I have spent the majority of this week fighting off an attack on WordPress (WP). After a lot of searching and some really helpful friends, I believe we have kicked this virus to the curb. Basically this attack exploits an open vulnerability in WordPress admin. Specifically, the “options.php” file inside the admin directory. From what I have found, this has not been fixed even in the most recent versions of WP. The program left behind in the attack is called Magic Include Shell and it’s a nasty little bugger.
Magic Include Shell gives an attacker the equivalent to console access, which means that the attacker can upload and execute arbitrary code. In other words, one should be extremely careful to ensure that the problem has been fully mitigated. I will attempt to cover the basics on the symptoms, removal and prevention of this nasty little bug.
Here’s the breakdown:
If you are suddenly not able to post to your WP blog meaning all you get is a blank screen after you post and the post doesn’t save to the DB, you could have been attacked. Look through your admin to see if any of the symptoms are there, if so, there’s a set of steps you need to follow to remove the intrusion.
Thanks to a lot of help from the boys over at Media Temple, this little exploit has been protected (for now). Hopefully the WP crew is working on this and will fix it in the next release. Until then, we gotta protect our WP with a little extra server-side assistance.
Hopefully this helps wage the war from what appears to be a Russian born WP virus. We’ll see, but for now, if you are having this problem, hopefully this little article helps you out. If you know of any other exploits and how to fix them, please post links via comments below. My fingers are crossed. Let’s hope this works!