ALERT: WordPress blogs under attack, Users asked to upgrade to 2.8.4

By on

SECURITY BRIEF: Users using an older version of WordPress (that is, before the current version 2.8.4) have been asked to upgrade immediately to the latest version in order to avoid an ongoing attack to users self-hosting their own blog and could lock you out of your account.

While blogs hosted on WordPress.com are not affected as they are upgraded as a new version comes out, the vulnerability is said to be growing by the hour. WordPress is used by governments, huge corporations and other known niche blogs (i.e. Mashable, TechCrunch) all over the world.

The attack, according to Lorelle on WordPress, is exploiting a known security hole in previous versions in the blogging software, allowing the attacker to have administrator access to your account and could get into the database via the pretty permalinks.

There are two clues that your WordPress site has been attacked.

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize.

All users are advised to UPGRADE to the latest version, and those who have already been affected, the only fix is to export all of your posts, uninstall and reinstall WordPress and then re-import all your posts. Because it goes all the way to the database level, it is advised that you use a new database as importing the database would also bring your new blog install affected by the code.

WordPress will also release any new updates immediately with further security improvements if the attackers find a new security hole to exploit.