So. Yes, there’s a WordPress worm infecting loads of sites. I was prepared to nuke Ihnatko.com completely and rebuild it. “Prepared”? I was fully Resigned to it. As the Colonial Marine in “Aliens” so wisely noted: “Nuke it from orbit. It’s the only way to be sure.”
I backed up all of my databases two different ways…first from the WP console and then directly from phpMyAdmin. The latter is the entire DNA helix of the blog: every user, every post, every comment, etc. If you restore your blog using the original MySQL databases, bingo: the blog is back, just as it was before. But it’s possible that the worm put something nasty in any of those databases. When you Export your site via the WP console, it skips over the database file and exports information that can then be imported into a new database file; this is safer, though certain relationship elements can be lost. Or so I have come to understand.
I did the “close your eyes and commend your soul to God” bit. I FTP-ed to my server and trashed all of the existing WordPress software, leaving behind only my content directory and one existing script: wp-config.php. It’s kind of the keychain to the site databases, and the new WordPress installation needs it to unlock all of my data. I checked the file carefully to make sure that no additional code had been injected.
I downloaded the very latest WordPress and FTP-ed it into the directory. Then I opened the admin page for Ihnatko.com, clicked the button to upgrade the database, and Ihnatko.com was back up and running.
All of this is just the standard procedure for upgrading WordPress.
I’m trying to figure out if I’ve actually fixed the problem. I did a lot of poking around. Lots of folks are discussing this worm and the same two fixes keep coming up:
1) Repair the permalink problem simply by going into WP’s “Permalinks” setting page and manually changing it back to what it was. Done.
2) Remove the new admin account that the worm created. Tricky. The worm tries to cover its tracks, but there’s a way to uncover its invisible admin:
Fab. Trouble is…I looked and I’m the only admin on this WordPress system.
I can’t find it on the WordPress “Users” page. I can’t even find it using the trick described in the above URL.
“Okay, but that’s kind of the definition of ‘an invisible admin’, isn’t it?” I thought. So I looked directly in the databases. I even opened the MySQL databases as text files and ran a GREP or two. Nope. I can’t find any trace of any Admin-level users, apart from myself.
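As an added example that is not part of the original post: a defender's version of the database check described above, run against a constructed sqlite stand-in for the wp_users and wp_usermeta tables rather than a live MySQL database. It assumes the default wp_ table prefix; on a real site both the table names and the capabilities meta key follow $table_prefix from wp-config.php, so a grep for "wp_capabilities" misses a site that uses a different prefix.

```python
import sqlite3

# Serialized capability values WordPress stores in usermeta (PHP serialize() format).
ADMIN_CAPS = 'a:1:{s:13:"administrator";b:1;}'
SUBSCRIBER_CAPS = 'a:1:{s:10:"subscriber";b:1;}'


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the wp_users / wp_usermeta tables (sqlite, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT,
                               display_name TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?,?)", [
        (1, "andy", "andy@example.com", "Andy", "2005-01-01 00:00:00"),
        (2, "spambot", "x@example.pl", "spambot", "2009-09-04 03:12:00"),
        # Constructed: a login made of a non-breaking space with a blank display
        # name, the kind of row that is easy to overlook in the Users panel.
        (3, "\u00a0", "", "", "2009-09-04 03:15:00"),
    ])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", [
        (1, 1, "wp_capabilities", ADMIN_CAPS),
        (2, 2, "wp_capabilities", SUBSCRIBER_CAPS),
        (3, 3, "wp_capabilities", ADMIN_CAPS),
        # Constructed: an administrator capability row whose user_id has no
        # wp_users row at all; the Users panel cannot show it, the query can.
        (4, 99, "wp_capabilities", ADMIN_CAPS),
    ])
    return conn


def find_admin_ids(conn: sqlite3.Connection, prefix: str = "wp_"):
    """Return (user_id, user_login) for every capability row granting administrator.

    LEFT JOIN keeps orphaned rows (user_login comes back as None for them).
    `prefix` is a trusted local setting taken from wp-config.php, not user input.
    """
    return conn.execute(f"""
        SELECT um.user_id, u.user_login
        FROM {prefix}usermeta um
        LEFT JOIN {prefix}users u ON u.ID = um.user_id
        WHERE um.meta_key = '{prefix}capabilities'
          AND um.meta_value LIKE '%"administrator"%'
        ORDER BY um.user_id
    """).fetchall()


if __name__ == "__main__":
    for user_id, login in find_admin_ids(build_sample_db()):
        print(f"admin capability on user_id={user_id} login={login!r}")
```

Any row this returns that is not your own account, or that has no matching users row, is what to look at next; an account that is merely a Subscriber, like the .pl and Gmail ones above, does not show up here.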
I did find two or three suspicious-looking Subscriber accounts out in plain sight. A couple from the .pl country domain and a couple of Gmail account names that had all clearly been created by a bot of some kind. I deleted any user that wasn’t obviously human.
But did they have anything to do with the worm? I have to guess that these were just the unrelated result of spambots, creating accounts so they could leave comments along the lines of “She wants to play a trombone, not a kazoo…free sample pack available.”
So here’s where I stand right now:
1) Ihnatko.com is now running WordPress 2.8.4. This code was running before WordPress opened and updated Ihnatko.com’s existing database and theme files, so even if there’s any nasty code in there…it’s dormant. The worm doesn’t work with the newest version of WordPress.
2) I’m convinced that I’m the only user with Admin privileges. I looked in the WordPress Users panel, I looked in the wp_usermeta and wp_users databases. Nothing.
3) I changed my Admin password, just on principle.
Have I fixed this?
I dunno. Maybe. My confidence level is somewhere around 88%. I’m not exactly an admin ninja where WordPress is concerned. Any positive statement I can make ends with the suffix “…as far as I know.” And my knowledge ends about thirty yards short of what a professional WordPress administrator knows.
But it’s enough that I’m willing to walk away from this problem. I don’t know if there’s any code inside my WordPress directory that shouldn’t be there, but I’m convinced that no harm will come to Ihnatko.com, nor to any other WordPress installation through my site.
I can’t be 100% sure unless I start off with an absolutely empty WordPress directory and build up from there, trusting absolutely no file or database that was in there before Friday. That seems like overkill. I feel as though I’ve either eradicated the worm or at least frozen it in carbonite. I know that Men And Women Who Are Smarter Than I — and they are legion — are working on this. I’m confident that in a week or so, there’ll be a definitive method of detecting and eradicating the code.
One thing about nuking a site from orbit…you can’t UN-nuke it later. Whereas the bombs never go stale and will work just as well next week as they would have today.
(Note: this information is for metaphoric use only. If your colony is indeed overrun by xenomorphic alien predators, the nukes are definitely your first and best option.)