Wordpress 2.5.1 Upgrade Failure May Be Linked to Hack/Exploit
Terry Trippany on May 01 2008 at 1:24 pm | Filed under: Feature Article, Webloggin Tech Tips
A couple of days ago I upgraded all the WordPress domains that I host on my servers when BAM! The dashboard was still giving me the notification that an upgrade was available and that my current version was 2.5.0. This message appeared on quite a few blogs that I host, but not all, even though each upgrade was followed by a prompt to upgrade my database (2.5.1 included a security fix to strengthen the password keys).
Not believing that I failed to upgrade but willing to give it the benefit of the doubt I reran my upgrade scripts on the domains in question to no avail. The WordPress version file also showed that I was at 2.5.1 even though the dashboard said otherwise.
After much digging around and trial and error I discovered that many people were having the same error. Well it turns out that my blogs had been somewhat hacked by an exploit that is detailed here. The exploit creates phantom users, phantom plugins and modifies some core files to allegedly get user information from your database and use that for spam. It also drops some .gg executable files in open directories. Not good.
The signs are simple to spot as long as you have access to your database. The users table will show a phantom user simply named “Wordpress”. This user does not show up on your admin screens in the blog, thus the term phantom.
The second indication is also the fix once removed. It comes via a phantom active plugin in the options table. This came in the form of a big string like ./../../../../../../../tmp. I don’t know how the string got there, perhaps an installation bug or artifact, or an installed plugin left it behind. Who knows. I did not find this string in the databases of blogs that did not exhibit this upgrade issue. This active plugin does not show up on the plugins page, so there is no way to disable it via the admin screens.
Obviously removing the user called ‘Wordpress’ shouldn’t fix anything so I believe the fix for me occurred when I manually removed the phantom active plugin from the database column for active plugins. When I removed that entry all of my plugins became disabled so perhaps I munged the edit. I re-enabled them through the admin console and it was fine as were the blogs in question. In retrospect I would have manually disabled all the plugins through the admin console and then checked to see if that string was still in the database. If so I would have removed it at that time. In any event it worked for me and many others have indicated that the solution worked for them as well.
However you are not quite done yet. You still have to clean up after the exploit that put the stuff there in the first place. Please follow all the steps outlined here in addition to removing the phantom plugin.
For those interested you can read all my comments in the WordPress support forum regarding this fix. My user name is SoundTrip.
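An added example, not code from the original post or from WordPress: WordPress keeps the active plugin list as a PHP-serialized array in the `active_plugins` option, so deleting an entry by hand without correcting the element count leaves a value that no longer parses, which is one likely reason every plugin showed as disabled after the manual edit. The sketch below parses a constructed sample value, flags traversal-style entries like the one described above, and re-serializes the remainder with correct counts; the `wp_` table prefix, the sample plugin names and all function names are assumptions.

```python
import re

# Read the value first (default "wp_" table prefix assumed):
#   SELECT option_value FROM wp_options WHERE option_name = 'active_plugins';
ENTRY = re.compile(r'i:\d+;s:(\d+):"')
TRAVERSAL = "./../../../../../../../tmp"  # the string quoted in the post

def parse_active_plugins(raw):
    """Parse a PHP-serialized list of strings (ASCII plugin paths assumed)."""
    head = re.match(r'a:(\d+):\{', raw)
    if not head:
        raise ValueError("not a serialized array")
    pos, plugins = head.end(), []
    for _ in range(int(head.group(1))):
        entry = ENTRY.match(raw, pos)
        if not entry:
            raise ValueError("element count does not match contents")
        start, size = entry.end(), int(entry.group(1))
        if raw[start + size:start + size + 2] != '";':
            raise ValueError("string length does not match contents")
        plugins.append(raw[start:start + size])
        pos = start + size + 2
    if raw[pos:] != "}":
        raise ValueError("trailing data after declared elements")
    return plugins

def is_suspicious(entry):
    """A real entry is a relative path to a .php file under the plugins dir."""
    parts = entry.replace("\\", "/").split("/")
    return (".." in parts or entry.startswith(("/", "."))
            or not entry.endswith(".php"))

def serialize_plugins(plugins):
    """Re-serialize with a fresh element count, indexes and byte lengths."""
    body = "".join(f'i:{i};s:{len(p.encode())}:"{p}";'
                   for i, p in enumerate(plugins))
    return f"a:{len(plugins)}:{{{body}}}"

def clean_active_plugins(raw):
    """Return (cleaned serialized value, list of flagged entries)."""
    plugins = parse_active_plugins(raw)
    flagged = [p for p in plugins if is_suspicious(p)]
    kept = [p for p in plugins if not is_suspicious(p)]
    return serialize_plugins(kept), flagged

# Constructed sample: two ordinary plugins plus the phantom entry.
SAMPLE = serialize_plugins(["akismet/akismet.php", "hello.php", TRAVERSAL])

if __name__ == "__main__":
    cleaned, flagged = clean_active_plugins(SAMPLE)
    print("flagged:", flagged)
    print("write back:", cleaned)
```

Back up the original option value before writing the cleaned one back, and treat any flagged entry as a reason to carry out the rest of the cleanup, not as the whole fix.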
One Response to “Wordpress 2.5.1 Upgrade Failure May Be Linked to Hack/Exploit”
Upgraded to Wordpress 2.51…
MyTechLife has been upgraded to Wordpress 2.5.1. It includes a number of bug fixes, performance enhancements, and one very important security fix. We recommend everyone update immediately, particularly if your blog has open registration. The vulnerabi…