The particularly nasty bug crawls the web for vulnerable Wordpress installations, installing malware, deleting content, and generally wreaking havoc wherever it can. Today, Wordpress founder Matt Mullenweg eloquently implored Wordpress bloggers to update more frequently. Originally, updating the Wordpress system was a rather laborious process; however, newer versions offer fast and simple one-click upgrades. The two most recent versions of Wordpress (2.8.3 and 2.8.4) cannot be attacked by the worm discovered this week, and blogs hosted at Wordpress.com are also apparently immune."


  1. "Clever?" by Solra+Bizna · · Score: 4, Insightful

    There have been widespread worms that did this sort of thing before (phpBB comes to mind). Does this one do anything novel that makes it deserve the adjective "clever?"

    -:sigma.SB

    --
    WARN
    THERE IS ANOTHER SYSTEM
  2. Hey Wordpress... by pathological+liar · · Score: 4, Insightful

    Maybe you should stop putting the Wordpress version in meta tags on the page? Or at least make it opt(-in)ional?

    1. Re:Hey Wordpress... by zn0k · · Score: 3, Informative

      As outlined in TFA (yes, I know, I know) that's snake oil. You can run response tests to determine a version.

    2. Re:Hey Wordpress... by StarHeart · · Score: 5, Insightful

      I wouldn't say it is snake oil. Putting versions in a page allows you to Google for it, which makes the attack a lot easier. It also allows the attacker to do reconnaissance a lot less detectably ahead of time, and then spring it on everyone at once.

      --
      Havoc Penington, the bane of my Linux desktop.
    3. Re:Hey Wordpress... by Anonymous Coward · · Score: 2, Interesting

      The idea isn't to hide the fact that you're using Wordpress - it's to hide the fact that you may very well be running an exploitable version of Wordpress.

  3. the problem with one-click upgrades by Anonymous Coward · · Score: 4, Insightful

    ...newer versions offer fast and simple one-click upgrades

    If wordpress.org is hacked, again, their one-click upgrade feature means instant ownage for all Wordpress blogs everywhere.

    1. Re:the problem with one-click upgrades by jesser · · Score: 3, Insightful

      That problem isn't specific to 1-click updates. It exists equally with 0-click updates (like Firefox's minor updates) and 50-click updates (like WordPress used to have).

      You can improve the security of updates by using multiple layers of software protection (e.g. https AND code-signing). You can't improve security by increasing human involvement in the update process and then blaming users who update while the site is hacked. Increasing human involvement just makes it slower and limits the kinds of software protection you can use.

      --
      The shareholder is always right.
  4. aghhhh!!! by stokessd · · Score: 3, Funny

    Now even my own blog says that I need to enlarge my Penis!

    1. Re:aghhhh!!! by reboot246 · · Score: 2, Informative

      And isn't it about time you took the hint? :)

  5. Why people don't update by Anonymous Coward · · Score: 2, Insightful

    The reason most site owners are slow to update, or never update, is because it's a huge pain in the butt.

    This applies to almost all CMSs, forums, and similar software.

    While a one-click solution sounds nice, the real problem is that almost any large board has a number of plug-ins and modifications to get it where it needs to be.

    Once those mods/plugins are installed, the one-click updates no longer work.

    SEO URLs?
    Custom themes?
    Anti-bot measures?

    All of these things can completely render an "easy update" useless.

    The people who write this software need to find a way to keep the core code separated from plugins for updates.

    1. Re:Why people don't update by Anonymous Coward · · Score: 2, Interesting

      The WordPress "one click update" is annoying, too. Instead of fetching the package it needs from a URL, unpacking it in a temporary directory, and copying the files it needs locally, it requires an FTP login and password.
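
The fetch, unpack and copy flow this comment describes, combined with the integrity layer jesser argues for above (transport security plus a separate check on the package), as an added Python example that is not part of the thread or of WordPress's own updater. The package, its digest and the escaping entry are constructed here; the pinned SHA-256 stands in for the code-signing step and is assumed to arrive through an out-of-band manifest.

```python
import hashlib
import io
import os
import shutil
import tempfile
import zipfile

def build_sample_package(with_escape=False):
    # Constructed in-memory "update package"; not a real WordPress release.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("wordpress/wp-includes/version.php", "<?php $wp_version = '2.8.4';\n")
        if with_escape:  # entry that tries to land outside the staging directory
            zf.writestr("../outside.txt", "should never be written\n")
    return buf.getvalue()

def verify_digest(package, expected_sha256):
    # Integrity check independent of the transport (https only protects the connection).
    # A real installer would verify a signature; the expected digest is assumed pinned.
    return hashlib.sha256(package).hexdigest() == expected_sha256

def safe_unpack(package, expected_sha256, install_dir):
    # Verify first, unpack into a temp dir, then copy into install_dir.
    if not verify_digest(package, expected_sha256):
        raise ValueError("digest mismatch: refusing to install")
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        with zipfile.ZipFile(io.BytesIO(package)) as zf:
            for info in zf.infolist():
                dest = os.path.realpath(os.path.join(root, info.filename))
                if os.path.commonpath([root, dest]) != root:  # zip-slip guard
                    raise ValueError("entry escapes staging dir: " + info.filename)
                zf.extract(info, root)
        shutil.copytree(os.path.join(root, "wordpress"), install_dir)
    return sorted(os.listdir(install_dir))

def run_demo():
    # Outcomes for a good package, a tampered package and one with a zip-slip entry.
    good = build_sample_package()
    bad = build_sample_package(with_escape=True)
    cases = {"clean": (good, good), "tampered": (good + b"x", good), "escape": (bad, bad)}
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for name, (pkg, trusted) in cases.items():
            try:  # the digest comes from the trusted copy, as a manifest would supply it
                results[name] = safe_unpack(pkg, hashlib.sha256(trusted).hexdigest(),
                                            os.path.join(base, name))
            except ValueError:
                results[name] = "rejected"
    return results
```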

    2. Re:Why people don't update by phoebe · · Score: 4, Informative

      There is also an interesting point regarding software repository support. I have a server running Ubuntu 8.04 LTS Server which is supposed to be supported till April 2011; however, Wordpress is in the Universe repository, has not been updated since November 2008, and is vulnerable to a few attacks that delete content.

      If these packages are not going to be updated should there not be at least a warning, or method to bar such packages from being installed after security issues have been raised?

      Wordpress 2.3.3 in 8.04 LTS Universe repository.

    3. Re:Why people don't update by choongiri · · Score: 4, Informative

      *sigh* I don't think you understand how package management and security fixes in Debian / Ubuntu work. New releases of software almost invariably introduce new features, as well as bug fixes. For that reason, important fixes for security issues are backported, and the version number stays the same. (Introducing new features to an LTS / stable release wouldn't be acceptable.)

      Now, what you said is technically true - if it's not being actively maintained for security fixes it *should* be removed - but the fact that Ubuntu's universe package of wordpress is still at 2.3.3 doesn't in and of itself mean that it hasn't been patched with the latest security fixes.

    4. Re:Why people don't update by palegray.net · · Score: 4, Informative

      I've verified that the OP's assessment of the situation is valid with respect to WordPress (a fresh install from the repos exposes unpatched vulnerabilities long after patches are released to correct the situation).

      I understand the Debian/Ubuntu package management and security release system quite well; I happen to work for a certain "Large Virtual Server Company" and I've been using Debian almost exclusively on my systems for almost ten years.

  6. That's why I use www.SimpleScripts.com by Patheos · · Score: 2, Informative

    I personally use www.SimpleScripts.com for this exact reason. I use a ton of open source software for my websites and it is hard to keep track of all the updates made to them. SimpleScripts emails me every time an update comes out and it provides me a one-click upgrade to the latest version for Wordpress, phpBB and Drupal, which are the 3 systems I use the most.

  7. Re:maybe if they used their release notification l by Zancarius · · Score: 2, Informative

    What's the point of offering it if they don't use it? Also, their blog has such a terrible noise-to-quality ratio that it's absolutely useless in this regard. All I care about is whether a new version is available or not - I couldn't care less about what new "awesome" features they've added or are trying to add - I just want to update my blog when new versions are released and leave it at that.

    The admin dashboard alerts you whenever a new version is available. You don't even need to register with/check their site.

    --
    He who has no .plan has small finger. ~ Confucius on UNIX