• On TV.com: MEGAN FOX Photos
September 5, 2009 2:25 PM PDT

WordPress blogs falling prey to worm

by Jennifer Guevin
  • Font size
  • Print
  • 8 comments

A worm is circulating that can post malware and spam to some WordPress blogs using outdated versions of the blogging software, according to a post by Matt Mullenweg, founding developer of WordPress.

The worm can be tough to catch, as Mullenweg explains: "it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts."

The vulnerability allowing the attack was discovered August 11, at which point WordPress encouraged users to upgrade to version 2.8.4. However, many people have yet to upgrade, and reports online indicate the worm is making dubious progress by the hour.

The worm does not affect the current version 2.8.4 and the one prior to it. And it only affects people who host their own WordPress blog. Blogs hosted on WordPress.com are unaffected.

Users can find upgrade links and instructions here. WordPress has also posted an FAQ for people who think their blog has been hacked.

Jennifer Guevin is assistant managing editor of CNET News. She focuses on science and green tech. But she also makes the occasional contribution to CNET's kitchen gadgets blog or writes about the latest Web distraction. Once a week, she takes the mic as host of CNET's Daily News Podcast. E-mail Jennifer.
Topics:

Vulnerabilities and attacks

Tags:

WordPress,

worms

Share:
Digg
Del.icio.us
Reddit
Recent posts from Security
Log in with your face
See what's under McAfee's new interface
26 Windows, Office holes patched in 13 bulletins
McAfee: Spammers exploiting more news stories
Microsoft, Google split over browser bug bounty
Verizon temporarily blocks some 4chan sites
Security software maker Vitamin D exits beta
China breaks up Black Hawk hacking ring
Related
Web searches for iPad leading to malicous sites
Migrate your Web site
In their words: Experts weigh in on Mac vs. PC security
Google China insiders may have helped with attack
Microsoft: 'Humbling' that IE 8 top browser
Microsoft fixes 8 IE holes, including one used in attacks
Mozilla yanks infected add-ons, warns users
Browse safely in Internet Explorer
Add a Comment (Log in or register) (8 Comments)
  • prev
  • next
by SwissJay September 5, 2009 3:55 PM PDT
Man, sounds like the little robot-spy dude on Transformers :)
Reply to this comment
by JoeF2 September 5, 2009 4:48 PM PDT
I have seen quite a significant number of trackback spam using this hole. Such sites are blocked on sight at my blog now.
Reply to this comment
by zmjman08 September 5, 2009 5:47 PM PDT
If people are stupid or lazy enough not to upgrade their software, then it serves them right.
Reply to this comment
by stubbyns September 6, 2009 12:53 AM PDT
that's the spirit ....
by Lerianis3 September 6, 2009 11:56 AM PDT
Got to agree, but the real thing is why Wordpress doesn't do this AUTOMATICALLY! It seems that would be a wise investment in time and energy.
by unknown unknown September 6, 2009 12:21 PM PDT
@Lerianis3 They do have section in the admin panel that is suppose to download and install wordpress updates, but for the life of me I can not make it work with my hosting. I end up doing it manually via SFTP.
by MichaelBubbo September 6, 2009 3:27 AM PDT
zmjman, it isn't only because people are "stupid or lazy" -- many WordPress self-hosted blogs are utilizing outdated plugins or custom scripts that make their blog go haywire whenever they upgrade to the latest WordPress version.<br /><br />I just wrote an article on my blog (http://www.michaelbubbo.com) as well as on Posterous (http://bubbo.posterous.com) explaining this very situation.<br /><br />In a perfect world, no one would use custom themes or scripts and every plugin author would be able to work full-time on their code. Although, in a perfect world, maybe there wouldn't be malicious worms and spam attacking random blogs.<br /><br />Thanks for spreading the word, Jennifer. It is important that everyone take action ASAP.
Reply to this comment
by gggg sssss September 8, 2009 8:57 PM PDT
say what? And wordpress is NOT microsoft software. WHo knew.that linux software could be compromised.
Reply to this comment
(8 Comments)
  • prev
  • next
advertisement

Google's social side aims for some Buzz

Facebook and Twitter are the darlings of the social-media world, not Google--which hopes to change that with Buzz, betting it can organize your online social life.

Watching the birth of a gaming start-up

Stewart Butterfield and his friends are back at it with a new company. CNET's Daniel Terdiman was given exclusive, behind-the-scenes access as they built it from scratch.

About Security

Online security is threatened by more than hacking and phishing attempts. Check here for the latest updates on software vulnerabilities, data leaks, and rapidly spreading viruses--and learn how to protect your systems.

Add this feed to your online news reader

Security topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
CES 2010
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET