WordPress Worm Requires Upgrade to 2.8.4
September 7th, 2009 | Posted in WordPress
I woke up from my long Sunday nap to see all kinds of commotion about upgrading WordPress to 2.8.4 due to a worm that is currently circulating. The WordPress blog reports:
Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.
Upgrading to 2.8.4 is easy and won’t take more than 5 minutes. One caveat before you start: upgrading closes the hole the worm uses to get in, but if it has already got in, the upgrade alone won’t clean it out, because the infection lives in your database and has to be cleaned up separately. Here’s the process I recommend:
- Back up your database. If you don’t already have a WordPress backup plugin, go to Plugins > Add New and install WP-dbmanager. On some web hosts this plugin doesn’t work; if that’s the case, use WP-DB-Backup. Either plugin prompts you to download a .sql file, which contains all the content from your posts, pages, comments, and settings. Keep that file somewhere off the server before you go any further.
- Go to Tools > Upgrade and click Upgrade Automatically. If you receive an error here, deactivate all your plugins and try it again.
That’s it. If for some reason the above method for upgrading doesn’t work, you can upgrade manually: delete the wp-admin and wp-includes folders and WordPress’s own files in your root (index.php, xmlrpc.php, the wp-*.php files, license.txt and readme.html), leaving wp-config.php, .htaccess, the wp-content folder, and anything that isn’t part of WordPress, such as another application you’ve installed in the same directory. Then download the latest version from wordpress.org and FTP the files up as replacements. It always freaks me out to hit the delete key in there and see dozens of files disappear, but just remember that your posts and settings are stored in the MySQL database and your uploads, themes and plugins in wp-content, not in the files you’re deleting.
Here’s one other security measure. If you’ve had your blog for a while (a year or more), download wp-config.php (this file is in your root and contains your database credentials) and make sure it has the secret-key definitions that newer versions of WordPress expect: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY (compare with wp-config-sample.php from the latest WP download). Each one should be set to a long random string, not left blank or at the sample’s “put your unique phrase here” placeholder; the secret-key service on wordpress.org generates random values for you.
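To make the steps above concrete (the database backup, the delete half of the manual upgrade, and the wp-config.php key check), here is a small helper script. It is an added example written for this page, not code from the original post or from WordPress. It assumes the 2.8-era file layout (wp-admin, wp-includes, wp-content, index.php, xmlrpc.php, wp-*.php, license.txt, readme.html), a stock wp-config.php with one define() per line, and that sed, date and mysqldump are installed; the function names, the 32-character key-length heuristic and the wp_make_sample_root fixture are this example’s own, and the sample blog tree it builds is constructed, not a real site.

```shell
#!/bin/sh
# Added example for this post, not code from the original article or from
# WordPress. Assumptions: WordPress 2.8-era file layout; wp-config.php uses the
# stock one-define-per-line form; sed, date and mysqldump are on PATH.
# Usage: sh wp-upgrade-helper.sh            (dry run on a constructed tree)
#        sh wp-upgrade-helper.sh ROOT       (print backup command, check keys)
#        sh wp-upgrade-helper.sh ROOT clean (also delete WordPress's own files)

# wp_config_value FILE NAME: print the value of define('NAME', '...') in FILE.
wp_config_value() {
    sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# wp_backup_cmd ROOT: print (do not run) the mysqldump command for step 1,
# reading the credentials from ROOT/wp-config.php. The password is left to the
# -p prompt on purpose rather than put on the command line, where ps would show it.
wp_backup_cmd() {
    cfg="$1/wp-config.php"
    db=$(wp_config_value "$cfg" DB_NAME)
    user=$(wp_config_value "$cfg" DB_USER)
    host=$(wp_config_value "$cfg" DB_HOST)
    printf "mysqldump --single-transaction -h '%s' -u '%s' -p '%s' > 'wp-backup-%s-%s.sql'\n" \
        "$host" "$user" "$db" "$db" "$(date +%Y%m%d)"
}

# wp_config_keys_ok FILE: succeed only if the four secret keys WordPress 2.8 reads
# from wp-config.php are defined and not left at the sample placeholder.
# The 32-character minimum is this example's heuristic, not a WordPress rule.
wp_config_keys_ok() {
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY; do
        v=$(wp_config_value "$1" "$k")
        case "$v" in
            ''|'put your unique phrase here') return 1 ;;
        esac
        [ "${#v}" -ge 32 ] || return 1
    done
    return 0
}

# wp_clean_for_manual_upgrade ROOT: the delete half of the manual upgrade.
# Removes only WordPress's own files; keeps wp-config.php, .htaccess, wp-content/
# and anything non-WordPress (e.g. another app) that shares the directory.
wp_clean_for_manual_upgrade() {
    root="$1"
    [ -f "$root/wp-config.php" ] || { echo "no wp-config.php in $root" >&2; return 1; }
    rm -rf "$root/wp-admin" "$root/wp-includes"
    for f in "$root"/wp-*.php "$root/index.php" "$root/license.txt" \
             "$root/readme.html" "$root/xmlrpc.php"; do
        case "$f" in */wp-config.php) continue ;; esac
        [ -e "$f" ] || continue
        rm -f "$f"
    done
    return 0
}

# wp_make_sample_root DIR: build a constructed (not real) blog tree for a dry run,
# with placeholder secret keys and a non-WordPress app (phplist/) alongside.
wp_make_sample_root() {
    mkdir -p "$1/wp-admin" "$1/wp-includes" "$1/wp-content/uploads" "$1/phplist"
    cat > "$1/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'blogdb');
define('DB_USER', 'bloguser');
define('DB_PASSWORD', 'secret');
define('DB_HOST', 'localhost');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
EOF
    touch "$1/.htaccess" "$1/index.php" "$1/wp-login.php" "$1/xmlrpc.php" \
          "$1/wp-admin/admin.php" "$1/wp-includes/functions.php" \
          "$1/wp-content/uploads/photo.jpg" "$1/phplist/index.php"
}

if [ -z "$1" ]; then
    root=$(mktemp -d); wp_make_sample_root "$root"; mode=clean
    echo "dry run on constructed tree $root"
else
    root="$1"; mode="$2"
fi
echo "1. back up the database:  $(wp_backup_cmd "$root")"
if wp_config_keys_ok "$root/wp-config.php"; then
    echo "secret keys in wp-config.php look set"
else
    echo "secret keys in wp-config.php are missing or still the sample placeholder; regenerate them"
fi
if [ "$mode" = clean ]; then
    wp_clean_for_manual_upgrade "$root"
    echo "2. deleted WordPress's own files under $root; now upload the fresh 2.8.4 files"
fi
```

The script prints the mysqldump command rather than running it so you can check it before entering the password at the prompt; run it with `clean` only after the .sql file is safely downloaded, and then FTP the fresh release over what remains.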
While you’re upgrading, look at your list of plugins. Most likely a few of them have updates that you can apply by clicking Update Automatically next to each plugin.
If you need help upgrading your WordPress blog, let me know. If you’re a personal friend, I may do it for free.
Hi Tom. Great post. However, if you’ve already been attacked, the hack goes deep into your WordPress database, so upgrading is not an immediate option; you’ll have to clean up the database first. Lorelle gives some tips on (1) recognizing when you’ve been hacked and (2) cleaning up your database after a hack. You can find them at http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/
- Judy
Judy, thanks for the comment and link to Lorelle’s post. Her post is a lot more informative, especially on how to diagnose whether you’re already infected.
[...] Background: The WordPress Worm struck the old Area 224 site. It struck quite a few sites. Here’s a great write-up on what happened from an appropriately named site: I’d Rather Be Writing. [...]
I did suffer from the attack and was very confused about what to do and what not. I got to know now that I need to clean up my database and make it correct again. Thank God I came to this post and I got saved.
Sorry to hear that you were attacked, but my post doesn’t really explain how to recover, just how to prevent. Lorelle’s post has more about recovering.
Great post. Got me to update my system, which I needed to do manually. But, it worked, and the new version has some nice features (best being automatic update of plugins), so I should kick myself for waiting so long.
One thing I noticed in updating manually. I had a couple of other things going in my home directory (e.g., phplist), so the instructions to delete everything really meant (for me) to delete everything wordpress related (other than the exceptions noted).
Thanks, Tom, for making this information available to your readers.
Richard, thanks for pointing out that users shouldn’t delete everything in their root directory. You’re definitely right. I made such a quick description of the task, I didn’t think anyone would actually follow my instructions. You must have had an old version of WP if you had to upgrade manually. The new automatic upgrade is a huge relief, given how often new versions are released.
Here is the source code of what the “worm” installs..

I have deobfuscated the nested base64 encoding and I’ve posted the source code …
You can use it to back up files and MySQL DBs.
Have fun
http://pastebin.com/f3c5ad549
Thanks Simone. I’m sure that will be helpful to anyone whose site was hacked.