WordPress vulnerability: /iframe/wp-stats.php

Since yesterday, some users have been getting strange messages when accessing one of my sites.

The message comes from the Kaspersky antivirus:

detected: Trojan URL:

What you need to do urgently:

  1. Delete or rename xmlrpc.php so that your blog can no longer be accessed through it.
  2. Find which posts are infected by viewing the page source and searching it for the string "iframe". Clean those posts first.
  3. Request a review of your site from Google, which has probably already started blocking access to your site in its results. Log in to your Google Webmaster Tools account and request a review of your site if the message "this site may harm your computer" appears in Google results.
  4. Delete the most recently registered users of your blog if you do not know them.
  5. Disable the ability to create new users (it is generally useless anyway: if you find a writer, you can create their account for them, and plain readers can comment without creating an account on your site).
  6. Hunt down any other infected posts by running this query against the database: SELECT * FROM wptuto_posts WHERE post_content like '%IFRAME%' ;
    (provided you installed WordPress keeping the default "wptuto_" setting as the table prefix).
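As an added example (not code from the original post), here is a Python script that reproduces steps 2 and 6 of the procedure above against a constructed sample of posts: it runs the same LIKE '%IFRAME%' query the post gives, then narrows the hits to posts that actually contain an iframe tag and pulls out each tag's target and whether the frame is hidden (zero size or display:none), which is the usual shape of an injected frame. The sample rows, the example.invalid URLs and the use of an in-memory SQLite database in place of MySQL are assumptions made for this example; TABLE_PREFIX follows the wptuto_ prefix used in the post.

```python
import re
import sqlite3

# Table prefix as used in the post's query; adjust to your own install.
TABLE_PREFIX = "wptuto_"

# Constructed sample rows standing in for a real <prefix>posts table
# (ID, post_title, post_content). Not data from any real site.
SAMPLE_POSTS = [
    (1, "Hello world", "<p>Welcome to my blog.</p>"),
    (2, "Infected post",
     '<p>Text</p><IFRAME src="http://example.invalid/iframe/wp-stats.php" '
     'width=0 height=0></IFRAME>'),
    (3, "Clean post", "<p>Nothing to see here.</p>"),
    (4, "Second infected post",
     '<p>Hi</p><iframe style="display:none" '
     'src="http://example.invalid/x.php"></iframe>'),
    (5, "Tutorial on iframes",
     "<p>Today I explain what an &lt;iframe&gt; element is.</p>"),
]

# A real <iframe ...> opening tag, any case, with its attribute string captured.
IFRAME_TAG = re.compile(r"<\s*iframe\b([^>]*)>", re.I)
SRC_ATTR = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
# Indicators that the frame is meant to be invisible to the visitor.
HIDDEN_ATTRS = re.compile(
    r"""width\s*=\s*["']?0\b|height\s*=\s*["']?0\b|display\s*:\s*none""", re.I)


def posts_table(prefix):
    """Return the posts table name, refusing prefixes that are not plain identifiers
    (the prefix is interpolated into SQL, so it must never come from user input)."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("table prefix must be alphanumeric/underscore")
    return f"{prefix}posts"


def build_sample_db(prefix=TABLE_PREFIX):
    """Create an in-memory SQLite table shaped like <prefix>posts with the sample rows."""
    table = posts_table(prefix)
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {table} "
                 "(ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT)")
    conn.executemany(f"INSERT INTO {table} VALUES (?, ?, ?)", SAMPLE_POSTS)
    conn.commit()
    return conn


def like_candidates(conn, prefix=TABLE_PREFIX):
    """Step 6 of the post: the broad LIKE '%IFRAME%' search, returning post IDs.
    LIKE is case-insensitive for ASCII in SQLite and under MySQL's default collation,
    so it also catches posts that merely mention the word; those need triage."""
    table = posts_table(prefix)
    rows = conn.execute(
        f"SELECT ID FROM {table} WHERE post_content LIKE '%IFRAME%' ORDER BY ID")
    return [row[0] for row in rows]


def extract_iframes(html):
    """Step 2 of the post, automated: return (src, hidden) for every real iframe tag."""
    found = []
    for match in IFRAME_TAG.finditer(html):
        attrs = match.group(1)
        src = SRC_ATTR.search(attrs)
        found.append((src.group(1) if src else None,
                      bool(HIDDEN_ATTRS.search(attrs))))
    return found


def triage(conn, prefix=TABLE_PREFIX):
    """Narrow the LIKE hits to posts containing actual iframe tags, keyed by post ID."""
    table = posts_table(prefix)
    report = {}
    for post_id in like_candidates(conn, prefix):
        (content,) = conn.execute(
            f"SELECT post_content FROM {table} WHERE ID = ?", (post_id,)).fetchone()
        tags = extract_iframes(content)
        if tags:
            report[post_id] = tags
    return report


if __name__ == "__main__":
    db = build_sample_db()
    print("LIKE candidates:", like_candidates(db))
    for pid, tags in triage(db).items():
        for src, hidden in tags:
            print(f"post {pid}: iframe -> {src} (hidden: {hidden})")
```

Against the sample data the LIKE query returns posts 2, 4 and 5, but only 2 and 4 contain a real tag, and both point at a hidden frame; post 5 is a false positive from the word alone. To use this on a live site, replace build_sample_db with a connection to the WordPress database and still review each flagged post by hand, since a legitimate embed (a video, a map) matches the same patterns.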

These tips are taken from a support forum discussion. This happened to me on a WordPress 2.3.3 site, but it may also be possible on 2.5. When in doubt, the 6th tip is to upgrade to 2.5, but I believe tips 1 (remove xmlrpc.php) and 5 (prevent new user registration) should be followed in every case, provided you don't blog offline and don't collect user registrations.

[Edit of 22/04/08] Thanks to Cui and Starkhay for their excellent comments, which allowed me to update this post…

  • For a quick search for IFRAMEs, a bit of SQL is in order:

    Connect to your database (via PhpMyAdmin or otherwise) and run the following query on the wp-posts table:
    SELECT * FROM wptuto_posts WHERE post_content like '%IFRAME%' ;

    That said, the RPC flaw was found in 2.3 and was quickly patched. Must we remind people once again to keep their software up to date? (And WP 2.5 brings the important improvement of making it noticeably easier to update extensions in particular, even if the feature, still a bit young, has a few flaws.)

  • libretto says:

    Thanks, CUI, for this very useful addition. While browsing the support forum, I thought I read that someone had had the problem on 2.5.

  • libretto says:

    I'd add that your query is really useful: I just found a 2nd infected post; since it wasn't on the home page, it was quite hard to spot.

  • starkhay says:

    If you changed your table prefix when installing WordPress (wp by default), you need to change "wptuto_posts" in the query accordingly 😉 .
    Incidentally, changing this prefix is a security measure!!

  • Kenzo says:

    Thanks a lot for the tutorial 🙂

  • warpdesign says:

    Well, yes, you have to update… the problem is that it's not always easy, since a lot has changed… And if on top of that you've customized things a bit, it's even worse.

    I'm on 2.1 and just ran into the issue… And it's a pain: I don't have time to move to a higher version…
