WordPress cracked, considered armed and dangerous
March 5, 2007 6:44 PM

Upgraded your install of WordPress to 2.1.1 in the last few days? You'll want to upgrade again to 2.1.2 real quick-like. Seems somebody gained access to the server hosting the download file, added some bad code, and now your barn doors are wide open.
posted by 40 Watt (24 comments total) 2 users marked this as a favorite
 
Fortunately, I never bothered to upgrade, and so am still chugging along happily with 2.1.0.
posted by Faint of Butt at 6:51 PM on March 5, 2007


Is this something I'd need a TV to understand?
posted by mazola at 6:56 PM on March 5, 2007


"Is this something I'd need a TV to understand?"

No, a Gutenberg bible.
posted by mr_crash_davis at 7:00 PM on March 5, 2007


Zowie. This is why (independently hosted) MD5 checksums were invented.
posted by sweet mister at 7:07 PM on March 5, 2007


I have been putting off the upgrade to 2.1 on my blog for a while now - I have too many plugins to update before I can make the switch.

I'm glad I don't have to deal with this additional hassle; but I have to wonder if this is the start of a trend - hackers trying to add backdoors to popular open source software.
posted by your mildly obsessive average geek at 7:08 PM on March 5, 2007


This is another one of those signs of much, much worse to come.
posted by fenriq at 7:09 PM on March 5, 2007


I blame anil dash.
posted by justgary at 7:31 PM on March 5, 2007 [5 favorites]


Yeah, that's kind of scary.

I've been thinking about switching to WordPress for a while now for a group blog I'm in charge of. The plugins are cool, and I've seen some really nice WP sites.

But all of the pre-made templates are too crowded and gross for my taste. Are there any good template resources I should check out?
posted by roll truck roll at 7:32 PM on March 5, 2007


This is what PGP-signed releases and self-verifying source code control systems are for. (There was an incident a few years back when someone tried to put a backdoor into the Linux kernel after breaking into a machine hosting a repository — it was caught before it actually went anywhere, though.)
posted by hattifattener at 7:35 PM on March 5, 2007


What's the chance that they actually wipe their compromised server like they're supposed to?
posted by smackfu at 7:51 PM on March 5, 2007


It's worth noting that the file download itself was compromised, not WordPress's source code repository. I work with Drupal and reflexively check files out of CVS rather than downloading archives. It's a lot harder to fake a commit log...
posted by verb at 7:51 PM on March 5, 2007


Zowie. This is why (independently hosted) MD5 checksums were invented.

Well, in this case, wouldn't it pass the md5? Assuming the hacker got into a user system.

In the Linux case, it wasn't caught by an MD5 sum, but by a developer noticing a commit in his name that he didn't make. It would still have passed an MD5 check. What's needed are real digital signatures, both for the builds and checkins. Along with the requirement that developers use a passphrase to access their signing certificates. Oh, and that the developers sign on a known clean machine. Have fun with that :P

In reality, this sort of thing may have happened many times in commercial software, and no one would know. The source to Half-Life 2 was leaked when someone broke into the main developer's machine (when he clicked on an executable attachment!). Someone could have used that account to insert malware, rather than leak the game.
posted by delmoi at 7:54 PM on March 5, 2007
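The point sweet mister, hattifattener and delmoi are circling (a checksum published next to the download proves nothing once the download host itself is owned, while a value obtained out of band still catches the swap) can be shown with a small simulation. This is an added example, not code from the thread or from WordPress; the "release archive" and "injected code" are constructed placeholder bytes, and the attacker model is simply write access to the download server.

```python
import hashlib

# Constructed stand-in for a release archive and for code an attacker appends to it.
CLEAN_RELEASE = b"release-2.1.1.tar.gz (constructed sample bytes)\n"
INJECTED_CODE = b"// injected code (constructed placeholder)\n"


def md5_hex(data: bytes) -> str:
    """MD5 as the thread discusses it; the argument is the same for SHA-256."""
    return hashlib.md5(data).hexdigest()


def publish_release(archive: bytes) -> dict:
    """The download host publishes the archive and, beside it, its checksum."""
    return {"archive": archive, "md5": md5_hex(archive)}


def compromise_server(server: dict, payload: bytes) -> dict:
    """Attacker with write access to the download host swaps the archive and
    regenerates the co-hosted checksum, so the two still agree with each other."""
    tampered = server["archive"] + payload
    return {"archive": tampered, "md5": md5_hex(tampered)}


def verify_against_cohosted(server: dict) -> bool:
    """What most people do: compare the file to the .md5 file on the same host."""
    return md5_hex(server["archive"]) == server["md5"]


def verify_against_pinned(server: dict, pinned_md5: str) -> bool:
    """Compare to a checksum recorded out of band (release announcement,
    mailing list, independent mirror) before the download host was touched."""
    return md5_hex(server["archive"]) == pinned_md5


def run_scenario() -> dict:
    """Returns (co-hosted check, pinned check) results before and after the compromise."""
    pinned = md5_hex(CLEAN_RELEASE)  # captured at release time, not from the download host
    server = publish_release(CLEAN_RELEASE)
    before = (verify_against_cohosted(server), verify_against_pinned(server, pinned))
    server = compromise_server(server, INJECTED_CODE)
    after = (verify_against_cohosted(server), verify_against_pinned(server, pinned))
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(run_scenario())  # {'before': (True, True), 'after': (True, False)}
```

The co-hosted check passes both before and after the tampering, which is exactly why delmoi expects the modified download to "pass the md5"; only the independently obtained value fails afterwards, and a detached signature from a key the attacker never held would fail the same way without needing a trusted mirror.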


> But all of the pre-made templates are too crowded and gross for my taste. Are there any good template resources I should check out?

How about these?
posted by deCadmus at 10:37 PM on March 5, 2007 [5 favorites]


roll truck roll, I'm particularly fond of the Simpla template. Super, super minimalist. Hemingway is also nice.
posted by brundlefly at 1:15 AM on March 6, 2007


Best of the web.
posted by Blazecock Pileon at 4:07 AM on March 6, 2007


I'm still on 2.0.5. I'll eventually get around to upgrading. :)
posted by antifuse at 4:40 AM on March 6, 2007


LOL WordPress. Time to get a real CMS now?
posted by fourcheesemac at 5:14 AM on March 6, 2007


In reality, this sort of thing may have happened many times in commercial software, and no one would know.

OTOH, most commercial software is developed on a private intranet, which cuts down the attacks.
posted by smackfu at 6:26 AM on March 6, 2007


hackers trying to add backdoors to popular open source software

WTF could someone possibly have against the people behind WordPress? I mean, not that hacking is ever right or anything (*inserts CYA statement*) but c'mon - hacking WP? Why? Just so it can be done, or just so someone can be an asshat? I don't understand these people...

fenriq, what does your statement ("this is another one of those signs of much, much worse to come") mean? I'm curious on your thoughts here.
posted by rmm at 8:26 AM on March 6, 2007


rmm: why hack WP? Well, it's a huge installed userbase, and I dunno what this particular hack did, but it sounds like the kind of thing that could be used to set up a nifty difty spam network.
posted by antifuse at 8:33 AM on March 6, 2007


Goddamn it! FUCK. I spent a ton of time over the past few days helping a customer get a WordPress install going.

Now I need to go tear it out and upgrade everything.

Damn little spammer bitches. God, I hate spammers.

Why single out spammers? As antifuse said, large WP installs that run remote code are great for spamming.
posted by drstein at 9:51 AM on March 6, 2007


You shouldn't have to tear anything out; the 2.1.1 to 2.1.2 upgrade touches very little.
posted by mendel at 10:25 AM on March 6, 2007


Thanks a lot, deCadmus and brundlefly. This is inspiring me to try it out again.
posted by roll truck roll at 10:25 AM on March 6, 2007


delmoi writes "In reality, this sort of thing may have happened many times in commercial software, and no one would know."

Like Ken Thompson and the login Trojan in the C compiler?
posted by Mitheral at 6:20 PM on March 6, 2007

