• On MovieTome: See the villain of IRON MAN 2!
advertisementGet Smart about Business Spending
September 5, 2009 2:25 PM PDT

WordPress blogs falling prey to worm

by Jennifer Guevin
  • Font size
  • Print
  • 8 comments

A worm is circulating that can post malware and spam to some WordPress blogs using outdated versions of the blogging software, according to a post by Matt Mullenweg, founding developer of WordPress.

The worm can be tough to catch, as Mullenweg explains: "it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts."

The vulnerability allowing the attack was discovered August 11, at which point WordPress encouraged users to upgrade to version 2.8.4. However, many people have yet to upgrade, and reports online indicate the worm is making dubious progress by the hour.

The worm does not affect the current version 2.8.4 and the one prior to it. And it only affects people who host their own WordPress blog. Blogs hosted on WordPress.com are unaffected.

Users can find upgrade links and instructions here. WordPress has also posted an FAQ for people who think their blog has been hacked.

Jennifer Guevin is assistant managing editor of CNET News. She focuses on science and green tech. But she also makes the occasional contribution to CNET's kitchen gadgets blog or writes about the latest Web distraction. Once a week, she takes the mic as host of CNET's Daily News Podcast. E-mail Jennifer.
Topics:

Vulnerabilities and attacks

Tags:

WordPress,

worms

Share:
Digg
Del.icio.us
Reddit
advertisement
Click Here
Recent posts from Security
Microsoft warns of IE exploit code in the wild
Chrome OS security: 'Sandboxing' and auto updates
E-tailers snagged in marketing 'scam' blame customers
McAfee warns about '12 Scams of Christmas'
Cisco launches iPhone security app
Town to photograph every car that enters and leaves
New Firefox 3.6 beta aims to cut crashes
Facebook adopts new privacy policy
Related
WordPress' sophomore iPhone debut impresses
Jailbreakers beware: iPhone malware evolves rapidly
Jailbroken iPhone? SSH installed? Beware of worms!
Six Apart releases tiny blog tool, TypePad Micro
TrendMicro to 'protect the cloud'
Rick Astley resurrected in iPhone worm
Live blog: Ozzie talks Azure and more
Buzz Out Loud Podcast 1102: We're blocked in China! We made it!
Add a Comment (Log in or register) (8 Comments)
  • prev
  • 1
  • next
by SwissJay September 5, 2009 3:55 PM PDT
Man, sounds like the little robot-spy dude on Transformers :)
Reply to this comment
by JoeF2 September 5, 2009 4:48 PM PDT
I have seen quite a significant number of trackback spam using this hole. Such sites are blocked on sight at my blog now.
Reply to this comment
by zmjman08 September 5, 2009 5:47 PM PDT
If people are stupid or lazy enough not to upgrade their software, then it serves them right.
Reply to this comment
by stubbyns September 6, 2009 12:53 AM PDT
that's the spirit ....
by Lerianis3 September 6, 2009 11:56 AM PDT
Got to agree, but the real thing is why Wordpress doesn't do this AUTOMATICALLY! It seems that would be a wise investment in time and energy.
by unknown unknown September 6, 2009 12:21 PM PDT
@Lerianis3 They do have section in the admin panel that is suppose to download and install wordpress updates, but for the life of me I can not make it work with my hosting. I end up doing it manually via SFTP.
by MichaelBubbo September 6, 2009 3:27 AM PDT
zmjman, it isn't only because people are "stupid or lazy" -- many WordPress self-hosted blogs are utilizing outdated plugins or custom scripts that make their blog go haywire whenever they upgrade to the latest WordPress version.

I just wrote an article on my blog (http://www.michaelbubbo.com) as well as on Posterous (http://bubbo.posterous.com) explaining this very situation.

In a perfect world, no one would use custom themes or scripts and every plugin author would be able to work full-time on their code. Although, in a perfect world, maybe there wouldn't be malicious worms and spam attacking random blogs.

Thanks for spreading the word, Jennifer. It is important that everyone take action ASAP.
Reply to this comment
by gggg sssss September 8, 2009 8:57 PM PDT
say what? And wordpress is NOT microsoft software. WHo knew.that linux software could be compromised.
Reply to this comment
(8 Comments)
  • prev
  • 1
  • next

E-tailers linked to 'scam' blame customers

Priceline, Classmates.com, and Orbitz say customers should read the fine print before complaining about being charged to join loyalty programs they didn't want.

The 411 on early-termination fees

Verizon Wireless has doubled its early-termination fees for smartphones, but what does it mean for the rest of the industry?

About Security

Online security is threatened by more than hacking and phishing attempts. Check here for the latest updates on software vulnerabilities, data leaks, and rapidly spreading viruses--and learn how to protect your systems.

Add this feed to your online news reader

Security topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET