Even better than Google’s 80/20 approach!
May 29
Economics, scobleizer Comments Off
Net, Life and The Meaning of it All
Sep 06
scobleizer, Technology, wordpress Comments Off
Word gets around on the Internet quickly, but apparently not quickly enough for me. I do recall noticing somewhere a word about a small security breach in WordPress 2.8.2 a few days ago, but it wasn’t clear to me that all earlier WordPress versions were affected, so I did not rush to act right away.
Big mistake. After reading today what happened to Scobleizer (top of Techmeme, so thanks to both for the heads up), I rushed to make the most recent backup of my blog and upgrade it to WordPress 2.8.4. The upgrade itself was quick and painless (as usual with WordPress), and it has actually much improved, as auto-upgrade of plugins worked flawlessly in this latest edition (haven’t tried the full upgrade yet).
I thought I was out of the woods, but reading people’s comments, they mentioned an Admin account that hackers create for themselves. Not seeing anything in the Users list, I was not worried at first. But then someone mentioned “hidden” in their comments. So I went to the WordPress tables in MySQL and FOUND A HIDDEN ADMIN account created there! Complete with evidence of the crime! The darn trick is as simple as inserting malicious JavaScript, which elevated the user to Admin, into their own First Name field!!! I promptly deleted the invader’s account, and hopefully this is the end of that (read below about other things I checked).
I must say I am disappointed with WordPress security, although it remains the easiest to use and a very fast/flexible framework for a blog/site. But haven’t we learned from all the SQL injections in the past? Validate Field Lengths on the Server Side!!! Especially for any input fields or account registrations that are in the world-visible, unsecured area!
I know the hack was fixed in 2.8.4, and I haven’t taken the time to review how it was fixed. But I truly hope this is something they go back and double check elsewhere, as much as possible.
I don’t know if this breach left any other backdoors on my blog; I certainly hope not. Here are some steps I took to review site integrity after following the standard WordPress upgrade instructions:
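The lesson in the paragraph above is server-side validation of user-editable profile fields. As an added illustration (not code from the post or from WordPress itself), here is a small Python validator that enforces a length cap and refuses markup on input, plus output escaping for when stored values are echoed into an admin page. The field names and limits are assumptions chosen for the example, and `weak_save` stands for the pattern the post complains about: storing whatever the browser sends.

```python
import html
import re

# Assumed per-field limits for this example; WordPress's own schema is not reproduced here.
MAX_LEN = {"first_name": 50, "last_name": 50, "display_name": 250}
MARKUP_RE = re.compile(r"[<>]")   # any angle bracket is enough to reject a human name


class InvalidField(ValueError):
    """Raised when a profile field fails server-side validation."""


def validate_profile_field(name, value, limits=MAX_LEN):
    """Server-side check for one user-editable profile field.

    Rejects unknown fields, non-string values, over-length values and any
    HTML markup; returns the whitespace-trimmed value that is safe to store.
    """
    if name not in limits:
        raise InvalidField(f"unknown field {name!r}")
    if not isinstance(value, str):
        raise InvalidField(f"{name} must be a string")
    value = value.strip()
    if len(value) > limits[name]:
        raise InvalidField(f"{name} exceeds {limits[name]} characters")
    if MARKUP_RE.search(value):
        raise InvalidField(f"{name} must not contain markup")
    return value


def is_valid_profile_field(name, value):
    """Boolean convenience wrapper around validate_profile_field."""
    try:
        validate_profile_field(name, value)
        return True
    except InvalidField:
        return False


def render_field(value):
    """Output-side defence: escape even stored data before echoing it into HTML."""
    return html.escape(value, quote=True)


def weak_save(name, value):
    """The pattern the post warns about: trust the client and store the raw value."""
    return value


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary name, one carrying a tag.
    for sample in ["  Alice ", "Alice<script>/* placeholder */</script>"]:
        print(repr(sample), "->", "accepted" if is_valid_profile_field("first_name", sample) else "rejected")
```

The point of keeping both `validate_profile_field` and `render_field` is that input validation alone does not protect rows that were written before the check existed; escaping on output is what keeps an already-stored value from executing in the admin's browser.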
Here are some more links to review from experts, to fortify your site as much as possible. Of course, you may also reconsider moving into the relative safety and simplicity of a hosted blog, such as WordPress.com and others.
Me, I prefer the “fun” of messing with my own site, and having complete control, seemingly.
UPDATE: Found another older post, but with more good suggestions there. For example, I did review my .htaccess file and found it a bit suspicious, so I replaced it. I just forgot to explicitly mention it above. Better stay alert!
UPDATE2: I am still lurking around the Net and reading up on this. Seems that the latest vulnerability could also allow someone to reset the Admin password of the “default” initial WordPress account. So, I also took the precaution of resetting that password to something new ASAP. Read up more here.
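The post found the rogue account only by looking directly at the database tables, not at the Users screen. As an added example (not from the post and not WordPress code), here is a Python audit that does that check repeatably: it lists every account holding the administrator capability, compares it against an allowlist of accounts the owner actually created, and flags any login, display name or first/last name that carries markup or is implausibly long. The tables are an in-memory SQLite stand-in whose columns approximate WordPress's `wp_users` and `wp_usermeta`; the rows are constructed, including a made-up account `sysadmin` with a placeholder tag in its first name. The serialised `wp_capabilities` value is the format WordPress stores; everything else (limits, table prefix, the allowlist) is an assumption of the example.

```python
import re
import sqlite3

# Constructed stand-in for the WordPress user tables (column subset only).
SCHEMA = """
CREATE TABLE wp_users (
    ID INTEGER PRIMARY KEY, user_login TEXT, display_name TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (
    umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
"""
ADMIN_CAPS = 'a:1:{s:13:"administrator";b:1;}'   # WordPress's serialised admin role
SAMPLE_ROWS = {
    "wp_users": [
        (1, "admin", "admin", "2008-01-01 00:00:00"),
        (2, "editor", "Jane Editor", "2008-03-01 00:00:00"),
        (3, "sysadmin", "sysadmin", "2009-09-05 03:12:44"),  # constructed: never created by the owner
    ],
    "wp_usermeta": [
        (1, 1, "wp_capabilities", ADMIN_CAPS),
        (2, 1, "first_name", "Site Owner"),
        (3, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (4, 2, "first_name", "Jane"),
        (5, 3, "wp_capabilities", ADMIN_CAPS),
        (6, 3, "first_name", "<script>/* constructed placeholder */</script>"),
    ],
}
MARKUP_RE = re.compile(r"[<>]")
MAX_NAME_LEN = 50   # assumed sane upper bound for a human name


def load_sample_db():
    """Build the in-memory database from the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", SAMPLE_ROWS["wp_users"])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", SAMPLE_ROWS["wp_usermeta"])
    return conn


def audit_users(conn, expected_admins):
    """Return (user_id, login, reason) findings for the integrity review.

    Flags administrators absent from the allowlist, and any name field that
    contains angle brackets or exceeds MAX_NAME_LEN, regardless of role.
    """
    rows = conn.execute("""
        SELECT u.ID, u.user_login, u.display_name,
               MAX(CASE WHEN m.meta_key = 'wp_capabilities' THEN m.meta_value END) AS caps,
               MAX(CASE WHEN m.meta_key = 'first_name' THEN m.meta_value END) AS first_name,
               MAX(CASE WHEN m.meta_key = 'last_name' THEN m.meta_value END) AS last_name
        FROM wp_users u
        LEFT JOIN wp_usermeta m ON m.user_id = u.ID
        GROUP BY u.ID, u.user_login, u.display_name
        ORDER BY u.ID
    """).fetchall()
    findings = []
    for uid, login, display, caps, first, last in rows:
        is_admin = caps is not None and '"administrator"' in caps
        if is_admin and login not in expected_admins:
            findings.append((uid, login, "administrator not on allowlist"))
        for field, val in (("user_login", login), ("display_name", display),
                           ("first_name", first), ("last_name", last)):
            if val is None:
                continue
            if MARKUP_RE.search(val):
                findings.append((uid, login, f"markup in {field}"))
            elif len(val) > MAX_NAME_LEN:
                findings.append((uid, login, f"{field} longer than {MAX_NAME_LEN}"))
    return findings


if __name__ == "__main__":
    for finding in audit_users(load_sample_db(), expected_admins={"admin"}):
        print(*finding)
```

Against a real site the same SELECT runs unchanged on MySQL once the table prefix is adjusted; the allowlist is the part only the owner can supply, and it is what turns "there is an admin row" into "there is an admin row I did not create".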
Aug 31
kyte.tv, Personal, scobleizer, Technology Comments Off
Mr Scoble, I am really becoming agitated here, and, sorry to say, I’m very close to unsubscribing from your otherwise excellent blog.
I’ve been reading your blog for many months (years?), but this latest trend of just linking to videos is not working for me! Really, this latest video is 20 minutes!!!
Remember the video where you showed off your awesome feed reading skills? Browsing hundreds of feeds within minutes? Can you afford the same courtesy to others? With all due respect, is it correct to demand that others spend 20 minutes on just your single post?
Just to summarize, I respect your opinions, however rebellious (unorthodox? futuristic?) they are. I draw my own conclusions, and I will never be the one to say they are wrong.
I believe that everyone is entitled to an opinion and to their unique angle of looking at things. In fact, I can see where up to 40% of links, information, services, solutions and other things people use search engines for today will be coming from friends via social networking in the future. But the other 60% of unusual, unsocial and similar searches will still need to happen via Google, IMHO. But maybe I have my percentages all wrong and it’s the other way around; we’ll just have to wait and see!
Back to the main topic: the blog is where the conversations originate, really. Kyte.tv party line chat is not an effective means of communication! And uploading our own videos there can only end up creating 10 hours of conversational material, totally unedited and unwatchable.
And before you blame this rant of mine on ADD, consider that the likes of Jennifer Love Hewitt compete on broadcast TV (CBS) with your video for our attention, so I hope you understand that it’s nothing personal.
To summarize, even if you continue to insist on posting videos, all I ask for is a short transcript with the key meaning in your blog as well.
UPDATE: Scoble decided to answer on Pownce, since it’s faster, I’m guessing