
Thread: Webhosting Companies And Security Related Attacks

  1. #11
    jakebarnes is offline Hello World
    Join Date
    Aug 2009
    Posts
    27

    Default

    Our blog was hacked, and it is not hosted on MediaTemple:

    http://blog.wpquestions.com/

    It is hosted on a dedicated server on Hostway. I think this is a WordPress flaw, not a flaw with MediaTemple.

  2. #12
    jakebarnes is offline Hello World
    Join Date
    Aug 2009
    Posts
    27

    Default

    Quote Originally Posted by andrea_r View Post
    On the compromised sites, the hack isn't visible when viewing the source of the page, so this makes me think it's the server itself.

    You can have WP hardened within an inch of its life, but if the box is wide open (and yes, there are really dumb sys admins out there... I have examples) then once someone gets in they can do what they like, secured software or not.
    Andrea, the sysadmin who watches over our server tends to do smart things. For instance, he does not allow the use of FTP on the server, but instead insists on the use of SFTP for everything. And no one is ever allowed root access.

    It is possible I set the permissions on the upload file in the wrong way, but until we know more about the attack, it is hard to know what the weakness was.

    I am having some doubts about WordPress right now. It is in the same situation as Windows - so popular that it becomes an inviting target for hackers. I suspect less popular blog software would be targeted for fewer attacks.

  3. #13
    frankfarmer is offline Hello World
    Join Date
    Mar 2010
    Posts
    6

    Default

    Quote Originally Posted by jakebarnes View Post
    Our blog was hacked, and it is not hosted on MediaTemple:

    http://blog.wpquestions.com/

    It is hosted on a dedicated server on Hostway. I think this is a WordPress flaw, not a flaw with MediaTemple.
    Jake -- the attack you were hit with -- if this google query is representative -- doesn't appear to be similar to the one I reported here.

    It looks like the attack you suffered involved having your WP posts edited. The attack I was hit by didn't actually alter the output of wordpress at all -- it was simply a stand-alone script that basically creates a bunch of non-wordpress google results hosted on your domain.

    However, it is conceivable that the same vulnerability enabled both attacks, if only because I have no idea what the vulnerability itself was.

  4. #14
    chipbennett is offline WordPress Legend
    Join Date
    Feb 2009
    Location
    St. Louis, MO
    Posts
    1,993

    Default

    Quote Originally Posted by frankfarmer View Post
    I posted on this topic to the forums at wordpress.org. The post was deleted after about 20 minutes. I can only hope that they're doing their own investigation and will release a 2.9.3 security patch ASAP. We've also submitted a tech support ticket with Media Temple, since they appear to have been hit hard, at first glance.
    Now, why should this wp.org forum post have been deleted? Did you get any feedback?
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  5. #15
    andrea_r is offline WordPress Rockstar
    Join Date
    Jan 2009
    Location
    Eastern Canada
    Posts
    1,325

    Default

    why should this wp.org forum post have been deleted
    Because if it IS a security issue with WP, you're supposed to email it in (security@wordpress.org), not post publicly all over the place, potentially causing widespread panic and more hacks.

  6. #16
    mastermute is offline Hello World
    Join Date
    Nov 2009
    Posts
    4

    Default

    Quote Originally Posted by andrea_r View Post
    Because if it IS a security issue with WP, you're supposed to email it in (security@wordpress.org), not post publicly all over the place, potentially causing widespread panic and more hacks.
    Well, as much as I appreciate the sentiment in that it seems like an ostrich approach; The info about the security flaws spread like wildfire, you don't even have to Google them to find them... It won't go away just because you can't see it and stopping/censoring information only leads to speculation that you have something to hide...

  7. #17
    frankfarmer is offline Hello World
    Join Date
    Mar 2010
    Posts
    6

    Default

    Quote Originally Posted by andrea_r View Post
    Because if it IS a security issue with WP, you're supposed to email it in (security@wordpress.org), not post publicly all over the place, potentially causing widespread panic and more hacks.
    Keeping information like this under wraps allows attacks to continue. And I don't know about you, but when something like this happens, I want to know ASAP so I can clean the infection up myself.

    MT seems to agree, because they've announced the issue on their blog. This attack has been going on for months, and has hit hundreds of WP installations.



    I gotta say, I've been thoroughly impressed by MT's response to this issue.

  8. #18
    Otto is offline On The Rocks
    Join Date
    Apr 2009
    Location
    Memphis, TN
    Posts
    862

    Default

    Quote Originally Posted by frankfarmer View Post
    Keeping information like this under wraps allows attacks to continue.
    Your thinking on this issue is misguided. If the exploit vector is known, then it is best not released publicly until there is a viable patch for it. Putting information out there before there's a publicly available fix helps nobody.

    Quote Originally Posted by frankfarmer View Post
    MT seems to agree, because they've announced the issue on their blog. This attack has been going on for months, and has hit hundreds of WP installations.
    That's just saying that an exploit exists, not saying what the exploit is. And actually, from reading that, it appears that they don't know what the actual attack vector is yet.

    Quote Originally Posted by mastermute View Post
    Well, as much as I appreciate the sentiment in that it seems like an ostrich approach; The info about the security flaws spread like wildfire, you don't even have to Google them to find them... It won't go away just because you can't see it and stopping/censoring information only leads to speculation that you have something to hide...
    You do have something to hide. The attack itself should be hidden until there's a fix. Every security professional in the world agrees with this.

    When a black hat comes up with a new exploit, usually they exploit it, not tell the world about it. Telling the world about it cuts in on their territory as well as making it more likely that a patch will be created by a white hat.

    But, if a white hat finds an exploit that is being actively exploited by some single black hat like this, then the worst thing he can do is to tell the world, because he's also telling all the black hats, who will now rush to exploit it as fast as possible, before a patch gets put out for it. Instead, he should tell people privately and get a patch developed. Public release of an exploit only makes sense once the patch exists and is being spread.
    Last edited by Otto; 03-03-2010 at 01:58 PM.

  9. #19
    andrea_r is offline WordPress Rockstar
    Join Date
    Jan 2009
    Location
    Eastern Canada
    Posts
    1,325

    Default

    Like Otto says, until there's more information on actually stopping this flaw and being able to fix it, the worst thing to do is to run around telling everyone.

    Which is exactly the point I was making above.

  10. #20
    chipbennett is offline WordPress Legend
    Join Date
    Feb 2009
    Location
    St. Louis, MO
    Posts
    1,993

    Default

    Quote Originally Posted by andrea_r View Post
    Because if it IS a security issue with WP, you're supposed to email it in (security@wordpress.org), not post publicly all over the place, potentially causing widespread panic and more hacks.
    I can understand that, but why delete the thread?

    Wouldn't the better response be to remove the detailed information, with an explanation that the vulnerability is being addressed, and a request to send any further details to security@wordpress.org rather than posting in the forum?

    That way, others who try to do the same thing will at least see that it has been reported, and will have an explanation regarding why it is the inappropriate venue as well as information about the correct means to report?

    Just deleting the thread provides none of these benefits. That was really my only point.

    (And, as others have said: the information is out there. It does absolutely no good to censor the wordpress.org forums regarding the details.)