Earlier today I was shocked to discover that all of the links on my Dollhouse fansite – WatchingDollhouse.com were broken. After doing a bit of digging I soon found out that my entire permalink structure had been reset to the default setting, resulting in none of my post links working. I quickly went about re-applying my custom “/%postname%/” structure (Settings>Permalinks>Custom Structure) whilst wondering what (or who) had been inside my admin panel.
Well, mystery solved – this just in from WordPress:
Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.
The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage. Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it.
I’m talking about this not to scare you, but to highlight that this is something that has happened before, and that will more than likely happen again.
A stitch in time saves nine. Upgrading is a known quantity of work, and one that the WordPress community has tried its darndest to make as easy as possible with one-click upgrades. Fixing a hacked blog, on the other hand, is quite hard. Upgrading is taking your vitamins; fixing a hack is open heart surgery. (This is true of cost, as well.)
2.8.4, the current version of WordPress, is immune to this worm. (So was the release before this one.) If you’ve been thinking about upgrading but haven’t gotten around to it yet, now would be a really good time. If you’ve already upgraded your blogs, maybe check out the blogs of your friends or that you read and see if they need any help. A stitch in time saves nine.
I was running 2.7.1. I was a victim of the worm attack. Creepy to say the least, knowing that something has been silently sneaking around my admin panel. After re-applying my custom permalink settings and updating my .htaccess everything seemed to go back to normal; however, I’m still running a thorough check just to be on the safe side! Now it’s time to upgrade my other blogs, including this one, that are running on 2.7.1.
Lesson learned! If you’re running on an old version of WordPress, I advise you to update now to avoid any malicious action and removal from Google, and keep an eye out for official WordPress updates.
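The WordPress notice above lists three places the worm leaves traces: the permalink structure option (abused to run code), an extra administrator account that the users page no longer shows, and invisible spam inserted into old posts. The following script is an added example, not code from the original post or from WordPress, of the kind of "thorough check" a blogger can run against values pulled straight from the database rather than the admin UI. The sample rows and the detection patterns are constructed assumptions, not signatures of the actual worm.

```python
import re

# Tags WordPress recognizes in a permalink structure (assumption: the common set;
# anything left over after removing them should be plain path characters).
PERMALINK_TAGS = re.compile(
    r"%(?:year|monthnum|day|hour|minute|second|post_id|postname|category|author)%"
)
SAFE_REMAINDER = re.compile(r"[A-Za-z0-9/._-]*")


def permalink_structure_is_clean(structure: str) -> bool:
    """A legitimate structure is only slashes, plain characters and %tags%.
    Anything else (PHP tags, quotes, parentheses) means the option was tampered with."""
    remainder = PERMALINK_TAGS.sub("", structure)
    return SAFE_REMAINDER.fullmatch(remainder) is not None


# Inline CSS hiding is the usual way injected spam stays invisible to readers
# while still being indexed (assumption: a heuristic, not an exhaustive signature).
HIDDEN_MARKUP = re.compile(
    r"<\w+[^>]*style\s*=\s*[\"'][^\"']*(?:display\s*:\s*none|visibility\s*:\s*hidden)",
    re.I,
)


def find_hidden_markup(posts: dict) -> list:
    """Return the ids of posts whose content contains invisible markup."""
    return [post_id for post_id, html in sorted(posts.items()) if HIDDEN_MARKUP.search(html)]


def unexpected_admins(db_admins: set, known_admins: set) -> set:
    """Compare administrators read from the database (the users page itself can be
    rewritten by injected JavaScript) against the accounts you actually created."""
    return set(db_admins) - set(known_admins)


# Constructed sample data standing in for wp_options, wp_posts and wp_users rows.
SAMPLE_STRUCTURES = {
    "good": "/%year%/%monthnum%/%postname%/",
    "bad": "/%postname%/<?php /* injected code */ ?>",  # constructed, illustrative only
}
SAMPLE_POSTS = {
    12: "<p>Episode review, nothing unusual here.</p>",
    34: '<p>Old post</p><div style="display:none"><a href="http://example.invalid">spam</a></div>',
}
SAMPLE_DB_ADMINS = {"admin", "wp_sys"}  # constructed: "wp_sys" was never created by the owner
KNOWN_ADMINS = {"admin"}


def run_checks() -> dict:
    """Run all three checks on the sample data and return the findings."""
    return {
        "permalink_clean": {k: permalink_structure_is_clean(v) for k, v in SAMPLE_STRUCTURES.items()},
        "hidden_posts": find_hidden_markup(SAMPLE_POSTS),
        "unexpected_admins": unexpected_admins(SAMPLE_DB_ADMINS, KNOWN_ADMINS),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

Against a live site, feed the functions the `permalink_structure` row from wp_options, post content from wp_posts and the administrator list from wp_users/wp_usermeta, and treat any flagged item as a reason to restore from a clean backup rather than just deleting the spam.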