WordPress Hack Terrifies Webmasters
Reports about a WordPress hack affecting self-hosted WordPress blogs have appeared on the Internet in March. The hack seems to affect WordPress 2.9.2, the latest version of the blogging platform, and maybe also older versions as well.
To make matters worse, there seem to be two - possibly unrelated - issues that webmasters experience.
One is a malware attack that is spreading malware on hacked blogs while the other is making use of cloaking techniques to serve a different version of the blog to search engine spiders than to regular visitors and admins.
The cloaking hack appeared on radars in March when bloggers and hosting providers mentioned compromised sites. Media Temple for instance stated on March 2nd that "a number of customer sites [..] have been compromised".
WordPress Hack
They identified several patterns the attackers used, one of which placed random-string names in the document root of the blog.
But Media Temple hosted WordPress blogs were not the only ones hit by the attack. Reports from webmasters hosted by Godaddy, Network Solutions or VPS.net indicated that the attack was not web hosting company specific.
Fast forward to April 6. Christopher Penn discovered that his blog had been compromised. He found out that the hack on his site injected a new option name into the wp_options table and used encoded JavaScript for obfuscation. The option name always started with rss_.
Deleting that name from the database table stopped the cloaking issues he was experiencing. The key did however appear again which suggested that his blog was still open for the attack, and that something was executing code on the site or server to add the database entries again.
The vulnerability itself has not been discovered yet. Chris suggested that it has either been the TimThumb plugin, or an outdated version of Magpie that WordPress ships with. Both have not yet been confirmed to be the entry points.
There has been no response yet from the WordPress developers regarding this issue.
To make matters worse, a second attack has hit WordPress blogs, this time to spread malware. It is not yet clear if the two attacks are related but it is likely that they are.
Frank Gruber posted information about that second attack on his blog which ironically seems to have been successfully compromised as well.
The virus somehow infiltrates WordPress and adds a new file in your scripts directory called jquery.js and then inserts that file into the header or footer files of your site. It also inserts an iFrame that calls a 3rd party site which is known for malware or other malicious activities.
The Trend Micro blog shares additional information about the virus that is being spread using this attack. The attack "leads into an infection chain that leads to various malware, including a rogue antivirus[..]".
To sum it up:
- Several WordPress blogs running the latest official version are currently successfully compromised.
- Attackers either manipulate the blog to spread malware (more recently) or to cloak links that are only visible to search engines
- It is currently not clear how the attacks are carried out.
- Some information are available on how to disinfect a blog
Update: Most recent versions of WordPress have resolved the issues. If you have not updated yet, it is highly suggested that you do so immediately.
WordPress webmasters should check their blogs immediately to make sure that it has not been compromised yet. A wordpress plugin like Antivirus might also help in preventing a successful attack.
Martin, did you hear anything good about Sophos’ UTM Firewall Home Edition? I would love to see your review on this one but I have no idea whether this can be run in VM so in case you have no spare machine to test it then this ain’t gonna happen I know.
Hm, my friend is having problems with major slowdowns on her computer from time to time. And incidentally I installed MS Essentials on her computer. This could be a problem.
I understand S E isn’t available for Win8/8.1 because microsoft thinks defender on 8 is strong enough to not need S E. how does defender compare with other security programs?
Not good as well.
Defender is MSE on Windows 8.
http://www.microsoft.com/security/pc-security/windows-defender.aspx
I am skeptical of AV test comparisons. The reasons for my skepticism are many. Perhaps the most meaningful one is that it is impossible to re-create real world experiences in a lab. IMPOSSIBLE!
I have used MSE for years. It is fine. Typically, other free AV products have a much heavier footprint on systems. They also have a more intrusive UX than MSE. They perform their AV function no better.
BTW, the reason you can’t install MSE in Windows 8/8.1 is because the version of Windows Defender that is incorporated into the OS includes MSE.
Is the percentage one select to be the amount of CPU which MSE is allowed, or which one wishes to reserve for other applications??
Obviously at 50% it doesn’t matter, does it, but in any other case, it does.
Yes please avoid MSE/Defender. Its filter driver causes a significant hit in CPU performance and disk I/O. I recommend using Avast or Avira’s free versions. Better protection, lighter on resources.
I was recently experiencing an extreme example of this problem – with a very high CPU usage to the point where I could hear my hard disk working very hard.
When I opened task manager and looked at the process list, I noticed that there was a file which was using abut 50% of the CPU:
MsMpEng.exeMsMpEng.exe
My first inclination was to just try and “end” the process, to see what happens – but I was denied and prevented from doing so.
So I then ran a Google search and found this link, which provided the explanation and solution:
http://techat-jack.blogspot.com/2012/09/solved-high-cpu-usage-of-microsoft.html
Open MSE – Click on Settengs and then, from the list on the left, choose “Excluded files and locations”
Browse to C:/Pprogram Files/Microsoft Security Client/MsMpEng.exe and add it to the list.
Click on Save Changes and close the program.
Apparently, MSE sees its own process as something which needs to be closely monitored — almost like a puppy dog trying to bite its own tail – and this adjustment relieves the issue.
As far as I can tell – and from the explanation on the link above – this configuration does not interfere with the proper functioning of MSE – because if it did, the configuration would fail – just like it did when I tried ending the process in Task Manager.
It’s been a few weeks now, and I have not experienced that constant high CPU usage associated with MSE — while at the same time, I have noticed it happening on occasion when the process was being called normally.
Give it a try – and I would be very interested to hear what Martin thinks about this.
Happy New Year to All
Yes, I had a client with the same issue – Security Essentials chasing its own tail. It caused a major CPU spike on her system.
I assume that the reason they do this is to protect the program from itself being compromised by malware, which does happen to AV programs occasionally.
Given that most of the major AV programs are doing poorly at detecting new malware, using a weak detector like Security Essentials is a bad idea. “Real world” results are likely to be worse than any AV test.
My comment was marked as spam? Seriously? Because I edited it?
WordPress is strange, at times.