The common denominator of the hack was that all affected websites were hosted on so called shared hosting servers. These servers host multiple websites by different users. Affected web hosting companies are Go Daddy, Bluehost, Media temple, Dreamhost and Network Solutions. It is likely that others are affected as well.

It is not clear yet how the hack was carried out. Current suggestions are either weak passwords or file access rights that allow the attacker to gain access.

We are seeing multiple reports today of WordPress sites (running their latest version) getting compromised. The initial reports today were restricted only to Dreamhost, but now we are seeing the same pattern on blogs hosted at GoDaddy, Bluehost, Media temple and other places.

How do you know if your website is affected?

All those sites had this javascript added to their pages:

http://www.indesignstudioinfo.com/ls.php
http://zettapetta.com/js.php

Which came from a long base64 encoded string added to their footer.php file (or on all the PHP files in some cases).

The website WP Security Lock posted detection instructions as well.

Here’s some of Zettapetta’s behavior:
Your website is redirected to:http://www1.firesavez5.com/?p=p52dcWpkbmmHjsbIo216h3de0KCf…….. or
http://www1.firesavez6.com/?p=p52dcWpkbG6HjsbIo…
This redirect page is a blank page. The source code contains the following:

404 Not Found

The page that you have requested could not be found.
All of your .php files on your WordPress contain the following malicious code… Located in the source code near the bottom of all .php files is the following script: http://zettapetta.com/js.php and http://www.indesignstudioinfo.com/
Your antivirus program blocks the installation of the threat: www.firesavez5.com or a www.firesaver6.com installer.

Sucuri.net has posted instructions on how to remove the malicious code from WordPress.

Via SSH:

If you have SSH access to your server, run the following commands on your web root:

$ find ./ -name “*.php” -type f | \
xargs sed -i ‘s###g’ 2>&1
$ find ./ -name “*.php” -type f | \
xargs sed -i ‘/./,$!d’ 2>&1

Via web:

If you don’t have SSH access, download this file to your desktop:
http://sucuri.net/malware/helpers/wordpress-fix_php.txt and rename it to wordpress-fix.php.

After that, upload it to your site via FTP, and run it (using your browser) as: http://yoursite.com/wordpress-fix.php

This script will take a few minutes to complete, but will scan your whole site and remove the malware entries.

Once you are done, go back to your site and remove this file.

Has your blog or website been affected by the hack? Let us know how you resolved the issue in the comments.

To make matters worse there seem to be two – possibly unrelated – issues that webmasters experience. One is a malware attack that is spreading malware on hacked blogs while the other is making use of cloaking techniques to serve a different version of the blog to search engine spiders than to regular visitors and admins.

The cloaking hack appeared on radars in March when bloggers and hosters reported about compromised sites. Media Temple for instance stated on March 2nd that “a number of customer sites [..] have been compromised”.

They identified several patterns the attackers used, one of which placed random-string names in the document root of the blog.

But Media Temple hosted WordPress blogs were not the only ones hit by the attack. Reports from webmasters hosted by Godaddy, Network Solutions or VPS.net indicated that the attack was not web hoster specific.

Fast forward to April 6. Christopher Penn discovered that his blog had been compromised. He found out that the hack on his site injected a new option name into the wp_options table that was using encoded Javascript. The option name always started with rss_.

Deleting that name from the database table stopped the cloaking issues he was experiencing. The key did however appear again which suggested that his blog was still open for the attack.

The vulnerability itself has not been discovered yet. Chris suggested that it has either been the TimThumb plugin or an outdated version of Magpie that WordPress ships with. Both have not yet been confirmed to be the entry points.

There has been no response yet from the WordPress developers regarding this issue.

To make matters worse a second attack has hit WordPress blogs, this time to spread malware. It is not yet clear if the two attacks are related but it is likely that they are.

Frank Gruber posted information about that second attack on his blog which ironically seems to have been successfully compromised as well.

The virus somehow infiltrates WordPress and adds a new file in your scripts directory called jquery.js and then inserts that file into the header or footer files of your site. It also inserts an iFrame that calls a 3rd party site which is known for malware or other malicious activities.

The Trend Micro blog is sharing additional information about the virus that is being spread using this attack. The attack “leads into an infection chain that leads to various malware, including a rogue antivirus[..]“.

To sum it up:

• Several WordPress blogs running the latest official version are currently successfully compromised.
• Attackers either manipulate the blog to spread malware (more recently) or to cloak links that are only visible to search engines
• It is currently not clear how the attacks are carried out.
• Some pointers are given on how to disinfect a blog

WordPress webmasters should check their blogs immediately to make sure that it has not been compromised yet. A wordpress plugin like Antivirus might also help in preventing a successful attack.

Another thing that is really annoying in WordPress 2.7 is the fact that you can either delete all comments on the page, selected comments or all spam comments at once. At 20 spam comments per page and thousands in total this can take a long time to flip through and delete.

The WordPress hack is actually quite easy to perform even for webmasters who have no knowledge whatsoever regarding html and php. The file that is responsible for the amount of comments that are displayed is called edit-comments.php. It can be found in the wp-admin folder. Make sure you backup that file before you apply the changes so that you can revert back if something should go wrong.

Locate the following line in the file, it should be around line 182 in the file:

$comments_per_page = apply_filters('comments_per_page', 20, $comment_status);

The only thing that you need to do is to change the figure 20 to another figure, e.g. 100 so that it looks like this:

$comments_per_page = apply_filters('comments_per_page', 100, $comment_status);

Just save the file again and check the display of the comments in the admin interface to make sure everything is working correctly.