Trak.in is a popular Indian Business, Technology, Mobile & Startup blog featuring trending News, views and analytical take on Technology, Business, Finance, Telecom, Mobile, startups & Social Media Space

Security hole in wordpress? Need Help with trak.in urgently !

12

I am not sure, but there seems to be either some kind of serious security hole in wordpress or my wp installation seems to be a problem. Today again, there were spam posts that got posted on trak.in automatically (all related to iphone unlock ).

We have the latest version of wordpress (2.9.2), and yet the spammer / hacker has managed to publish posts on trak.in. I am really not sure what to do at this point of time.

All WordPress Experts out there – Need help to resolve this issue.

  1. apu says

    While I don’t have a technical suggestion – once you resolve the issue, does it also make sense to try and catch the hacker/file a legal complaint? Not sure how good our cyber-sleuths are, but perhaps they can help. This is a serious issue.

  2. Sumeet Sahu says

    Hi,

    I am not any expert of WP. But still, I would like to suggest that

    -check “Post via e-mail” setting of your wordpress.
    -Check for any back-door entry. I mean to say, you site was hacked long back and the hacker might have opened a back door which you are not able to see. For this you mostly have to go to the theme editor and see each and every line of code to find any suspicion.

    I hope you problem get solved soon. And please post once you know the solution, which can be a point or reference for others.

    Thanks and Regards
    Sumeet Sahu

  3. Abhay says

    Change your ftp passwords

    Change your mysql database passwords and update the same on the trak blog.

    Also scan your system for viruses which might have stolen it from your hardrive.

    Hope that helps…

    I had a similar problem on my website http://indiamicrofinance.com/

    Eventually the problem was caused by security flaw in my hosting company media temple and they posted a report and are still working to recitify it
    http://weblog.mediatemple.net/weblog/category/system-incidents/gs-investigating-potential-exploit/

  4. Akash says

    You need to check your wp user list. Is there any usernamed added with additional privileges. Also if you have a database backup can you can trust I would recommend starting with a clean OS install and a clean wordpress install.

    Please email me if you have any specific questions or need help with analyzing the web server logs.

    HTH

    1. Arun Prabhudesai says

      Akash,
      Thanks for your reply, that is a good suggestion. I will surely get back to you if I need any analysis of logs. Yes, and I have checked the complete user list.

  5. Chowdary says

    Hey Arun,

    Check this out : Did your WordPress site get hacked?

    The above link has very good info.

    BTW, like Vamsee mentioned above most of the times it’s xmlrpc.php

    Good Luck.

  6. niranjan says

    Isnt the xmlrpc is used for pingback? And I’ve seen this is misused only for posting spam comments but not entire posts. Akismet filters out most of such spam comments. The problem here is spam blogposts are posted automatically with new user accounts.

    1. Arun Prabhudesai says

      Niranjan,

      xmlrpc file is also used to publish posts, but requires proper authentication.

  7. Vamsee says

    Was surprised to see the iphone stuff in the rss feed again. You might want to delete the file xmlrpc.php – this is mainly used for posting through remote posting tools, like desktop publishing clients and phones. This is the origin of quite a few security holes in Wp. Deleting this file won’t affect the functioning of the site itself in any way.

    1. Arun Prabhudesai says

      Vamsee,
      All my editors as well as me, post thru Live writer to the blog, which requires xmlrpc.php file. Hence cannot delete it…

      But I think I will need to find a way around if xmlrpc is going to be an issue..

  8. Niranjan says

    Hi Arun,
    If I have all WP updates and don’t see anything else wrong, I would check the following:
    – With what user account is it being posted?
    – Is it being posted from any API, 3rd party web, desktop/mobile client?
    – Check the source IP, hostname.
    – Change passwords of all users
    – Change name of the default admin account
    – Check for unused user accounts
    – Check for user accounts permissions (does a normal visitor has access to post?)

    1. Arun Prabhudesai says

      Hi Niranjan,
      Thanks for the questions..

      -It is a completely new account automatically created and has subscriber privileges
      -I dont know how it was posted…
      – changed all passwords for all users and deleted that new account as wsell
      – ok, will change the default admin account
      – deleted all unused user accounts
      – no he does not.

      Thanks for all the inputs..

Leave A Reply

Your email address will not be published.