Slashdot Mirror

← Back to Stories (view on slashdot.org)

Wordpress.org Warns of Active Worm Hacking Blogs

Posted by timothy on from the in-this-case-the-worms-are-actually-human-beings dept.

Erik writes "Wordpress, the popular open-source Content Management System (CMS) for many thousands of bloggers worldwide, is under attack from a 'clever' worm that automatically compromises unpatched versions of the Wordpress system. The particularly nasty bug crawls the web for vulnerable Wordpress installations, installing malware, deleting content, and generally wreaking havoc wherever it can. Today, Wordpress founder Matt Mullenweg eloquently implored Wordpress bloggers to update more frequently. Originally, updating the Wordpress system was a rather laborious process; however, newer versions offer fast and simple one-click upgrades. The two most recent versions of Wordpress (2.8.3 and 2.8.4) cannot be attacked by the worm discovered this week, and blogs hosted at Wordpress.com are also apparently immune."

10 of 103 comments (clear)

  1. "Clever?" by Solra+Bizna · · Score: 4, Insightful

    There have been widespread worms that did this sort of thing before (phpBB comes to mind). Does this one do anything novel that makes it deserve the adjective "clever?"

    -:sigma.SB

    --
    WARN
    THERE IS ANOTHER SYSTEM
  2. Hey Wordpress... by pathological+liar · · Score: 4, Insightful

    Maybe you should stop putting the Wordpress version in meta tags on the page? Or at least make it opt(-in)ional?

    1. Re:Hey Wordpress... by zn0k · · Score: 3, Informative

      As outlined in TFA (yes, I know, I know) that's snake oil. You can run response tests to determine a version.

    2. Re:Hey Wordpress... by StarHeart · · Score: 5, Insightful

      I wouldn't say it is snake oil. Putting versions in a page allows you to Google for it. Which makes the attack a lot easier. It also allows the attacker to do reconnaissance a lot less detectably a hold of time, and then spring it on everyone at once.

      --
      Havoc Penington, the bane of my Linux desktop.
  3. the problem with one-click upgrades by Anonymous Coward · · Score: 4, Insightful

    ...newer versions offer fast and simple one-click upgrades

    If wordpress.org is hacked, again, their one-click upgrade feature means instant ownage for all Wordpress blogs everywhere.

    1. Re:the problem with one-click upgrades by jesser · · Score: 3, Insightful

      That problem isn't specific to 1-click updates. It exists equally with 0-click updates (like Firefox's minor updates) and 50-click updates (like WordPress used to have).

      You can improve the security of updates by using multiple layers of software protection (e.g. https AND code-signing). You can't improve security by increasing human involvement in the update process and then blaming users who update while the site is hacked. Increasing human involvement just makes it slower and limits the kinds of software protection you can use.

      --
      The shareholder is always right.
  4. aghhhh!!! by stokessd · · Score: 3, Funny

    Now even my own blog says that I need to enlarge my Penis!

  5. Re:Why people don't update by phoebe · · Score: 4, Informative

    There is also a interesting point regarding software repository support. I have a server running Ubuntu 8.04 LTS Server which is supposed to be supported till April 2011, however Wordpress is in the Universe repository and not updated since November 2008 and is vulnerable to a few attacks that delete content.

    If these packages are not going to be updated should there not be at least a warning, or method to bar such packages from being installed after security issues have been raised?

    Wordpress 2.3.3 in 8.04 LTS Universe repository.

  6. Re:Why people don't update by choongiri · · Score: 4, Informative

    *sigh* I don't think you understand how package management and security fixes in debian / ubuntu works. New releases of software almost invariably introduce new features, as well as bug fixes. For that reason, important fixes for security issues are backported, and the version number stays the same. (Introducing new features to a LTS / stable release wouldn't be acceptible.)

    Now, what you said is technically true - if it's not being actively maintained for security fixes it *should* be removed - but the fact that Ubuntu's universe package of wordpress is still at 2.3.3 doesn't in and of itself mean that it hasn't been patched with the latest security fixes.

  7. Re:Why people don't update by palegray.net · · Score: 4, Informative

    I've verified that the OP's assessment of the situation is valid with respect to WordPress (a fresh install from the repos exposes unpatched vulnerabilities long after patches are released to correct the situation).

    I understand the Debian/Ubuntu package management and security release system quite well; I happen to work or a certain "Large Virtual Server Company" and I've been using Debian almost exclusively on my systems for almost ten years.

    --
    512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.