Wordpress 2.3.3 Hidden Links Injection Exploit and How To Not Let It Happen To You

A friend yesterday running the latest version of wordpress had some hidden links injected in his blog. I know he is very technical and knows what he is doing so started making me a little paranoid. I started search for Wordpress 2.3.3 hidden links injection and as you can see there is a ton of people claiming to be running the latest and greatest Wordpress version yet getting hidden links inserted in there posts. People are also inserting iframes. Its actually pretty effective if you think about it… How would you notice hidden links in old posts?

First I want to say I have never seen any evidence of a fresh 2.3.3 install of Wordpress.

The issue most likely comes from either a previous exploitable file still existing in your Wordpress install directory or from someone who has already hijacked your admin cookie. You see there were some wicked exploits in earlier versions that allowed people to hijack your admin cookie which authenticates you (keep me logged in).

So what to do…. well if you have Wordpress 2.3.3 and you are getting owned regularly here is what you need to do.

1) Make a new fresh install of Wordpress and copy over your must have files… like themes, plugins (MAKE SURE THEY ARE UP TO DATE) , images, wp-config.php

2) change your password right away. In case someone has a old hash of your password.

If you have been following the proper upgrade instructions (minus changing the admin pass) on the Wordpress you should have been doing this the whole time… ya I know I was not either.

If you are a nerd like me you might want to use SVN which is super dope and is a better and easier way to keep up to date if you know how to use SVN. Here are the instructions for that

Anyway security wise out of the box most web servers are not going to help you find out the root of the problem. Most of these are POST requests and unless you are specifically logging them of have mod_security installed …. there is no log anywhere of any POST request to your web server other then one happened.

Thanks to wordpress developer donncha ocaoimh for answering my twitter

Hope this helps anyone who is having there wordpress 2.3.3 getting owned.

Source

Test Center Guide to the Vista and XP Service Packs

San Francisco - As you read this, Microsoft is getting set to deliver the final bits of what has become an increasingly controversial patch cycle. Windows Vista Service Pack 1, which went “gold” a few weeks back, was finally made general available via Windows Update yesterday. Meanwhile, Windows XP Service Pack 3 is nearing its final release, with the RTM drop rumored to be making an appearance sometime this week.

[ Does Vista have what it takes to knock XP off the enterprise desktop? Grab a ringside seat for “Death match: Windows Vista versus XP” ]

The controversy stems from the relatively lukewarm reception of Vista in the enterprise. As I noted in my Enterprise Desktop blog, the vast majority of IT shops will be sticking with Windows XP for the foreseeable future, giving Service Pack 3 a higher profile than would normally have been afforded to a set of patches for a now “obsolete” OS. At the same time, Service Pack 1 for Vista has been drawn, measured, and found wanting, putting yet another nail in the coffin of the would-be replacement for XP.

As we wait for that next Service Pack to drop, let’s take a look at what you can expect from Windows XP Service Pack 3 and Windows Vista Service Pack 1.

Windows XP Service Pack 3
Windows XP Service Pack 3 has been the recipient of copious undue attention. After all, it’s just another compilation of patches and minor tweaks ??? for an obsolete OS, no less. However, with so many shops bypassing Vista, the release of Service Pack 3 has taken on new levels of importance: This may be the last Service Pack they see for their chosen platform before Windows 7 arrives in late 2009.

Fortunately, SP3 manages to deliver. For starters, there’s the usual roll-up of fixes. Currently, Windows XP SP2 users face a deluge of “high priority” patches when they first connect to Windows Update. Maintaining a current installation image ??? with all of the required patches “slipstreamed” into the mix ??? has become a job function in and of itself. Having SP3 as a starting point will reduce the support hassle and minimize the security exposure for newly minted (and, as yet, unpatched) systems.

Feature-wise, XP SP3 is short on headliners (view a table of highlights). There’s the revised network stack with better Black Hole router detection (lower overhead, on by default). Some new cryptographic modules allow developers to better secure their driver code. And you’ll find Network Access Protection (NAP) support so that Windows Server 2008 environments can lock out unpatched PCs or systems that otherwise are not up to standards. There’s nothing earth-shaking here, just solid fixes to basic limitations in the OS core.

Of course, one feature IT shops weren’t expecting ??? a 10 percent performance advantage over SP2 ??? managed to slip in as well. And while the performance boost measured by an independent testing entity (see my blog entry “XP Widening the Gap vs. Vista”) may be nothing more than the accumulated impact of all those post-SP2 Hotfix tweaks, it certainly doesn’t hurt and helps make the case for sticking with Windows XP that much stronger.

Verdict: Windows XP Service Pack 3 is a must-have update for IT shops seeking to extend the life of Windows XP.

Windows Vista Service Pack 1
Service Pack 1 for Windows Vista was a disappointment long before the final bits were frozen. Preliminary tests of a Release Candidate build ??? and later confirmed against the RTM code ??? showed that SP1 would do nothing to address the myriad performance issues that Vista’s early adopters warned us about. Those areas that it did address (file copy operations between local and/or network volumes), while important, were highly specific and had no impact on the general sluggishness and poor overall application throughput that frustrates users to this day.

Recognizing that SP1 is not, and never will be, a performance silver bullet, IT shops are now trying to take stock of what the Service Pack does offer. As with XP Service Pack 3, there are no real headliners. The kernel has been upgraded to the same revision level as Windows Server 2008 (including the built-in backdoor for anti-virus vendors). BitLocker now supports more drive types and configuration scenarios. There are the usual bug fixes and compatibility tweaks. Windows Update has many more drivers available for a better out-of-box experience. Battery life should improve for certain classes of notebook PCs.

Overall, Vista SP1 is an unimpressive release (view table of highlights). In fact, the whole SP1 experience seems a bit anticlimactic. After a year of hush-hush denials and a general refusal to discuss anything Service Pack related, Microsoft’s finished effort seems, well, unfinished. Redmond still has huge performance issues to resolve, even on state-of-the-art hardware. More mysteriously, Microsoft’s own server team has churned out a version of Windows ??? using the same kernel and core SP1 bits — that clobbers Vista across a range of benchmark tests.

Verdict: Deploy Windows Vista Service Pack 1 for the Hotfix consolidation value. You might also get a much-needed driver in the bargain; just don’t expect much in the way of performance improvements.