Wordpress 2.1.1 Dangerous, Upgrade Now!
This just came in across the Wordpress dashboard. Thanks to Nick Mercer for emailing me about it as well.
Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.
Longer explanation: This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.
It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution.
It vital that you upgrade to Wordpress 2.1.2 now. Don’t wait, just do it! Then again, if you upgraded to 2.1.1 before the cracker got in and hacked the codes, you should be OK, but why take the chance?
Tweet This Post!
- Posted in Wordpress
- 111 comments what's your take?
 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |||||||||||||
| By N2H | |||||||||||||||||||||||||||||||||||||||||||||||
Related posts from the blog
Trackbacks
- Upgrade Immediately to Wordpress 2.1.2! | Stephen Fung DOT NET - March 2, 2007 at 2:58 pm
- The Flow of Consciousness » Upgrade immediately to Wordpress 2.1.2 - March 2, 2007 at 4:20 pm
- links for 2007-03-03 | On Influence and Automation - March 2, 2007 at 5:26 pm
- Firefox 2’s Spell Check Working In Wordpress 2.1.2! | Samanathon.com - March 2, 2007 at 5:29 pm
- Wordpress 2.1.1 Security Exploit at Clever Start - March 3, 2007 at 3:01 am
- Wordpress 2.1.1 Dangerous you might be exploited at mscholars blog - March 3, 2007 at 3:51 am
- DropsTech.org - March 3, 2007 at 7:27 am
- My Satellite Tracking Blog » WP 2.1.2 and Blog Adiction - March 3, 2007 at 3:09 pm
- Nomadishere : Seeker of Truth » Blog Archive » links for 2007-03-06 - March 6, 2007 at 3:36 pm
Loading ...
Wow. Another one???
Do you mean “another version” of WordPress or another cracker?!
I only ask because I haven’t heard of cracked WordPress installs and was wondering if it’s happened before.
This was the reason why I choose Blogger over WP in response to a comment in my latest post.
I don’t like blogger, for me it’s worst than wordpress.
Well, WP may be open-source and vulnerable to attackers, yet it offers more flexibility and has more stuff to play around with. I left blogger for WP too.
There is always a downside of everything.It matters what you want and what you dont.Bloggers are not easy to digg in because of the tough API.People will get wordpress easy anytime and with so many plugins its a heaven
Naa, Wordpress is far more flexible IMO
Yes…version. But obviously needed.
See, I knew being slow with upgrades would come in handy
Lol! I’ve been sort of the same way, most of my sites are using versions from two updates ago… I’m going to upgrade hopefully all of them to the latest version now.
Yea, But i was misled to do the upgrade in my case. When i came to the wp-admin page before I slept for the night, it prompt a “Upgrade to 2.1.1) and I clicked it. Sigh.. wished I had never done it.
Being fast with upgrades is handier, you would everwrite this evil hack as a matter of course. I was reading about another blog which was hacked recently – the solution to the problem – upgrade….
Oh man! Thanks for the heads up John!
I’m backing up may database as we speak (or, as I type)!
Backing up?? The database??
Of course!
Don’t you make backups of your entire blog?!?!?
What’s a backup. (kidding, of course)
oh oh…ilker, backups are a daily task you allways must do!
Agreed – although, I don’t do a daily backup. It’s more weekly for me.
I know my host does nightly backups – I wonder if I could get a copy of the database from them if there was a problem…
Yea. Depending on how often you write, it is a good idea to backup your entire database some frequently. It does not take much time either.
In case of a server crash, or hacked attempt, you go less far back in restoring your files just before the things happen.
The backup process is pretty quick!
And, if you have a local copy of your entire blog, then restoring your site wouldn’t take much effort on your part because you’ve already done a lot of the leg work!
do you do that with PhpMyAdmin or just use the wordpress tool for a file backup, being lazy I only ever do the latter
Good thing I checked your blog first, I was about to download WordPress 2.1.1 for setting up another blog.
Thanks for the heads up, I think I’ll wait a bit.
Das Brain
MoneyAccumulator.com
Well, you wouldn’t have been able to download the corrupted version of 2.1.1. The archived version would be the clean one!
Yeah i hope they are clear.But anyways ppl will always doubt on WP downloads now
Woo for Custom Blog Scripts!
Phew..I was just about to update today. I didn’t have time and had a few plugins that I wasn’t sure would work in 2.1.1. I’m glad I waited now
Hmmm.. so plugins don’t work all the time, eh?
No, they do work all the time.
Sometimes, when you upgrade to a newer version of WordPress some plugins become unstable – but this is true of anything in the computer world, ie Vista and drivers
Most plugin authors are quick to rewrite their code before an upgrade is released to there won’t be a compatibility problem, most but not all.
They sometimes conflict though, Ive added the star rating only to find it kills threaded comments, I did modify some of the code myself tho
Boy … talk about a devious backdoor exploit! You’re a champ for posting this to your blog … imagine how many professional and amateur bloggers alike have vulnerable sites right now but don’t know it.
Scary indeed.
I have logged into Wordpress a few times today but I don’t visit the Dashboard to often, I use direct links to write and edit!
I guess the cost of open source is vulnerabilities even for short time periods..
Um, vulnerabilities are there in every program, it just takes time to find them.
How many viruses and backdoors came out last year?
Thousands of them! Even paid software have vulnerabilities and exploits. Like Windows for instance…
forget about virus you will have smart viruses this year.Just wait for the year down
What do you mean by ’smart viruses’?
Blogger has been hacked too…
http://it.slashdot.org/article.pl?sid=02/10/25/1658229&mode=thread&tid=172
As we speak this very moment, there are still many vulnerable targets to be pondered on by the crackers. What an exploit by those people!
They’re relentless: Hackers target Symantec>
Thanks for the heads up.
Done… although I did so earlier today before you posted this blog, but thanks for the info. because I was unaware of the exploit!
allways the hackers
! thanks for the warning
One of the main reasons I don’t immediately upgrade to new versions of software. I usually allow things to go “mainstream” before performing upgrades because no matter how much testing (we’ll in this case it wasn’t because of lack of testing) when software is released, people are bound to experience more problems if they exist once the software is streamlined to consumers.
Maybe you didn’t read John’s post… but this is because someone modified the code a few days ago… not the original release!
Maybe you didn’t read the entire comment you’re replying to!
“(we’ll in this case it wasn’t because of lack of testing)“
Sounds to me like what I do for Window releases. Like Vista! I had Ultimate for 15mins and back to WinXP. Think I’ll wait till SP1
As for Wordpress that’s definitely no fun! I mean having to update with a security patch
Yeah, but it was an easy upgrade – and there were new features!
Then why do people get scared to do updates with Wordpress if you say it was an easy upgrade. Isn’t it usually just replacing a couple of files with new versions?
I guess its mainly the plugins people don’t like to mess around with.
Very easy, full instructions on WP site, takes 5 – 10 mins
Yea, it was no mistake by the staff of WP. It was crackers that crack up the script this time. Not much a matter of going along with the ‘mainstream;.
Thats one good point.Even i prefer to upgrade till a stable version comes up but then they ask to update with security patches.that sucks big times
Wow that’s not good.
I hope they included my JavaScript spacing fix with 2.1.2.
Dream on.
didnt see any points on that .Good luck next time
I was just finishing my post on The Secret Truth About The Plugins Security when I found out about Wordpress 2.1.1.
That’s why I never rush to upgrade to a new version as soon as it’s been released.
Thanks for posting this John, I check your RSS feed first
I did happen to upgrade one of my sites to 2.1.1 just last a few nights ago… so I’m just going to upgrade all of them to 2.1.2 now.
Shit happens I suppose but this is a major blow to the credibility of the folks at Wordpress.
Who’s to say that their servers are not further compromised or that the currently released version 2.1.2 isn’t in fact a release that was compromised along with the announcement asking users to upgrade? Put that in your pipe and smoke it.
I’m going back to notepad local…unplugging from my router.
“major blow to the credibility of the folks at Wordpress”
How? They got hacked! It’s not like they put the malicious code in there.
Exactly, they got hacked and the download release for version 2.1.1 was compromised with malicious code added to it. Why do you think they are urging everyone to upgrade so urgently?
This is a wordpress ‘red-alert’. It doesn’t get anymore urgent than this. Any one of us running version 2.1.1 could very well be running the modified version and be wide open to whoever has the knowledge and the desire to mess up your site.
This begs the question, what was the nature of this malicious code and what does it allow this individual to do?
Also, even after we upgrade to 2.12, there is always the possibility that the evildoers have already messed up your wordpress db and added in some other malicious code. I haven’t seen any mention of this yet and the only way to be sure would be to go through your tables individually….yeah right.
Tomorrow it will come out with a new version and more bugs – thus the life of the internet.
I agree that it is a little hard to believe which story is the real thing. Like what you may suggest, the story to upgrade once again may be put up by the hacker.
I believe, give WP sometime and they may explain how it happens, what it does and the measures that they are taking to prevent it.
Besides the point, there will always be smarter people lurking around in the corners of the world, and it would be hard to beat all the crackers out there.
there is always the possibility that the evildoers have already messed up your wordpress db and added in some other malicious code
While it’s a possibility, I’m sure the Wordpress crew is checking their server logs and patching any holes!
yeah they have a major blow there.I hope they come out with something good
I just spread the word on my blog Thanks for the pointer.
May be prudent for folks to change passwords for their Wordpress db (update wp-config.php accordingly of course) and perhaps even existing WP user passwords.
I agree. Treat your blog like one of your internet-banking accounts. Frequently change your passwords, and keep them secure. I had personally learned a lesson from that. Tough luck.
they should add one feature that can email them telling your password expires in 10 days.That will keep them to toe
That’s a really great idea – one I had never thought off…
Thanks!
Good point, have not done this yet
… NOT AGAIN… AAHHH
Yea I got hacked since last night. To be exact, it was 18 hours ago. Was spending the past hour trying to reinstall WP, and restoring my blog entries. What a wastage of time! grr..
You got hacked? Was your blog defaced or anything otherwise obvious? If not, how do you know you were ‘hacked’?
Yes my site was defaced. I had it up showing on my blog as a warning to the rest of the other 2.1.1 to quickly do their upgrade. No kidding.
That sucks – hey, atleast you got it fixed and your good to go now
That does suck!! I’d love to see a screen cap though, just to see what it looked like.
Oh, I see you have one on your site – sorry!
dang! that must have sucked big time.Do you take backup every day if not start doing
Wow. Good thing I never moved onto that version!
I didn’t have to worry about version 2.1.1, since I never got around to it this week, but I upgraded to 2.1.2 anyway. I was surprised that DreamHost got around to adding it to their one click installs so quickly. As an added bonus, their interface got a facelift in the past few days as well. Kudos to DreamHost, I highly recommend them!
I heard about it too.But do they over rite a complete folder or do they digg down the folder and then replace? SO in case if i have a folder inside it doenst get deleted
Most sites aren’t big enough people are even going to worry about hacking them – it’s just a matter of how so many people try to ruin it for those who make their living off the internet.
I agree. When there is a loophole in the process, what’s stopping those people from bullying, the weak or the strong?
Thats the course of nature when it comes to the internet – constantly those trying to find loopholes and hacks – but for what reason? Just to be famous for 5 minutes and then fade away?
I get that question all the time from layman about hackers: “Why do they do it?”
It really does seem silly, we’ll forget their name in an hour – unless we were the one to get hacked…
Thats exactly the point – infamous hackers go down in history – How many people don’t know who Kevin Mitnick is?
Wordpress is huge – but a hack on wordpress will not make you go down in history, it will just make you be talked about for a day and then forgotten.
Yea you are right. I am never gonna forget the ‘name’ of the one that did that to me.. Well, for a while, that is.
Its not about being famous,Its more about passions.Like you like to blog they like to find hacks and they do it..may be for money but its a passion
You will never know what is on their minds or what they are thinking at the moment. Funny creatures, they are. Besides the point, there’s a television program that is entitled 5mins of fame, for those people to indulge in a little of fame.
5 Minutes of fame – I don’t understand why it’s so needed?
5 Minutes makes you nothing – having a long term knowledge of who you are is what matters. I guess people need to learn that before all this silly crap will stop happening.
Thanks for letting me know
thanks for the warning, I’ve got to update mine ASAP
Hi, I’d just like to point you towards my article on Upgrading WordPress via Shell for those who have SSH access to their accounts.
That one is really good i read that.But still i would like to do manually.I better know what i am doing
Really glad you posted this, I recently did an install for a friend with a download taken at this time, nasty stuff, easily upgraded fortunately
LOL.. “the Root of All Evil himself”
You cannot run no more from your new nickname john
“Root Of All Evil” AKA “ROAE” or “John, The ROAE”
I wonder if we can SEO those keywords to have johnchow.com come to a number one spot.
That would be a great Google Bomb!
I’m game for a Google bomb.
I am gamed too as well. So.. who else is starting one?
well, if you wanted to start one, all you would have to do is make that the link: The Root Of All Evil