Upgrade and new theme
October 27th, 2007 at 19:03 UTC by Steven J. Murdoch
Regular readers may have noticed that Light Blue Touchpaper was down most of today. This was due to the blog being compromised through several Wordpress vulnerabilities. I’ve now cleaned this up, restored from last night’s backups and upgraded Wordpress. A downside is that our various customizations need substantial modification before working again, most notably the theme, which is based on Blix and has not been updated since Wordpress 1.5. Email will also not work due to this bug. I am working on a fix to this and other problems, so please accept my apologies in the meantime.
Entry filed under: Meta
8 comments
1. Clive Robinson | October 28th, 2007 at 16:07 UTC
Good luck, and I hope things go smoothly.
2. Clive Robinson | November 3rd, 2007 at 10:10 UTC
@Steven,
One suggestion for a possible “enhancement”.
Currently it would appear that your search function does not include the posters name. Often this is handy when trying to find related information.
RGR
3. Steven J. Murdoch | November 3rd, 2007 at 22:20 UTC
@Clive
I’m trying, as much as possible, to track the mainline Wordpress distribution. Otherwise each time I upgrade to fix the frequent security problems, my patches break. There is, however, a facility to browse authors posts, for example my posts are at: http://www.lightbluetouchpaper.org/author/sjmurdoch/
You could also try submitting a feature request at Wordpress. Hopefully you’ll have more luck than me with my 2 year old security vulnerability.
4. Clive Robinson | November 5th, 2007 at 13:13 UTC
@Steve,
I’ll give it a try, you never know, they might listen…
5. paul | November 24th, 2007 at 02:24 UTC
It looks like there is a patch undergoing testing that addresses this. It really does seem overdue.
6. Thomas | November 24th, 2007 at 23:34 UTC
Was it anything like this?
http://justaddwater.dk/2007/11/15/justaddwaterdk-hacked/
7. Steven J. Murdoch | November 25th, 2007 at 01:14 UTC
@Thomas
Very similar. The admin-ajax.php vulnerability was used, the backdoor was placed in /tmp, and then it was loaded as a plugin. The script looks identical too.
However, where your attacker gave up, our one was more successful. He went on to upload a second backdoor, hidden amongst some other uploads, and then attempted to edit some of the Wordpress PHP files (but was prevented).
After I removed the backdoors and changed the passwords, he still came back and tried to add links to some other compromised blogs which were hosting adverts for various pharmaceuticals. After a few days of unsuccessful attempts, he gave up.
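The two persistence mechanisms described in this comment (a backdoor under /tmp pulled in by a plugin file, and a second one hidden among the uploads) can be checked for with a short offline scan of wp-content. The script below is an added example, not code from the blog or from Wordpress; the wp-content layout it scans is a constructed sample built in a temporary directory, and the plugin and file names in it are invented.

```python
import os
import re
import tempfile
from pathlib import Path

# An include/require whose target lives under /tmp, the pattern used to load
# the first backdoor as a plugin in the incident above.
SUSPECT_INCLUDE = re.compile(
    r'\b(?:include|require)(?:_once)?\s*\(?\s*[\'"](/tmp/[^\'"]*)[\'"]'
)
PHP_EXTENSIONS = {".php", ".phtml", ".php5"}


def scan_wp_content(wp_content):
    """Walk a wp-content tree and return (reason, relative path) findings.

    Two checks: executable PHP under uploads/ (which should hold only media),
    and plugin files that include code from /tmp.
    """
    root = Path(wp_content)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith("uploads/") and path.suffix.lower() in PHP_EXTENSIONS:
            findings.append(("php-in-uploads", rel))
        if rel.startswith("plugins/") and path.suffix.lower() == ".php":
            for match in SUSPECT_INCLUDE.finditer(path.read_text(errors="replace")):
                findings.append(("plugin-includes-tmp:" + match.group(1), rel))
    return findings


def build_sample_tree():
    """Construct a toy wp-content directory (constructed sample, hypothetical names)."""
    base = tempfile.mkdtemp(prefix="wpscan-")
    files = {
        "plugins/akismet/akismet.php": "<?php /* Plugin Name: Akismet */ echo 'ok';",
        "plugins/cache/cache.php": "<?php /* Plugin Name: Cache */ include('/tmp/.x.php');",
        "uploads/2007/11/photo.jpg": "not really a jpeg, just sample bytes",
        "uploads/2007/11/image.php": "<?php /* constructed sample, no payload */",
    }
    for rel, content in files.items():
        target = Path(base) / rel
        os.makedirs(target.parent, exist_ok=True)
        target.write_text(content)
    return base


if __name__ == "__main__":
    for reason, rel in scan_wp_content(build_sample_tree()):
        print(reason, rel)
```

On a real install, point scan_wp_content at the site's wp-content directory and compare any flagged plugin file against a clean copy of that plugin.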
8. Thomas | November 26th, 2007 at 00:29 UTC
@Steven
Can you tell me more about this second backdoor you mention? Just to be on the safe side, I want to double-double-check that he didn’t leave anything that I did not discover (even though I’m pretty sure I’m covered - his /tmp backdoor did indeed fail to upload anything).