WordPresz
It seems there has been a recent attempt to distribute a trojaned version of WordPress via a form of phishing scam. The attack appears to have relied on exploiting an old version of WordPress which had not been upgraded, and changing one of the dashboard feeds to point at a different site. That site was then offering a trojaned install of a WordPress version, 2.6.4, which does not exist. The site has now been shut down, so it is no longer possible to get hold of this trojaned version, but the incident does highlight the importance of upgrading when a security release is made.
As I said in my response in the article on The Register:
We recommend that people upgrade as soon as possible when we release a security release, so as to ensure they are not vulnerable to issues which will likely have exploits in the wild. Also, in the upcoming 2.7 release of WordPress we are including a built-in upgrade mechanism which will allow people to upgrade automatically with ease.
I would, however, stress the need with any piece of software to check that an upgrade is real by visiting the software provider’s website manually, rather than relying on a link you have been provided. Otherwise, as with bank phishing scams, there is the potential for someone to trick you into doing something you didn’t want to do.
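The attack above worked by redirecting one of the admin dashboard feeds to a lookalike site, and the advice is to verify updates against wordpress.org rather than trusting that feed. As an added example (not WordPress’s own code), here is a small Python check that flags dashboard feed or link URLs whose host is not wordpress.org or one of its subdomains; the widget names and the lookalike host wordpresz.example in the sample configuration are constructed.

```python
"""Flag WordPress dashboard feed URLs pointing outside wordpress.org (added example)."""
from urllib.parse import urlsplit

# Assumption: only wordpress.org and its subdomains are legitimate feed sources.
TRUSTED_DOMAINS = ("wordpress.org",)


def is_trusted_feed_url(url: str) -> bool:
    """True only for http(s) URLs whose host is wordpress.org or a subdomain.

    The host comes from the parsed URL, so wordpress.org.evil.example, a
    wordpress.org path on another host, and user@wordpress.org@evil.example
    all fail the check.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def find_tampered_feeds(widget_options: dict) -> list:
    """Return (widget, key, url) for each feed or link URL that is not trusted."""
    findings = []
    for widget, opts in widget_options.items():
        for key in ("link", "url"):
            value = opts.get(key)
            if value and not is_trusted_feed_url(value):
                findings.append((widget, key, value))
    return findings


# Constructed sample: a widget configuration whose primary feed has been
# redirected to a lookalike host (.example is a reserved, non-routable TLD).
SAMPLE_WIDGET_OPTIONS = {
    "dashboard_primary": {
        "link": "http://wordpresz.example/development/",
        "url": "http://wordpresz.example/development/feed/",
    },
    "dashboard_secondary": {
        "link": "http://planet.wordpress.org/",
        "url": "http://planet.wordpress.org/feed/",
    },
}

if __name__ == "__main__":
    for widget, key, url in find_tampered_feeds(SAMPLE_WIDGET_OPTIONS):
        print(f"untrusted {key} in {widget}: {url}")
```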



[...] Peter Westwood – WordPresz [...]
Warning: Fake WordPress Malicious Site « Lorelle on WordPress
November 8, 2008 at 7:16 am
Thanks for the heads-up, Peter.
I’m worried that there could be a day when any site has to have Extended Validation on it for laymen to trust it. The scammers, phishers and black hats are potentially doing more harm to the internets than those who want to dump net-neutrality.
It’s a war, really.
clopinettes
November 8, 2008 at 12:15 pm
Upgrading to the most recent versions is always recommended. I have a POST on my BLOG on WordPress security; these steps might help you secure your BLOG.
http://coolwebdeveloper.com/2008/10/wordpress-blog-security-tips-hacks-and-plugins/
coolwebdeveloper.com
November 8, 2008 at 7:22 pm
[...] that we have skipped version 2.6.4 and jumped from 2.6.3 to 2.6.5 to avoid confusion with a fake 2.6.4 release that made the [...]
WordPress 2.6.5 in detail « westi on wordpress
November 25, 2008 at 5:45 pm
[...] version jumps from 2.6.3 to 2.6.5 to avoid confusion with the fake 2.6.4 release, which was a modified version of the original, an unofficial version that included [...] holes
Wordpress 2.6.5 security update | Jorge Oyhenard
November 25, 2008 at 8:49 pm
[...] there was no official 2.6.4 release. There was an attempt to fool people into downloading a fake release under that number, so it has been skipped in the official release numbering, to avoid [...]
WordPress 2.6.5 Released | geek ramblings
November 25, 2008 at 8:58 pm
[...] 2.6.4 will never be distributed, so as not to generate confusion with a fake version 2.6.4 of WordPress available online. [...]
WordPress 2.6.5: new release for the 2.6 series
November 25, 2008 at 8:58 pm
[...] And for the record, 2.6.5 is the version that follows 2.6.3: there is no 2.6.4, as that was the number attached to a fake release which was doing the rounds a couple of weeks back. [...]
WordPress 2.6.5 released | Blog Mum
November 25, 2008 at 9:36 pm
[...] does not exist; the one before the version just released is 2.6.3. It was decided to skip 2.6.4 so as not to create confusion with a fake version of WP that includes a trojan inside it, [...]
BlogMaster - WordPress 2.6.5 security update
November 25, 2008 at 9:43 pm
[...] that we have skipped version 2.6.4 and jumped from 2.6.3 to 2.6.5 to avoid confusion with a fake 2.6.4 release that made the [...]
WordPress 2.6.5 has been released! | hieudt's blog
November 26, 2008 at 1:39 am
[...] know check out this post by Peter Westwood one of the Lead Developers of WordPress titled WordPresz [It seems there has been an attempt recently to distribute a trojaned version of WordPress via some [...]
Wordpress 2.6.5 is not fake at least … « Hobby Press
November 26, 2008 at 6:27 am
[...] 2.6.4 will never be distributed, so as not to generate confusion with a fake version 2.6.4 of WordPress available [...]
WordPress 2.6.5
November 26, 2008 at 4:03 pm
[...] is a fake version and you should avoid it. You can get detailed information from The Register & Westi’s blog [...]
WordPress 2.6.5 Available & Security Alerts « Tech Idea
November 27, 2008 at 1:27 pm
[...] WordPress.com warns of a security flaw in WordPress 2.6.3 and recommends updating to the new 2.6.5. The version number was skipped because of the Wordprez case. [...]
Wordpress 2.6.5, security update | Tecnolink Informatica
November 27, 2008 at 4:43 pm
[...] that is the case with WordPress 2.6.5: WordPress version 2.6.4 was skipped because of the fake WordPress (Wordpresz), whose version number was that one [...]
Web de León » Update to WordPress 2.6.5
November 27, 2008 at 5:38 pm
But why could something like this not happen with the automatic upgrade?
I prefer to get it manually from the wordpress.org site.
behe
November 28, 2008 at 10:39 pm
@behe: Yes, this kind of attack could take advantage of the core upgrade stuff that is coming in 2.7.
That is why I would always recommend that you check on WordPress.org for the existence of the update before you click update in your admin panel.
Peter Westwood
November 29, 2008 at 12:58 pm
[...] a 2.6.5 after the 2.6.3 release…?? To make sure that you are not getting confused with a FAKE 2.6.4 release – which contains a [...]
WordPress; 2.6.5 released
November 29, 2008 at 7:39 pm
[...] that you have to be careful even with WordPress 2.6.4 (which, by the way, does not exist, and anyone who has installed it should know that they have fallen into the clutches of a [...]
Are you sure? » Innova Desarrollos informáticos
December 6, 2008 at 8:35 am
[...] as you can read in this blog post and this blog post, some rather unpleasant things can happen if you do not keep up with [...]
Fake WordPress : Digital Hverdag
January 2, 2009 at 12:55 pm
[...] Westi reported another attempt to backdoor WordPress installation/upgrade packages. I can see more fake backdoored WordPress archives and attackers trying to exploit the new EASY upgrade feature. I can foresee spoofing or DNS poisoning type attacks. [...]
BlogSecurity » Blog Archive » WordPress Security Predictions in 2009
January 15, 2009 at 10:36 am
[...] WordPress.com warns of a security flaw in WordPress 2.6.3 and recommends updating to the new 2.6.5. The version number was skipped because of the Wordprez case. [...]
Wordpress 2.6.5, security update | aNieto2K
January 26, 2009 at 6:45 pm