
Thread: Webhosting Companies And Security Related Attacks

  1. #31
    Otto is offline On The Rocks
    Join Date
    Apr 2009
    Location
    Memphis, TN
    Posts
    862

    Quote Originally Posted by chipbennett View Post
    My only disagreement is that those who are being exploited - or who may potentially be exploited - have a right to know about what's going on, so that they can try to protect themselves.
    There's no evidence that it's a WordPress exploit. So there's nothing to disclose on the matter.

    I don't think it's necessary to make a post on the WordPress forums every time some random host that happens to run WordPress on some sites gets their systems hacked. WordPress runs a *lot* of the web. Odds are good that any random site being hacked will have a WordPress installation on it.

    When you can show that it's a WordPress problem, fine. If not, there's no reason to get people worked up over nothing.

  2. #32
    Ipstenu is offline Big Tipper
    Join Date
    Feb 2010
    Posts
    368

    It can be argued that leaving the sensitive info removed, but the general topic out there, will still raise noticeability of a dangerous issue. For me, it's a question of who do I trust more: WordPress or the thousands of visitors to the forum. I'm playing a bit of devil's advocate. I can't see a way to get the info out there to the populace without simultaneously raising the likelihood of MORE hacks. Out-thinking evil doers isn't easy.

    I'd rather see a trac ticket, personally, but that has its own problems. Were I a naughty hacker, I'd sure as heck be trolling trac.

  3. #33
    chipbennett is offline WordPress Legend
    Join Date
    Feb 2009
    Location
    St. Louis, MO
    Posts
    1,992

    Quote Originally Posted by Otto View Post
    There's no evidence that it's a WordPress exploit. So there's nothing to disclose on the matter.

    I don't think it's necessary to make a post on the WordPress forums every time some random host that happens to run WordPress on some sites gets their systems hacked. WordPress runs a *lot* of the web. Odds are good that any random site being hacked will have a WordPress installation on it.

    When you can show that it's a WordPress problem, fine. If not, there's no reason to get people worked up over nothing.
    My primary argument for leaving such a forum post, rather than deleting it, is that it can be modified by a moderator to indicate a) why it is/is not appropriate to post at this time, and b) where such reports should more properly be sent.

    Deleting the post, rather than using it to get correct information out, may just lead to "whack-a-mole" as more people post the same, incorrect/inappropriate information in the forums.

    Leave the post. Moderate it. Avoid similar/duplicate posts.

    That's all I'm trying to say. Everything else (regarding the nature of the hack, the root cause, etc.) is speculation at this point.
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  4. #34
    chipbennett is offline WordPress Legend
    Join Date
    Feb 2009
    Location
    St. Louis, MO
    Posts
    1,992

    Quote Originally Posted by Ipstenu View Post
    It can be argued that leaving the sensitive info removed, but the general topic out there, will still raise noticeability of a dangerous issue. For me, it's a question of who do I trust more: WordPress or the thousands of visitors to the forum. I'm playing a bit of devil's advocate. I can't see a way to get the info out there to the populace without simultaneously raising the likelihood of MORE hacks. Out-thinking evil doers isn't easy.

    I'd rather see a trac ticket, personally, but that has its own problems. Were I a naughty hacker, I'd sure as heck be trolling trac.
    Again, as Otto has said in the past: there is no security through obscurity. Censoring the wp.org forums isn't going to stop in the least the information from spreading.

  5. #35
    Otto is offline On The Rocks
    Join Date
    Apr 2009
    Location
    Memphis, TN
    Posts
    862

    Quote Originally Posted by chipbennett View Post
    My primary argument for leaving such a forum post, rather than deleting it, is that it can be modified by a moderator to indicate a) why it is/is not appropriate to post at this time, and b) where such reports should more properly be sent.

    Deleting the post, rather than using it to get correct information out, may just lead to "whack-a-mole" as more people post the same, incorrect/inappropriate information in the forums.

    Leave the post. Moderate it. Avoid similar/duplicate posts.

    That's all I'm trying to say. Everything else (regarding the nature of the hack, the root cause, etc.) is speculation at this point.
    FTR, I didn't delete the post. I never even saw it. So I have no idea what was in it. I probably wouldn't have deleted it. If it got out of hand, I would likely close it instead.

    That said, I still think that it is rather pointless to get all up in arms because of some host reporting that a lot of their sites got hacked. Hosts get hacked all the time. Not all of them are worthy of special attention.

    And IMO, MT getting hacked is not worthy of special attention either, unless and until something special happens regarding it. I'm just sayin', is all.

    When posts like that show up on the forums, very frequently they lead to dozens of people piling on with pointless bashing comments and then we end up having to close it down, and then playing whack-a-mole with people starting new threads and such. It's annoying. So generally we'd prefer not to start trouble unnecessarily.

    This is still a host's problem. If there's an issue, they can notify their own customers.

  6. #36
    Jeffro is offline WPTavern Forum Admin
    Join Date
    Jan 2009
    Location
    Ohio
    Posts
    2,358

    I don't know if the WordPress.org forum has a policy in place or not to deal with these situations unless deleting the thread is standard operating procedure. But if I were moderator, I would have just removed the information tied to the alleged attack and then I would have responded with a canned response that if they believe there was a vulnerability with WordPress, to send the information to security at WordPress dot org.

    I think all of the forum moderators operate on an individual basis with the WP-Forums mailing list used as a way to consult with each other on specific issues.

  7. #37
    frankfarmer is offline Hello World
    Join Date
    Mar 2010
    Posts
    6

    Thanks to a tip from vinh, I found some more files from this attack today.

    I ran
    Code:
    find -name '*.php' | xargs fgrep -i 'eval(base64_decode'
    which turned up 3 files.

    First, the original php file ("zfy.php", on my host) was back (although base64 encoded this time), and serving pages again. I unfortunately deleted it before thinking to check its creation date to see when it had been recreated. Secondly, two files I hadn't seen before surfaced:

    Code:
    -rw-r--r--  1 317K Jan 25 05:52 ./wp-admin/includes/wp-tomi.php
    -rw-r--r--  1 317K Jan 25 05:52 ./wp-admin/css/wp-tawy.php
    Vinh reported he'd found this file in
    Code:
    ./wp-admin/images/wp_qupi.php
    This leaves me a little concerned about the quality of MT's cleanup effort.
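
A triage sketch for the search in post #37, added here as an example and not part of any poster's message: it runs the same `eval(base64_decode` search, but records each file's timestamps and hash and moves it aside instead of deleting it. It goes slightly beyond the posted command by tolerating whitespace around the parenthesis; the function names, the manifest layout and the `.quarantined` suffix are assumptions of this example, and GNU find, grep, stat and sha256sum are assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU find, grep, stat, sha256sum.

# The post's fixed string, loosened to tolerate whitespace around the parenthesis.
PATTERN='eval[[:space:]]*\([[:space:]]*base64_decode'

# list_suspects ROOT: print each *.php file under ROOT that matches PATTERN.
# "-exec ... {} +" hands names to grep as arguments, so spaces in paths are safe.
list_suspects() {
    # grep exits 1 for a batch with no match; that is not an error here.
    find "${1:-.}" -type f -name '*.php' -exec grep -Eil -- "$PATTERN" {} + || :
}

# record_evidence ROOT: one tab-separated line per suspect:
#   mtime, ctime, size in bytes, SHA-256, path
# ctime is kept because mtime can be reset by whoever wrote the file.
record_evidence() {
    list_suspects "$1" | while IFS= read -r f; do
        printf '%s\t%s\t%s\t%s\t%s\n' \
            "$(stat -c %y -- "$f")" "$(stat -c %z -- "$f")" "$(stat -c %s -- "$f")" \
            "$(sha256sum -- "$f" | cut -d' ' -f1)" "$f"
    done
}

# quarantine ROOT DEST: write DEST/manifest.tsv first, then move every suspect
# into DEST under a non-.php name. Prints the number of files moved.
quarantine() {
    root=$1
    dest=$2
    mkdir -p "$dest" && chmod 700 "$dest"
    record_evidence "$root" > "$dest/manifest.tsv"
    cut -f5 "$dest/manifest.tsv" | while IFS= read -r f; do
        safe=$(printf '%s' "$f" | tr '/' '_')
        mv -- "$f" "$dest/$safe.quarantined"   # mv keeps the original mtime
    done
    wc -l < "$dest/manifest.tsv"
}

# Usage: quarantine /path/to/webroot /path/outside/webroot/quarantine
```

The manifest is written before any file is moved, so the timestamps survive even if a quarantined copy is later lost.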

  8. #38
    Jeffro is offline WPTavern Forum Admin
    Join Date
    Jan 2009
    Location
    Ohio
    Posts
    2,358

    Wondering if Scott from Media Temple can update us on whether they have been able to find a cause of these spam attacks and if they have concluded whether WordPress is part of the problem or not.

  9. #39
    Ipstenu is offline Big Tipper
    Join Date
    Feb 2010
    Posts
    368

    They've updated their post on it, as of Friday.

    http://weblog.mediatemple.net/weblog...ntial-exploit/

    As the root cause or source of the issue is still under heavy investigation, we will follow up by providing an Incident Review Post within 24-48 hours to talk about what happened, why it happened, and what we will take-away in light of this System Incident.

  10. #40
    Jeffro is offline WPTavern Forum Admin
    Join Date
    Jan 2009
    Location
    Ohio
    Posts
    2,358

    Good to know. Thanks for the link.
