Sneaky Bastard » WordPress

Quick WordPress Intrusion Detection

joseph — Tue, 08 Sep 2009 02:17:23 +0000

To satisfy my curiosity after the increase in worm activity affecting WordPress websites, I decided to run a quick query of the wp_users table in all the WordPress databases on a server. Adjust the database names as necessary, and create a MySQL password file as /root/.my.cnf before running the loop:

for U in adam baker charlie delta; do DB="${U}_wordpress" echo "Database: $DB" sudo -H mysql -D $DB -e " SELECT u.user_login, u.user_registered, um.meta_value FROM wp_users u INNER JOIN wp_usermeta um ON (u.id = um.user_id) WHERE um.meta_key = 'wp_capabilities' ORDER BY u.user_registered DESC" echo "" done

The output will show the most recently created user accounts for each WordPress installation. Apparently the current worm creates an administrator account called “Administrator (2)” that is used to login and make changes to the site. I don’t know if that string appears in the nickname field, or what, so I didn’t query for it explicitly.

Weird WordPress Problem in ThickBox CSS

joseph — Fri, 31 Jul 2009 16:44:52 +0000

For some bizarre reason, the ThickBox CSS file (/wp-includes/js/thickbox/thickbox.css) was hanging display of the administrative interface. An HTTP request for the file would not get a response — I even tried connecting via telnet and typing the request by hand. I moved the file elsewhere and made the same request; the WordPress PHP handler correctly responded with the theme’s 404 page. I put a placeholder file in place, and it worked fine.

The solution was to remove the CSS comments in the stylesheet. I don’t know why this would cause trouble at the web server level. Makes no sense.

/* -------------------------------------------------------------*/ /* ---->>> thickbox specific link and font settings <<<---------*/ /* -------------------------------------------------------------*/ ... /* -------------------------------------------------------------*/ /* ---->> thickbox settings <<<---------------------------------*/ /* -------------------------------------------------------------*/ ...

Updating WordPress

joseph — Sat, 11 Jul 2009 02:43:14 +0000

The release of WordPress 2.8.1 was announced this week. I thought it would be useful to other WordPress users, and provide a good history for myself, to document how I do the update. I first visit the WordPress Download page and copy the URL for the tarball; currently it’s a link to latest.tar.gz, but who knows if that will always redirect to the correct release. With the URL in the clipboard, I switch to my SSH terminal window. I change to my ~/src directory and use wget to download the file and extract the tarball right there. I then use rsync to update the files from the new release to my production site. Here’s the process:

cd ~/src wget http://wordpress.org/latest.tar.gz tar -zxf wordpress-*.tar.gz rsync -niruW wordpress/ ~/websites/sneakybastard.com/ # looks reasonable, run it rsync -ruW wordpress/ ~/websites/sneakybastard.com/

The -n options it to perform a dry-run. I like to see what it plans to do before committing. It’s not a bad idea to clean up the permissions on the wp-content directory too.

cd ~/websites/sneakybastard.com sudo chown -R slappy wp-content sudo chgrp -R apache wp-content sudo find wp-content -type d -exec chmod 2775 {} \; sudo find wp-content -type f -exec chmod 0664 {} \;

The permissions allow file uploads through PHP as the apache user, while the shell account user can make changes to theme and plugin files.