To make matters worse there seem to be two – possibly unrelated – issues that webmasters experience. One is a malware attack that is spreading malware on hacked blogs while the other is making use of cloaking techniques to serve a different version of the blog to search engine spiders than to regular visitors and admins.

The cloaking hack appeared on radars in March when bloggers and hosters reported about compromised sites. Media Temple for instance stated on March 2nd that “a number of customer sites [..] have been compromised”.

They identified several patterns the attackers used, one of which placed random-string names in the document root of the blog.

But Media Temple hosted WordPress blogs were not the only ones hit by the attack. Reports from webmasters hosted by Godaddy, Network Solutions or VPS.net indicated that the attack was not web hoster specific.

Fast forward to April 6. Christopher Penn discovered that his blog had been compromised. He found out that the hack on his site injected a new option name into the wp_options table that was using encoded Javascript. The option name always started with rss_.

Deleting that name from the database table stopped the cloaking issues he was experiencing. The key did however appear again which suggested that his blog was still open for the attack.

The vulnerability itself has not been discovered yet. Chris suggested that it has either been the TimThumb plugin or an outdated version of Magpie that WordPress ships with. Both have not yet been confirmed to be the entry points.

There has been no response yet from the WordPress developers regarding this issue.

To make matters worse a second attack has hit WordPress blogs, this time to spread malware. It is not yet clear if the two attacks are related but it is likely that they are.

Frank Gruber posted information about that second attack on his blog which ironically seems to have been successfully compromised as well.

The virus somehow infiltrates WordPress and adds a new file in your scripts directory called jquery.js and then inserts that file into the header or footer files of your site. It also inserts an iFrame that calls a 3rd party site which is known for malware or other malicious activities.

The Trend Micro blog is sharing additional information about the virus that is being spread using this attack. The attack “leads into an infection chain that leads to various malware, including a rogue antivirus[..]“.

To sum it up:

• Several WordPress blogs running the latest official version are currently successfully compromised.
• Attackers either manipulate the blog to spread malware (more recently) or to cloak links that are only visible to search engines
• It is currently not clear how the attacks are carried out.
• Some pointers are given on how to disinfect a blog

WordPress webmasters should check their blogs immediately to make sure that it has not been compromised yet. A wordpress plugin like Antivirus might also help in preventing a successful attack.

According to Mashable there are two clues that your blog has been successfully attacked by the computer worm:

There are two clues that your WordPress site has been attacked.

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account.

Webmasters are asked to update their blogs to the latest version of WordPress immediately. Those that have been hit by the computer worm should backup all files, export their settings, and do a clean install of WordPress. More help is offered at the WordPress website.

Rant:

It’s Sunday and it is time for a little rant. Webmasters who do not update their blogs as soon as a new version of their blogging software is released are acting stupid. A WordPress update usually takes less than ten minutes and ensures that the blog and server is protected from attacks like these. Webmasters who do not have the time to perform these updates should consider switching to a hosted blogging platform like that at Blogger or WordPress.com. The automatic update option that has been introduced in recent WordPress versions makes it even easier to update the blog as soon as a new version is released. Webmasters who cannot do this should not operate a self hosted blog, period.

A fix was released with the announcement of the vulnerability which consisted of one line of code that had to be edited in the wp-login.php file of the WordPress installation. WordPress installations with the fix are safe from these kinds of attacks.

The WordPress team has nevertheless released WordPress 2.8.4. as a response to the security vulnerability. The new release patches this vulnerability and is a recommended update for every WordPress installation. The WordPress developers are providing additional information about the vulnerability in the announcement post as well.

It was only possible to reset a password of the first user account without a key according to this post which usually is the admin account of the WordPress installation. WordPress is not showing the new version in its interface. This may change in the next hours.

WordPress admins should head over to the WordPress website to download the new version as of now.

A new post appeared on the WordPress discussion list today revealing more details about the process. Everyone is apparently able to reset a WordPress password if the email address of the WordPress user is known. All that needs to be done is to point the web browser at http://www.domain.com/wp-login.php?action=lostpassword to reset the password. The email address of the account holder has to be supplied in the form. WordPress usually will send a confirmation email first asking the email account owner if the password should be reset. The vulnerability manipulates the query to skip this step.

It is not possible to exploit this vulnerability further which means attackers cannot get access to the user account. It can however be theoretically be used to reset the password regularly to lock the user or admin out of the WordPress blog.

A temporary fix for the remote admin password reset vulnerability was posted. WordPress administrators need to change one line of code in the wp-login.php file of the WordPress installation to protect their blog from the attack.

Replace

if ( empty( $key ) )

With

if ( empty( $key ) || is_array( $key ) )

It is advised to apply the temporary fix as soon as possible to WordPress installations.