hacked?

wordpress.org goes down. The forums are gone and the ideas forum is throwing a ‘cannot connect to DB’ error message. Concurrently, Matt posts to all lists advising everyone on 2.1.1 to upgrade to the as yet unannounced 2.1.2. How long ago was 2.1.1 announced? Ten days, according to one of my randomly selected dashboards.

I’m not saying these facts are connected, but if bad stuff has happened to your site and you then urgently tell everyone to upgrade, what are we supposed to think?

edited: apparently the server was insecure rather than the code. This is comforting.

Oh. I’m on one of their servers. Maybe not so much.

14 Comments »

  1. engtech said

    The joy of being popular, means you’re being targeted.

  2. Collin said

    Read the latest blog announcement on wp.org? 😉

  3. engtech said

    Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

    Longer explanation: This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.

    I like that the distinction was made between hacker/cracker.

  4. Oh, they’re pretty big on the hacker/cracker distinction. Besides which, if they said ‘hacker’, people would think it was some disaffected plugin author who got snubbed on wp-hackers 😉

  5. There is one security fix in 2.1.2 (XSS, publicly known), but that was not the impetus for the rushed release. Even without the XSS hole, we’d have to release. If we just fixed the 2.1.1 file that was edited by the malevolent one, users have no easy way of knowing if their copy of 2.1.1 is vulnerable or not. Best to assume that all copies of 2.1.1 downloaded from wp.org are vulnerable.

  6. Best to assume that all copies of 2.1.1 downloaded from wp.org are vulnerable.

    Agreed. The timescale of ‘3-4 days’ since the breach is too vague, and the time since 2.1.1 was first released too short, for anyone sensibly to assume anything else.

    The concern here is that a lot of people appear to be seeing the compromise of 2.1.1 as vindication of their refusal to upgrade the moment a new release comes out, when actually this is totally unrelated to the wordpress habit of putting out a new security release every couple of weeks. It could have happened at any time (though, granted, just after a new release is the optimum time for an attack like this because more people are going to download the backdoored code).

    This also, incidentally, is a good illustration of why the dashboard should be reserved for official news from wordpress.org rather than the pimping of new plugins or Mike Little saying happy birthday to his cat. Signal v. noise, people. You need a channel to communicate urgent news like this to all users, and clogging it up with traffic-seeking tat just encourages people to disable it altogether.

    [goes to look for a plugin that filters the noise]

  7. AJ said

    You forgot to include Bbpress blog comments as well.

  8. I don’t see anything about this on the bbpress blog or in comments. Just a new release that came out the same day as 2.1.1.

    I very much doubt that anyone would bother screwing with the bbpress download, but this may be because I have trouble taking bbpress seriously. I’ve spent too much time on support forums that look like hell and don’t have a decent search function to see it as anything but an extra plaything for diehard WP fanboys.

  9. AJ said

    I was not clear. I meant the bbPress blog comments are now showing up in the dashboard, increasing the noise there.

  10. Really? Why? Do they honestly think anyone cares about bbpress news? I mean, if I don’t care about it it’s a safe bet that 99.99999% of all the other wordpressers don’t care about it either, leaving only Matt, a couple of fanboys determined to suck up to Matt and the odd career moderator.

  11. Root said

    @tga: you need to get out more 🙂

  12. spencerp said

    I like using bbPress myself, and not because of the “who made it” deal either. It’s actually growing pretty rapidly, and offers basically the same functions as other bigger forum software out there today. It also integrates nicely into WP, where most others don’t…

    However, I have to agree though. When I first saw all those “news posts” in the WP dashboard, I was thinking “Oh Jesus, are we going to be getting all these now too?”… IMHO, it wouldn’t be so bad if it was just ONE major news post, but not every one that’s made on the bbPress site LOL!

    What they *should do* is have the bbPress dashboard set up like WP’s, and go nuts on including the bbPress news in that, and maybe add some others as well…? The WP dash should include mainly news about WP itself, not bring tons of news about other software as such. Yeah, yeah, I know… got the two babies but only one crib. Oh well…

  13. engtech said

    This also, incidentally, is a good illustration of why the dashboard should be reserved for official news from wordpress.org rather than the pimping of new plugins or Mike Little saying happy birthday to his cat. Signal v. noise, people. You need a channel to communicate urgent news like this to all users, and clogging it up with traffic-seeking tat just encourages people to disable it altogether.

    Well put.

    I’ve been thinking about how to pimp out update information on my Tag Cloud Generator for WP.com app and played around with the idea of going with an RSS feed (most people don’t use RSS), email subscriptions (gets caught by spam filters), and having the program automatically grab a small “release notes” file on boot up to display to the user anything new (like the WP dashboard).

    I agree that the last method is the most effective, but only if the signal-to-noise ratio is very low.

  14. […] why are you still downloading software in which holes are found every month from a server which was compromised earlier this year? And if you’re so worried about privacy, why are you using software that has a […]
