Security hole in WordPress? Need help with trak.in urgently!

    by Arun Prabhudesai on March 31, 2010

    12 comments

    I am not sure, but there seems to be either some kind of serious security hole in WordPress or a problem with my WP installation. Today again, there were spam posts that got posted on trak.in automatically (all related to iPhone unlock).

    We have the latest version of WordPress (2.9.2), and yet the spammer / hacker has managed to publish posts on trak.in. I am really not sure what to do at this point of time.

    All WordPress Experts out there – Need help to resolve this issue.

    Author

    Arun Prabhudesai is founder / chief editor at trak.in. He jumped the Entrepreneurship bandwagon in early 2008 after a long 13 year stint in I.T Industry. You can follow him on twitter @trakin and Facebook.

    Niranjan March 31, 2010 at 9:15 am

    Hi Arun,
    If I have all WP updates and don’t see anything else wrong, I would check the following:
    - With what user account is it being posted?
    - Is it being posted from any API, 3rd party web, desktop/mobile client?
    - Check the source IP, hostname.
    - Change passwords of all users
    - Change name of the default admin account
    - Check for unused user accounts
    - Check for user accounts permissions (does a normal visitor have access to post?)

    Reply
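The checklist above can be worked through from two things the site owner already has: the web server access log (which client or API posted, from which IP) and an export of the user table (new or over-privileged accounts). The script below is an added example, not code from trak.in or from WordPress; every log line, IP address, user agent and user row in it is constructed for the example, and the log format is Apache's combined format.

```python
"""Triage helper for the checklist above.

Added example, not code from trak.in or WordPress. All log lines, addresses,
user agents and user rows are constructed for the example."""
import re
from collections import Counter
from datetime import date

# Constructed Apache combined-format lines. 203.0.113.7 hammers xmlrpc.php
# from a scripting library, 198.51.100.20 is an editor on Live Writer, and
# 192.0.2.44 self-registers an account through wp-login.php.
ACCESS_LOG = """\
203.0.113.7 - - [31/Mar/2010:03:12:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-xmlrpclib/2.6"
203.0.113.7 - - [31/Mar/2010:03:12:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 498 "-" "python-xmlrpclib/2.6"
198.51.100.20 - - [31/Mar/2010:04:01:44 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1020 "-" "Windows Live Writer 1.0"
192.0.2.44 - - [31/Mar/2010:02:58:30 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [31/Mar/2010:02:58:31 +0000] "GET /wp-login.php?checkemail=registered HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
this line is not a log entry and is skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed rows in the shape of a wp_users / role export.
TODAY = date(2010, 3, 31)
USERS = [
    {"login": "arun",       "registered": date(2008, 1, 10), "role": "administrator"},
    {"login": "editor1",    "registered": date(2009, 5, 2),  "role": "editor"},
    {"login": "iphn_unl0k", "registered": date(2010, 3, 30), "role": "subscriber"},
]
PUBLISHING_ROLES = {"administrator", "editor", "author"}


def parse_log(text):
    """Yield one dict per well-formed combined-log line; malformed lines are dropped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def xmlrpc_posters(text):
    """Which client/API and source IP talk to xmlrpc.php: POST count per (ip, user agent)."""
    counts = Counter()
    for r in parse_log(text):
        if r["method"] == "POST" and r["path"].split("?")[0] == "/xmlrpc.php":
            counts[(r["ip"], r["ua"])] += 1
    return counts


def registration_ips(text):
    """Source IPs that submitted the self-registration form (POST wp-login.php?action=register)."""
    return sorted({r["ip"] for r in parse_log(text)
                   if r["method"] == "POST" and r["path"].startswith("/wp-login.php")
                   and "action=register" in r["path"]})


def account_review(users, today=TODAY, max_age_days=7):
    """Accounts created in the last max_age_days and accounts whose role can publish;
    every login in either list should have a known owner on the team."""
    recent = [u["login"] for u in users if (today - u["registered"]).days <= max_age_days]
    can_publish = [u["login"] for u in users if u["role"] in PUBLISHING_ROLES]
    return {"recent": recent, "can_publish": can_publish}


if __name__ == "__main__":
    for (ip, ua), n in xmlrpc_posters(ACCESS_LOG).most_common():
        print(f"{n:3d} POST /xmlrpc.php from {ip} using {ua!r}")
    print("registrations from:", registration_ips(ACCESS_LOG))
    print("accounts to review:", account_review(USERS))
```

On a real log the interesting output is a (source IP, user agent) pair that is not one of the editors' publishing clients but still gets HTTP 200 from xmlrpc.php, lined up in time with the registrations and with the creation date of the unknown account.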

    Arun Prabhudesai March 31, 2010 at 9:23 am

    Hi Niranjan,
    Thanks for the questions..

    - It is a completely new account, automatically created, with subscriber privileges
    - I don't know how it was posted…
    - Changed all passwords for all users and deleted that new account as well
    - OK, will change the default admin account
    - Deleted all unused user accounts
    - No, he does not.

    Thanks for all the inputs..

    Reply

    Vamsee March 31, 2010 at 9:57 am

    Was surprised to see the iPhone stuff in the RSS feed again. You might want to delete the file xmlrpc.php – this is mainly used for posting through remote posting tools, like desktop publishing clients and phones. This is the origin of quite a few security holes in WP. Deleting this file won’t affect the functioning of the site itself in any way.

    Reply

    Arun Prabhudesai March 31, 2010 at 10:35 am

    Vamsee,
    All my editors, as well as me, post through Live Writer to the blog, which requires the xmlrpc.php file. Hence cannot delete it…

    But I think I will need to find a way around if xmlrpc is going to be an issue..

    Reply

    niranjan March 31, 2010 at 10:15 am

    Isn't xmlrpc used for pingback? And I’ve seen this misused only for posting spam comments, but not entire posts. Akismet filters out most such spam comments. The problem here is that spam blog posts are posted automatically with new user accounts.

    Reply

    Arun Prabhudesai March 31, 2010 at 10:36 am

    Niranjan,

    xmlrpc file is also used to publish posts, but requires proper authentication.

    Reply
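Both points in the exchange above are right: pingbacks and post publishing arrive at the same xmlrpc.php URL, so deleting the file or blocking the URL cannot separate them, but the XML-RPC methodName inside the request body can. The script below is an added example, not code from trak.in or from WordPress: it parses request bodies the way a server-side filter or a request-body log would see them and applies a policy that leaves pingbacks open while accepting publishing calls only from the addresses the editors actually post from. The request bodies, the IP addresses and the trusted-editor list are constructed; the method names are WordPress's XML-RPC method names (the wp.* ones exist only in releases later than 2.9).

```python
"""Classify XML-RPC calls to xmlrpc.php by method, as discussed above.

Added example, not trak.in or WordPress code. Request bodies, IPs and the
trusted-editor list are constructed."""
import xmlrpc.client
from xml.parsers.expat import ExpatError

# Method names WordPress registers for creating or editing posts, mapped to the
# index of the username parameter in each call signature.
PUBLISHING_METHODS = {
    "metaWeblog.newPost": 1,   # (blogid, username, password, struct, publish)
    "metaWeblog.editPost": 1,  # (postid, username, password, struct, publish)
    "blogger.newPost": 2,      # (appkey, blogid, username, password, content, publish)
    "wp.newPost": 1,           # (blog_id, username, password, content)  WP 3.4+
    "wp.editPost": 1,          # (blog_id, username, password, post_id, content)  WP 3.4+
}

# Constructed request bodies.
NEW_POST_BODY = """<?xml version="1.0"?>
<methodCall>
  <methodName>metaWeblog.newPost</methodName>
  <params>
    <param><value><string>1</string></value></param>
    <param><value><string>iphn_unl0k</string></value></param>
    <param><value><string>REDACTED</string></value></param>
    <param><value><struct>
      <member><name>title</name><value><string>constructed spam title</string></value></member>
      <member><name>description</name><value><string>constructed body</string></value></member>
    </struct></value></param>
    <param><value><boolean>1</boolean></value></param>
  </params>
</methodCall>"""

PINGBACK_BODY = """<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://example.net/some-post</string></value></param>
    <param><value><string>http://example.org/our-post</string></value></param>
  </params>
</methodCall>"""


def classify(body):
    """Parse one XML-RPC request and report method, kind and (for publishing calls) the user."""
    try:
        params, method = xmlrpc.client.loads(body)
    except (ExpatError, xmlrpc.client.ResponseError):
        return {"method": None, "kind": "malformed", "user": None}
    if method in PUBLISHING_METHODS:
        idx = PUBLISHING_METHODS[method]
        user = params[idx] if len(params) > idx else None
        return {"method": method, "kind": "publish", "user": user}
    if method == "pingback.ping":
        return {"method": method, "kind": "pingback", "user": None}
    return {"method": method, "kind": "other", "user": None}


def decide(body, source_ip, trusted_editor_ips):
    """Policy: pingbacks and other calls stay open, publishing calls are accepted only
    from the addresses the editors post from (e.g. the Live Writer workstations), and
    unparseable bodies are rejected. Returns the decision plus a reason for the log."""
    info = classify(body)
    if info["kind"] == "malformed":
        return {"action": "reject", "reason": "unparseable XML-RPC body", **info}
    if info["kind"] == "publish" and source_ip not in trusted_editor_ips:
        return {"action": "reject", "reason": f"{info['method']} from untrusted {source_ip}", **info}
    return {"action": "allow", "reason": "policy permits", **info}


if __name__ == "__main__":
    trusted = {"198.51.100.20"}  # constructed: the editors' workstation address
    for body, ip in ((NEW_POST_BODY, "203.0.113.7"),
                     (NEW_POST_BODY, "198.51.100.20"),
                     (PINGBACK_BODY, "203.0.113.7")):
        d = decide(body, ip, trusted)
        print(d["action"], d["method"], d["user"], "-", d["reason"])
```

The same classification run over logged bodies after the fact answers "how was it posted": a publishing method carrying the new subscriber's username from an address no editor uses is the trail to follow, and a reject decision on that combination is the minimum change that keeps Live Writer working.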

    Chowdary March 31, 2010 at 10:33 am

    Hey Arun,

    Check this out: Did your WordPress site get hacked?

    The above link has very good info.

    BTW, like Vamsee mentioned above, most of the time it’s xmlrpc.php

    Good Luck.

    Reply

    Akash March 31, 2010 at 11:03 am

    You need to check your WP user list. Is there any username added with additional privileges? Also, if you have a database backup you can trust, I would recommend starting with a clean OS install and a clean WordPress install.

    Please email me if you have any specific questions or need help with analyzing the web server logs.

    HTH

    Reply

    Arun Prabhudesai March 31, 2010 at 11:07 am

    Akash,
    Thanks for your reply, that is a good suggestion. I will surely get back to you if I need any analysis of logs. Yes, and I have checked the complete user list.

    Reply

    Abhay March 31, 2010 at 11:05 am

    Change your FTP passwords

    Change your MySQL database passwords and update the same on the trak blog.

    Also scan your system for viruses which might have stolen it from your hard drive.

    Hope that helps…

    I had a similar problem on my website http://indiamicrofinance.com/

    Eventually the problem was caused by a security flaw in my hosting company Media Temple, and they posted a report and are still working to rectify it
    http://weblog.mediatemple.net/weblog/category/system-incidents/gs-investigating-potential-exploit/

    Reply

    Sumeet Sahu March 31, 2010 at 11:25 am

    Hi,

    I am not an expert on WP. But still, I would like to suggest that

    - Check the “Post via e-mail” setting of your WordPress.
    - Check for any back-door entry. I mean to say, your site was hacked long back and the hacker might have opened a back door which you are not able to see. For this you mostly have to go to the theme editor and see each and every line of code to find anything suspicious.

    I hope your problem gets solved soon. And please post once you know the solution, which can be a point of reference for others.

    Thanks and Regards
    Sumeet Sahu

    Reply
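Reading every line of the theme by hand is the thorough version of the second suggestion above; a first pass can be automated by looking for constructs that legitimate theme code almost never needs and for files changed after the last known-good deployment. The script below is an added example, not code from trak.in or from WordPress, and covers both points in that comment: the post-via-e-mail mailbox options (the option names are WordPress's; the placeholder values they ship with are assumed here) and a scan of theme and plugin files. The file contents, modification dates and option values are constructed, and the indicator list is illustrative, not exhaustive: a hit is a reason to read the file, not proof of compromise.

```python
"""First-pass checks for the post-via-e-mail setting and for an injected back door.

Added example, not trak.in or WordPress code. Option values, file contents and
modification dates are constructed; WordPress's shipped placeholder values for the
mailserver_* options are assumed."""
import re
from datetime import datetime

# Constructs that legitimate theme code almost never needs (illustrative list).
INDICATORS = [
    ("eval_of_decoded", re.compile(r'\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I)),
    ("eval_of_request", re.compile(r'\beval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b', re.I)),
    ("exec_of_request", re.compile(r'\b(system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b', re.I)),
    ("preg_replace_e", re.compile(r'preg_replace\s*\(\s*([\'"])/.*?/[a-z]*e[a-z]*\1', re.I | re.S)),
    ("create_function", re.compile(r'\bcreate_function\s*\(', re.I)),
    ("long_base64_blob", re.compile(r'[A-Za-z0-9+/]{200,}={0,2}')),
]

# Constructed tree: path -> (contents, last modification time).
FILES = {
    "wp-content/themes/example-theme/footer.php": (
        "<?php wp_footer(); ?>\n</body></html>\n", datetime(2009, 11, 2)),
    "wp-content/themes/example-theme/functions.php": (
        "<?php\nadd_action('init', 'example_theme_setup');\n"
        "eval(base64_decode('ZWNobyAnaGknOw=='));\n",   # constructed; decodes to: echo 'hi';
        datetime(2010, 3, 28)),
    "wp-content/plugins/example-plugin/plugin.php": (
        "<?php\n/* Plugin Name: Example */\n$x = preg_replace('/a/i', 'b', $y);\n",
        datetime(2009, 12, 1)),
}
KNOWN_GOOD = datetime(2010, 3, 1)  # constructed: date of the last clean deployment

# Post-via-e-mail mailbox options with the placeholder values WordPress ships (assumed).
MAILSERVER_DEFAULTS = {
    "mailserver_url": "mail.example.com",
    "mailserver_login": "login@example.com",
    "mailserver_pass": "password",
}
OPTIONS = dict(MAILSERVER_DEFAULTS)  # constructed wp_options rows: still the placeholders


def indicators_in(content):
    """Names of every indicator that matches the file contents."""
    return [name for name, rx in INDICATORS if rx.search(content)]


def scan_tree(files, modified_since):
    """Files worth reading by hand: any indicator hit, or a change after modified_since."""
    report = {}
    for path, (content, mtime) in files.items():
        hits = indicators_in(content)
        recent = mtime > modified_since
        if hits or recent:
            report[path] = {"hits": hits, "modified_recently": recent}
    return report


def post_via_email_enabled(options):
    """True when the mailbox settings differ from the shipped placeholders, i.e. someone
    has configured a mailbox whose messages become posts."""
    return any(options.get(key, default) != default for key, default in MAILSERVER_DEFAULTS.items())


if __name__ == "__main__":
    print("post via e-mail configured:", post_via_email_enabled(OPTIONS))
    for path, info in scan_tree(FILES, KNOWN_GOOD).items():
        print(path, info)
```

Run against a real checkout, the modification-time check is the more reliable of the two: indicator regexes are easy to evade, but a theme file that changed on a day nobody deployed anything needs an explanation regardless of what it contains.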

    apu March 31, 2010 at 11:40 am

    While I don’t have a technical suggestion – once you resolve the issue, does it also make sense to try and catch the hacker/file a legal complaint? Not sure how good our cyber-sleuths are, but perhaps they can help. This is a serious issue.

    Reply
