New Exploit In WordPress

A friend noted that he was experiencing weird behavior when he surfed my site. Whenever he clicked a link on my site, provided he’d visited FriendFeed previously, he would randomly be redirected to anyresult.net. This is apparently a new exploit of WordPress that has arisen in the past week or so. I’m running WordPress 2.5.0.

The exploit is simple: it registers itself as an active plugin in your WordPress installation. To disguise itself slightly, the plugin's PHP code is held in a file with an image extension rather than .php. A quick look at the active_plugins row of the wp_options table should allow you to identify a plugin you don't recognize. To do this:

  1. Login to your instance of MySQL: mysql <database name> -u <username> -p -h <database server>
  2. Find the active plugins registered in WordPress: select option_value from wp_options where option_name='active_plugins';
  3. Look for a plugin you don't recognize: you should be able to figure out which plugins are which based on their names. Look in particular for an entry that does not end in .php (an "image" file, for example) or whose path climbs out of wp-content/plugins with ../.

For example, in my case an active plugin had been registered that was held in a file called "rtl_old.jpg", outside the plugins directory entirely. The result of looking at the active_plugins entry in wp_options:

a:10:{i:0;s:50:"../../backup/wp-content/themes/classic/rtl_old.jpg";
i:1;s:43:"../themes/k2/app/includes/k2-sbm-loader.php";
i:2;s:43:"../themes/k2/app/includes/k2-sbm-loader.php";
i:3;s:17:"add-meta-tags.php";i:4;s:19:"akismet/akismet.php";
i:5;s:37:"batch-categories/batch-categories.php";
i:6;s:41:"calais-auto-tagger/calais_auto_tagger.php";
i:7;s:21:"no-flash-uploader.php";
i:8;s:50:"wp-calais-archive-tagger/calais_archive_tagger.php";
i:9;s:18:"wp-contactform.php";}

Clever eh? I'm not clear on the mechanics by which this plugin is hidden from the Plugins panel of WordPress, but nevertheless, the result is that you won't be able to remove this malicious plugin from the WordPress admin panel. (The likely reason, not verified here, is that the Plugins panel only lists .php files it finds under wp-content/plugins, so an entry pointing somewhere else never gets a row with a "Deactivate" link.) To remove the plugin, you'll have to manually update the active_plugins entry for option_value.

You'll need to craft a new value for option_value. The entry is a PHP serialized array: "a:N:{...}" declares an array of N elements; inside it, each "i:k;" is the integer key of an element and each "s:L:"...";" is a string whose length in bytes is L. When you remove an entry, renumber the remaining keys so they run consecutively from 0, decrement the array count, and leave every "s:" length exactly as it was. If any count or length is off, PHP will fail to unserialize the value and WordPress will behave as though no plugins are active at all. To remove the malicious plugin, I altered my option_value to the following:

a:9:{i:0;s:43:"../themes/k2/app/includes/k2-sbm-loader.php";
i:1;s:43:"../themes/k2/app/includes/k2-sbm-loader.php";
i:2;s:17:"add-meta-tags.php";
i:3;s:19:"akismet/akismet.php";
i:4;s:37:"batch-categories/batch-categories.php";
i:5;s:41:"calais-auto-tagger/calais_auto_tagger.php";
i:6;s:21:"no-flash-uploader.php";
i:7;s:50:"wp-calais-archive-tagger/calais_archive_tagger.php";
i:8;s:18:"wp-contactform.php";}

To effect the necessary change in MySQL:

  1. Login to your instance of MySQL: mysql <database name> -u <username> -p -h <database server>
  2. Update the option_value entry (keep a copy of the old value first so you can restore it if the new one is malformed): UPDATE wp_options SET option_value = '<new value for option_value>' WHERE option_name='active_plugins';
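The identification step and the hand-crafting of the new value above both come down to reading and rewriting the same serialized format, and getting a length wrong breaks every plugin. The following script is an added example, not code from the original post: it parses the active_plugins value, flags entries that are not .php files or that climb out of wp-content/plugins, and re-serializes the list with the lengths and indexes recomputed. The sample value is the one shown in the post with straight quotes; the K2 loader entries will be flagged too because they use ../, which is why the script reports suspicious entries and lets you choose what to remove rather than deleting on its own.

```python
"""Audit and clean a WordPress active_plugins option value.

The value is a PHP-serialized array of int-keyed strings:
    a:<count>:{i:<index>;s:<byte length>:"<path relative to wp-content/plugins>";...}
"""
import re
import sys

# The active_plugins value from the post, with straight quotes (the blog's
# rendering shows curly quotes, which MySQL would never have stored).
SAMPLE = (
    'a:10:{i:0;s:50:"../../backup/wp-content/themes/classic/rtl_old.jpg";'
    'i:1;s:43:"../themes/k2/app/includes/k2-sbm-loader.php";'
    'i:2;s:43:"../themes/k2/app/includes/k2-sbm-loader.php";'
    'i:3;s:17:"add-meta-tags.php";i:4;s:19:"akismet/akismet.php";'
    'i:5;s:37:"batch-categories/batch-categories.php";'
    'i:6;s:41:"calais-auto-tagger/calais_auto_tagger.php";'
    'i:7;s:21:"no-flash-uploader.php";'
    'i:8;s:50:"wp-calais-archive-tagger/calais_archive_tagger.php";'
    'i:9;s:18:"wp-contactform.php";}'
)

ARRAY_HEAD = re.compile(rb"a:(\d+):\{")
ITEM_HEAD = re.compile(rb'i:(\d+);s:(\d+):"')


def parse_active_plugins(value):
    """Return the list of plugin paths in a serialized active_plugins value.

    s:<n> is a byte length, so the value is handled as bytes and each string
    is cut by its declared length rather than by searching for a closing quote.
    A wrong length is reported instead of being silently accepted.
    """
    data = value.encode("utf-8") if isinstance(value, str) else value
    head = ARRAY_HEAD.match(data)
    if head is None:
        raise ValueError("not a serialized PHP array")
    count, pos = int(head.group(1)), head.end()
    paths = []
    for expected in range(count):
        item = ITEM_HEAD.match(data, pos)
        if item is None or int(item.group(1)) != expected:
            raise ValueError("malformed or out-of-order entry at byte %d" % pos)
        length, start = int(item.group(2)), item.end()
        end = start + length
        if data[end:end + 2] != b'";':
            raise ValueError("declared length %d is wrong for entry %d" % (length, expected))
        paths.append(data[start:end].decode("utf-8"))
        pos = end + 2
    if data[pos:] != b"}":
        raise ValueError("trailing data after the array")
    return paths


def serialize_active_plugins(paths):
    """Serialize a list of paths with consecutive keys and correct byte lengths."""
    items = []
    for index, path in enumerate(paths):
        items.append('i:%d;s:%d:"%s";' % (index, len(path.encode("utf-8")), path))
    return "a:%d:{%s}" % (len(paths), "".join(items))


def audit_active_plugins(value):
    """Return (index, path, reasons) for every entry worth a second look."""
    findings = []
    for index, path in enumerate(parse_active_plugins(value)):
        reasons = []
        if not path.lower().endswith(".php"):
            reasons.append("not a .php file")
        if path.startswith("../") or "/../" in path or path.startswith("/"):
            reasons.append("path escapes wp-content/plugins")
        if reasons:
            findings.append((index, path, reasons))
    return findings


def remove_plugins(value, to_remove):
    """Return a new serialized value with the given paths dropped."""
    drop = set(to_remove)
    kept = [p for p in parse_active_plugins(value) if p not in drop]
    return serialize_active_plugins(kept)


if __name__ == "__main__":
    # Pass the option_value as the first argument, e.g. the output of
    # mysql -N -e "select option_value from wp_options where option_name='active_plugins'"
    value = sys.argv[1] if len(sys.argv) > 1 else SAMPLE
    for index, path, reasons in audit_active_plugins(value):
        print("entry %d: %s  (%s)" % (index, path, "; ".join(reasons)))
    print(remove_plugins(value, ["../../backup/wp-content/themes/classic/rtl_old.jpg"]))
```

Running it on the post's value reports entry 0 for both reasons and entries 1 and 2 for the ../ path only, and the cleaned value it prints is byte-for-byte the nine-element array the post hand-edited.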

I'm curious about the content of the rtl_old.jpg file, but that can be dissected later. For now, these instructions should get you back on track and remove the malicious plugin. Note that editing the database row only deactivates it: the file is still on disk, and whatever access the attacker used to drop it and write to wp_options has not been closed. Copy the file somewhere for later analysis, delete it, look for other unexpected files in that backup directory and in any writable location, change your WordPress and database passwords, and upgrade from 2.5.0.

Canadian Government Wants to Search Your Laptop

This appeared in today’s Province: New documents have been leaked showing the Canadian federal government is secretly negotiating an agreement to turn border guards and other public security personnel into copyright police. They would be charged with checking laptops, iPods and even cellphones for content that “infringes” on copyright laws, such as ripped-off CDs and movies. The guards would determine what infringes copyright.

This is being done under the Anti-Counterfeiting Trade Agreement – interestingly, federal trade agreements do not require parliamentary approval.

Seriously – are you kidding me? Just how, exactly, is this going to work?

“Sir, do you have your iTunes receipt for this copy of “In Da Club”? No? Then I suspect it’s illegal. Thanks for the free laptop!”

When border guards are incapable of recognizing that a MacBook Air is a real computer (the TSA was stumped by this for a while until they issued new guidance), how can we expect them to correctly judge what is or isn’t “infringing”?

Now that I think about it, why stop here? Why not also have them check everyone for “stolen” articles?

“Sir, do you have your receipt for the pair of Gap jeans you’re wearing? No? I think you stole them. Thanks for the free pants! Now, about that underwear…”

This smacks of bureaucracy that doesn't actually solve a real problem, but it's nothing new. A few years ago, the Canadian Copyright Board added a levy on blank media to remunerate artists for revenue lost to "private copying". By 2007 that levy had raised over $100M; the portions of it applied to iPod-type devices were struck down in court, echoing a similar finding in 2004.

We need to see a little public outrage over this.