I woke up to this email from a self-proclaimed Anonymous Security Specialist.
From: Anonymous Security Specialist Friday – April 4, 2008 10:36 PM
To: Blogger admin
Subject: Your blog’s version is old and has been hacked. Update ASAP!
Attachments: Mime.822 (4265 bytes)
This email is not an April’s fools email and it has been sent to notify you that your blog’s version is old and needs to be updated ASAP as it was hacked.
While tracking some Viagra spammers I have come accross [sic] several links coming from your blog and, after testing it, it appears your blog is 2.1.* generation hence vulnerable to SQL injection blind-fishing attacks. Search Google to learn more. In a few words: spammers can take full control of your blog in a matter of minutes and deface it at will.
These attacks are as serious as they can get as the spammers have full access to your blog and add hidden HTML elements to mask their links.
You MUST update your blog to the latest official WordPress version and manually clean your last 5-10 posts of the parasite links which you will only see in HTML view.
Not doing so may attract severe search engine penalties as you are currently linking to sites with VERY bad reputation.
Hoping you will take required action,
A.S.S. (Anonymous Security Specialist)
PS: I got your email address from your Dashboard / Users Management Section. I have warned many during the past months regarding the vulnerable blogs, being a blogger myself, but it seems I haven’t warned everyone. Lateste [sic] WordPress is secure.
PPS: Your login name is admin and password hash is **************************.
The last fact really got my attention 🙂 The reality is that he or she was right, there are a few sites that are sadly behind in terms of versions. Now, I know this person has hacked one of my sites on Bluehost to actually get my information to contact me, and I kind of like the Robin Hoodesque nature of this whole thing, plus it is a much needed reminder of how vulnerable an out-of-date open source application can be. So take the Anonymous Security Specialist’s advice and update all your long overdue upgrades.
But I have a question, did I fall for a bigger trap by going to the sites and updating as well as searching out the spam links (which were right where they said they would be!)? Is this the purest act of altruism, or a larger game? And these last questions may reveal how ignorant I am when it comes to these things, which I freely acknowledge.
Update: As Bill says in the comments, and D’Arcy said as well, this was an act of altruism on the part of my unnamed security adviser, which makes me love the tubes that much more. We love you Anonymous Security Specialist! Thanks for being an internet superhero 🙂
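The email says the parasite links are wrapped in hidden HTML elements that only show up in HTML view. The following is an added example, not code from the post or from WordPress, that does that check automatically: it walks a post body with Python's html.parser and reports every link whose own element or any ancestor is hidden by inline CSS (display:none, visibility:hidden, zero font size, or pushed off-screen with a large negative offset) or the `hidden` attribute. The post body below is constructed for the example.

```python
"""Added example (not part of the post): find links that readers can't see.

Spam injected into posts is usually wrapped in an element hidden by inline
CSS, so scanning the raw HTML for anchors inside such elements is one way
to do the "HTML view" clean-up the email describes. The sample post below is
constructed for this example.
"""
from html.parser import HTMLParser
import re

# Inline-style fragments that hide an element from a human reader.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?![\d.])"
    r"|position\s*:\s*absolute.*?(left|top)\s*:\s*-\d{3,}",
    re.I,
)

# Elements that never get a closing tag, so they must not go on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


class HiddenLinkFinder(HTMLParser):
    """Tracks whether each open element is hidden and classifies <a href> tags."""

    def __init__(self):
        super().__init__()
        self._hidden_stack = []   # one entry per open element: is it hidden?
        self.hidden_links = []    # hrefs a reader would never see
        self.visible_links = []   # hrefs that render normally

    def _is_hidden(self, attrs):
        style = attrs.get("style") or ""
        return "hidden" in attrs or bool(HIDING_STYLE.search(style))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        inherited = self._hidden_stack[-1] if self._hidden_stack else False
        hidden = inherited or self._is_hidden(attrs)
        if tag == "a" and attrs.get("href"):
            (self.hidden_links if hidden else self.visible_links).append(attrs["href"])
        if tag not in VOID_TAGS:
            self._hidden_stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()


def find_hidden_links(post_html):
    """Return (hidden_hrefs, visible_hrefs) for one post body."""
    finder = HiddenLinkFinder()
    finder.feed(post_html)
    finder.close()
    return finder.hidden_links, finder.visible_links


# Constructed post body: one legitimate link and three hidden ones.
SAMPLE_POST = """<p>Welcome back. Read the <a href="http://example.org/about">about page</a>.</p>
<div style="display:none"><a href="http://pills.example/buy">cheap pills</a></div>
<p><span style="position:absolute; left:-9999px"><a href="http://pills.example/more">more</a></span>Thanks for reading!</p>
<p><a href="http://example.org/contact" style="visibility: hidden">contact</a><br>See you next week.</p>
"""

if __name__ == "__main__":
    hidden, visible = find_hidden_links(SAMPLE_POST)
    for href in hidden:
        print("HIDDEN LINK:", href)
    print("visible links:", len(visible))
```

Run it over each post's raw content (from the database export or the editor's HTML view); anything it lists as hidden is either injected spam or a deliberate trick, and both deserve a look. It only inspects inline styles, so links hidden through a stylesheet class would need a second pass that knows the theme's CSS.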
I would definitely have your ISP look at your server logs to see if anything looks out of place —
But my guess is that you got lucky with this one, and that your site was surveyed by someone who knew what they were doing and had no bad intentions —
The only danger you’d have from upgrading would be if the WP downloads were themselves compromised — not likely at all, despite the fact that it happened last year: http://it.slashdot.org/article.pl?sid=07/03/03/0427211
RE: “how vulnerable an out-of-date open source applications” — an out of date app is vulnerable, whether it’s proprietary or Open Source — however, when another ginormous security hole appears in Windows, we think nothing of it, because it’s “normal.” Yet, when an open source app patches a vulnerability, it’s fodder for the FUD-sters looking to point out the insecurity of open source apps.
Glad to hear you upgraded. I don’t want the Reverend’s digital presence going down into the hellfires, brought there by the purveyors of pill-powered tumescence.
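Bill's advice to have someone look at the server logs can be started without the ISP. The following is an added example, not code from the post, the comments or WordPress, that reads Apache/nginx "combined" format access log lines (an assumption about the log format), URL-decodes each request target and flags the SQL injection tell-tales that the email's "blind" (time-based) attacks leave behind, then counts hits per source address. The log lines are constructed for this example.

```python
"""Added example (not from the post or comments): triage a WordPress access log.

Pulls each request out of combined-format log lines, URL-decodes the target
and flags the SQL injection patterns that automated attacks leave behind.
The log lines below are constructed for this example.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache/nginx "combined" format (assumed): ip ident user [ts] "req" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# (label, pattern) pairs applied to the URL-decoded request target.
SQLI_HINTS = [
    ("union-select", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("tautology", re.compile(r"'\s*(or|and)\s+['\d]", re.I)),
    ("time-delay", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("comment-tail", re.compile(r"(--|/\*)\s*$")),
]


def parse_line(line):
    """Return the named fields of one log line, or None if it doesn't parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def sqli_hints(target):
    """Labels of every SQLi pattern found in the decoded request target."""
    decoded = unquote_plus(target)
    return [label for label, rx in SQLI_HINTS if rx.search(decoded)]


def scan_log(lines):
    """Return (ip, raw_target, hints) for each request that looks like SQLi."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:          # rotated/garbled lines are skipped, not fatal
            continue
        hints = sqli_hints(entry["target"])
        if hints:
            findings.append((entry["ip"], entry["target"], hints))
    return findings


def ips_by_hits(findings):
    """How many flagged requests each source address made."""
    return Counter(ip for ip, _, _ in findings)


# Constructed sample: normal traffic plus two probes from one address.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Apr/2008:22:10:01 -0400] "GET /?p=12 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [04/Apr/2008:22:10:02 -0400] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 812',
    '198.51.100.7 - - [04/Apr/2008:22:11:40 -0400] "GET /?s=%27+UNION+SELECT+1%2C2%2C3-- HTTP/1.1" 200 4100',
    '198.51.100.7 - - [04/Apr/2008:22:11:41 -0400] "GET /?cat=1%27+AND+SLEEP%285%29-- HTTP/1.1" 200 4100',
    '192.0.2.9 - - [04/Apr/2008:22:12:00 -0400] "POST /wp-comments-post.php HTTP/1.1" 302 0',
    'this line is not in log format and is skipped',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, target, hints in found:
        print(f"{ip} {target} -> {', '.join(hints)}")
    print("flagged requests per address:", dict(ips_by_hits(found)))
```

A hit list like this is a starting point, not proof: a 200 response to a time-delay probe says nothing on its own, so the next step is to correlate the flagged addresses with later admin logins, new users, or edits to posts in the same window. The patterns are deliberately few and obvious, which keeps false positives low on a blog's search and category parameters.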
It’s nice to know people who know far more than me. And I think what you said about my focus on open source applications being vulnerable is important. I, of all people, would hate to be coming off as a pill when it comes to open source application vulnerability, so that is a much needed correction to my verbiage!
I can’t tell you how cool this anonymous security specialist seems to me, a much needed kick in the ass is always welcome, for as you suggest, the reverend must ride, always 🙂
If you don’t upgrade it’s not if but when you will be hacked. What the dude did is illegal (imagine if he broke into your office and later emailed you to say your alarm system is faulty)… but I guess it is good that he got you to act.
You might want to check out this video to see how easy it is to “hack” wordpress (or any app) if you are not careful (the examples in video could have been avoided).
I think WP is secure in general it is the plugins that scare me. Often coded by newbies with little or no knowledge of info sec.
Good intro article on the topic of XSS to learn more:
Another on RSS injection…
Zero Day Subscriptions: Using RSS and Atom Feeds As Attack Delivery Systems by: Bob Auger (Presented at Black Hat USA 2006):
As far as XSS goes, one thing that you should ensure is never to click on any link on the front end of a multi-user blog while logged in as admin. Our “support” person on UBC blogs is going to only have “subscriber” privileges. That way if someone does hack them, they can’t do something crazy like delete all the blogs. admin should only ever be logged in to administrate the back end of the blog and then quickly logged out again.
He paid me a visit as well, and sure enough I had my links full of spam.
I (hopefully) cleaned everything up and upgraded WordPress.
Mister Anonymous, my offer for sending you some beer money stands. Just name your poison 😉
@Scott: Wow, thanks for all the amazing info. This is great stuff, and it is about time the education started in earnest about the holes in WP, for every app has them.
@Andre: I’d love some more details on this issue. How does this XSS hack work? All this information is great, and sharing these issues of security is key for us.
@Another Victim: Robin Hood strikes again. I fully support your suggestion that we reward the A.S.S. somehow, although I imagine his line of work requires a certain amount of anonymity, but more power to him.