Incident Response, Network Security, TDR

Widespread attacks continue against WordPress sites

Intruders in recent weeks have hacked a large number of websites created through the WordPress blogging platform to spread malware, with another major campaign launched on Thursday, security researchers said. 

In addition to WordPress blogs, websites created with other PHP-based platforms, including the Zen Cart eCommerce solution, were affected by the attacks, Regina Smola, co-founder of WPSecurityLock, a provider of WordPress security services, told SCMagazineUS.com on Tuesday.

Attackers injected malicious JavaScript into the sites, causing visitors to be redirected to scareware domains that attempted to trick users into installing a virus, she said.

Tens of thousands of legitimate sites are believed to be affected.

When visiting one of the compromised sites, users of InternetExplorer or Chrome were redirected to the rogue AV, David Dede, lead security researcher at malware detection solutions provider Sucuri Security, told SCMagazineUS.com on Tuesday. Firefox users were not affected.

Having an up-to-date anti-virusprogram would block the scareware program from running, Smola said.

All PHP files on affected sites were modified, Dede said. The malicious JavaScript loaded rogue anti-virus malware from two domains in this case: indesignstudioinfo.com/ls.php and zettapetta.com/js.php.

“The pain to the users is that every single file got infected,” Dede said. “On a normal WordPress site, it is around 1,000 files to clean.”

The affected sites were hosted by a number of ISPs, including DreamHost, GoDaddy, Bluehost, Media temple and HostGator, the researchers said. Since all the hacked sites were utilizing shared web hosting providers, analysts did not have access to system logs and were not able to conduct a full forensic investigation.

As a result, experts are unsure how the sites were compromised. Attackers may have used stolen FTP or WordPress passwords, launched a brute-force attack against the passwords, or leveraged a vulnerability in either WordPress itself or a WordPress plug-in, Dede wrote in a blog post on Friday.

Todd Redfoot, CISO of GoDaddy, said in a statement sent to WPSecurityLock that the attack was targeting websites running outdated versions of WordPress and other online applications. However, a number of sites running the latest version of Wordpress also had been compromised, Dede said.

It does not appear that attackers took advantage of an unknown vulnerability in WordPress because, if so, the exploits would be more widespread, he added.

Smola said a brute-force attack against passwords is possible.

“I have found that 99 percent of the sites that we have seen and fixed had very weak passwords to both their FTP and their hosting accounts,” she said.

Others have speculated that the attack may have leveraged a zero-day vulnerability in phpMyAdmin, an open-source tool that allows users to interact with their MySQL databases, Dede said. But there is no evidence of this.

WPSecurityLock has posted instructions for removing the infection, and Sucuri Security has released scripts to automate the process.

This is just the latest wave of attacks against WordPress websites that have been ongoing for the past month, Smola said.

In a previous attack, launched earlier this month, more than 40,000 WordPress sites were affected, she said.

And in April, reports surfaced that some WordPress sites had been compromised to point users to malicious websites. In that case, the targeted sites appeared to be hosted by Network Solutions. WordPress creator Matt Mullenweg subsequently pinned the blame on improperly configured web servers, which he said are the responsibility of the hosting provider.

"WordPress, like all other web applications, must store database connection info in clear text," Mullenweg said. "Encrypting credentials doesn't matter because the keys have to be stored where the web server can read them in order to decrypt the data. If a malicious user has access to the file system — like they appeared to have in this case — it is trivial to obtain the keys and decrypt the information. When you leave the keys to the door in the lock, does it help to lock the door?"

Network Solutions representatives disagreed.

"This issue is not isolated to Network Solutions, nor is it a Network Solutions server issue," a spokeswoman told SCMagazineUS.com in an email. "We're working with the experts in the WordPress community and understand it is an issue with a WordPress plug-in or theme and it is impacting a number of websites that are hosted on various hosting platforms."

The latest spate of WordPress attacks may be linked to recently compromised websites belonging to the U.S. Department of Treasury that were attempting to exploit client-side vulnerabilities to serve malware, independent analyst Dancho Danchev said in a blog post.

"The hosting company used by the [Treasury Department's] Bureau of Engraving and Printing had an intrusion, and as a result of that intrusion, numerous websites were affected," said a statement emailed to SCMagazineUS.com.

The Treasury Department did not name the hosting provider in the statement but researchers said it was Network Solutions.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.