A friend running the latest version of WordPress had some hidden links injected into his blog yesterday. I know he is very technical and knows what he is doing, so it started making me a little paranoid. I started searching for WordPress 2.3.3 hidden links injection and, as you can see, there are a ton of people claiming to be running the latest and greatest WordPress version yet getting hidden links inserted in their posts. People are also inserting iframes. It's actually pretty effective if you think about it… How would you notice hidden links in old posts?
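One way to answer that question is to run every stored post body through a parser and flag iframes plus any link that sits inside an element hidden by inline style. This is an added example, not code from the original post; the sample posts, the `spam.example` and `bad.example` URLs and the list of hiding styles are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Inline styles commonly used to keep injected markup out of a reader's sight.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "wbr"}
# Constructed sample post bodies keyed by post ID (not taken from a real blog).
SAMPLE_POSTS = {
    1: '<p>Fine: <a href="https://example.org/ok">visible link</a>.</p>',
    2: '<p>Old.</p><div style="display:none"><a href="http://spam.example/pills">x</a></div>',
    3: '<p>Text</p><iframe src="http://bad.example/f" width="0" height="0"></iframe>',
    4: '<span style="position:absolute;left:-9999px"><a href="http://spam.example/c">c</a></span>',
}

class HiddenMarkupScanner(HTMLParser):
    """Records every iframe, and every link inside an inline-hidden element."""
    def __init__(self):
        super().__init__()
        self.stack, self.findings = [], []  # open (tag, hides) pairs; (kind, url) hits

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hides = bool(HIDING_STYLE.search(attrs.get("style") or ""))
        hidden = hides or any(h for _, h in self.stack)
        if tag == "iframe":
            self.findings.append(("iframe", attrs.get("src") or ""))
        elif tag == "a" and hidden:
            self.findings.append(("hidden-link", attrs.get("href") or ""))
        if tag not in VOID_TAGS:
            self.stack.append((tag, hides))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed tags in between.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def scan_post(html):
    scanner = HiddenMarkupScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def scan_posts(posts):
    results = {post_id: scan_post(body) for post_id, body in posts.items()}
    return {post_id: hits for post_id, hits in results.items() if hits}
```

Feed it the post bodies from a database export; it only sees inline styles, so links hidden through a theme stylesheet class need a separate check of the theme files.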

First I want to say I have never seen any evidence of a fresh 2.3.3 install of WordPress.

The issue most likely comes from either an exploitable file from a previous version still sitting in your WordPress install directory or from someone who has already hijacked your admin cookie. You see, there were some wicked exploits in earlier versions that allowed people to hijack your admin cookie, which is what authenticates you (keep me logged in).

So what to do… well, if you have WordPress 2.3.3 and you are getting owned regularly, here is what you need to do.

1) Make a new fresh install of WordPress and copy over your must-have files… like themes, plugins (MAKE SURE THEY ARE UP TO DATE), images, wp-config.php

2) Change your password right away, in case someone has an old hash of your password.

If you have been following the proper upgrade instructions (minus changing the admin pass) on the WordPress you should have been doing this the whole time… ya I know I was not either.
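Before discarding the old directory, it is worth listing what the fresh install would silently fix: core files that no longer ship, and core files whose contents differ from the release. The sketch below is an added example, not part of the original post; it assumes a fresh unpack of the same WordPress version sits next to the live directory, and `old-helper.php` and the file contents are made up for the demo.

```python
import hashlib
from pathlib import Path

def _digests(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def is_carried_over(rel):
    # The post copies these across by hand, so a fresh unpack cannot vouch for them.
    return rel == "wp-config.php" or rel.startswith("wp-content/")

def compare_install(live_root, fresh_root):
    """Return (leftover, modified): core files the fresh unpack lacks or disagrees with."""
    live, fresh = _digests(live_root), _digests(fresh_root)
    core = {rel: h for rel, h in live.items() if not is_carried_over(rel)}
    leftover = sorted(rel for rel in core if rel not in fresh)
    modified = sorted(rel for rel in core if rel in fresh and fresh[rel] != core[rel])
    return leftover, modified

def build_demo(base):
    """Create constructed live/ and fresh/ trees under base; contents are made up."""
    files = {
        "fresh/index.php": "core", "fresh/wp-login.php": "login",
        "live/index.php": "core", "live/wp-login.php": "login + unexpected code",
        "live/wp-admin/old-helper.php": "no longer shipped",
        "live/wp-content/themes/mine/style.css": "theme",
        "live/wp-config.php": "settings",
    }
    for rel, text in files.items():
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return Path(base, "live"), Path(base, "fresh")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        leftover, modified = compare_install(*build_demo(tmp))
        print("leftover:", leftover)
        print("modified:", modified)
```

Themes, plugins and wp-config.php are excluded on purpose because they are carried over by hand; read those yourself before copying them into the new install.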

If you are a nerd like me you might want to use SVN which is super dope and is a better and easier way to keep up to date if you know how to use SVN. Here are the instructions for that

Anyway, security-wise, out of the box most web servers are not going to help you find the root of the problem. Most of these are POST requests, and unless you are specifically logging them or have mod_security installed …. there is no log anywhere of any POST request to your web server other than that one happened.

Thanks to WordPress developer Donncha O Caoimh for answering my twitter 😉

Hope this helps anyone whose WordPress 2.3.3 is getting owned.

By Jeremy Schoemaker

25 thoughts on “WordPress 2.3.3 Hidden Links Injection Exploit and How To Not Let It Happen To You”
  1. […] removed all the old files so no one can take advantage of a security leak in the old files. Shoemoney.com is reporting that people claim to have hidden links (or even iframes) injected into their latest […]

  3. […] Did you know that wordpress 2.3.3 is vulnerable with hidden link exploitation? […]

  4. Updating Multiple WordPress Installations…

    Many affiliates run multiple WordPress blogs on the same server. It’s necessary to update your installations regularly as WordPress is an extremely vulnerable piece of software. Manual updating costs too much time, so here’s some Linux shel…

  5. SearchCap: The Day In Search, March 21, 2008 | Seofinance, seo web finance, search enigne optmization services blog says:

    […] WordPress 2.3.3 Hidden urls Injection Exploit and How To Not Let It Happen To You, ShoeMoney […]

  7. […] ShoeMoney points out, not only is it a good idea to install fresh system files, but you should also change your system password.  You never know who might already have hacked your blog.  If they’ve got the password, it […]

  8. New Wordpress 2.3.3 Exploit/Vulnerability - Adds Spam Directory /wp-content/1/ | Smackdown! says:

    […] on 2 different servers. This is not the same thing that Shoemoney reported on a few days back (hidden link injection), and as of yet I have not seen any definitive answers as to what it is. All of my blogs were […]

  10. […] if you want more information about the exploit, it’s becoming a plague on wordpress blogs. I continue to be amazed by the ingenuity of search […]

  12. […] I found on Shomoney post: He suggest to upgrade your WordPress 2.3.3 to the latest […]

  13. […] 80,000 German-language blogs infected with a WordPress Hidden Footer Links exploit. […]

  15. Hi, thanks for the tutorial.
    I have wp 2.6 installed, and got link injection in footer area. I’ve removed them but worry to see it again in the future. Any idea?
    Thanks

  17. […] I could explain this, but I think Shoemoney did a good enough job here. […]

  18. […] site with links is a sure way to make Google question your relationship. Sites will get hacked and exploited (here’s an interesting lotek way to keep an eye out for shenanigans on your site). But having […]
