My Blog Hacked, Yet Again – WordPress 2.6.5 Vulnerability / Exploit?

Busted WordPress security. Again, I’ve been hacked. Well, not me personally… I wear the most up to date tinfoil attire, I assure you, and no one is getting into my head… but my blog was. This time I was running WordPress 2.6.5 when it happened.

Those who know me know that I always prefer to do manual upgrades, wiping everything out and starting over completely fresh each time, whether I have been hacked or not. This way if there was an intrusion it should still clean the hack out completely, even if I don’t know it’s there. As it happens, when I upgraded to 2.6.5 from 2.6.2 I did not do this. I merely upgraded the 2 files involved in the security portion of the WP 2.6.5 upgrade (which were wp-includes/feed.php and wp-includes/version.php). However, to date those are still the only two files from that version with a security risk according to WordPress, and I upgraded them well before I was hacked.

I noticed something was wrong earlier this week, after I wrote the post on how to easily find free photo downloads for your blog posts. I was checking to see if the post had any rankings a couple of days later, when I noticed that it wasn’t showing in Google. I don’t mean that it wasn’t ranking, either… I mean it wasn’t showing at all. I checked, and sure enough Google had definitely cached the post shortly after I had published it. It was showing when I did a site: command too. I realized that somethings was weird, however, when I saw that the description for my homepage still showed my post from November as being the snippet in the serps:

Old Smackdown snippet showing in Google

I checked that as well, and just as I thought they had already re-cached the homepage too, which means that showing the old snippet made no sense:

Freshly cached post in Google

Neither the post itself nor the homepage were showing in the serps at all, even for exact phrases unique to those pages, phrases that were showing in Google’s cache, and therefore should have been searchable. My first thought was that I had been penalized for some reason (the conspiracy theorist in me even considered it might be the “PageRank for Sale” alt text on an image from Novembers post 😛 ), so I sent off a couple of Tweets asking people if they saw anything I might have missed.

Luckily, one of the people listening who was kind enough to respond was John Mueller. After telling me that I need to upgrade my tinfoil hat to Mu-metal one (heh, thanks John! 😀 ), he found the issue fairly quickly:

Link to the text-only version of Googles cache of my pages

The link he gave me pointed to the text-only version of Google’s cache of my homepage, and when I scrolled down, sure enough there it was:

Text-only version of Googles cache of Smackdowns homepage

I upgraded last night (complete wipe and reinstall this time), but I’m a little concerned still. Since there has still been no word from WordPress about 2.6.5 being vulnerable, that may mean that it is something that they are completely unaware of, and therefore was carried over into WordPress 2.7. I did some research on other hacked blogs, and while I did find one other 2.6.5 blog and one 2.7, comparing their caches against other older cached pages on the same site it looks like both of those were hacked prior to them upgrading. If anyone else find more information about blogs that have gotten hacked after upgrading to WP 2.6.5 or above, please let me know.

9 thoughts on “My Blog Hacked, Yet Again – WordPress 2.6.5 Vulnerability / Exploit?”

  1. Hi,

    There are lots of ways that you could have been hacked even if the hack wasn’t via the WP “software” itself. Maybe somone got your blog admin or even your ftp login via a previous hack – you should change those. Another possibility is that you had/have a plugin with some sort of vulnerability eg there’s a vulnerability in a popular Adsense plugin.

  2. I did check the plugins. I found sites that were exposed to the same hack I was that had none of the plugins I was using. Every time I have been hacked before it was the WordPress software itself that was the problem, so that is my strongest suspicion. To date, to the best of my knowledge, there has not been a release that an exploit was not found for, at least up until 2.6.5 supposedly. Check out here:
    http://blogsecurity.net/wordpress/blogwatch/blogwatch/
    and here:
    http://blogsecurity.net/wordpress/wordpress-262-snoopy-vulnerability/
    and here:
    http://blogsecurity.net/wordpress/wordpress/

    As I mentioned in the post, mine was the only blog I found running 2.6.5 that was infected, but I was checking manually, and checked less than 100 blogs. I might do some more in-depth research later and see if I can dig up more info on it.

  3. same thing happend to me. was on 2.6.5 i think too.

    wordpress forums are pretty useless for help ans it is never wp’s fault (yet they find some reason to release an update every other week).

    lost my serp’s too. damn …

  4. Check out WordPress Firewall: http://www.seoegghead.com/blog/seo/stop-hackers-with-our-wordpress-firewall-plugin-v12-p544.html

    Let me know if you want me to look into it. Many plugins _do_ totally suck from a security standpoint, but you say it wasn’t a plugin. Hrm. Do you have logs?

    Look at Matt’s comment on this below blog post … and the other comments. I think Anil is totally unfair, but he has a point.

    http://www.movabletype.com/blog/2008/06/movable-type-a-history-of-secu.html

  5. I’m still seeing the spammy links when I look at the cached text version of the page, and it was last cached on February 2nd. Why would that be?

  6. I’ve experienced the same thing. First learned of it when Google e-mailed to tell me they were going to delist me because of spam on my site. I was running. 2.7.1 at the time. I upgraded to 2.8 using the WP based upgrade (not a clean wipe). The span was gone. Then yesterday it reappeared. Different ads but clearly the same exploit. I have tried disabling all plugins to no avail. Since it went away after an upgrade, it’s pretty clear this is a WP problem, but I can’t find the script that’s doing it.

    Any help would be greatly appreciated.

Leave a Comment

*