ATTN: Mass Wordpress Hack

5 replies
A client of mine contacted me recently.
His GoDaddy-hosted Wordpress was redirecting users to malware.

An attack had compromised every .php file on his server and injected a snippet at the top which would forcefully redirect or display a pop-up of a malware site which would immediately attempt to compromise the victim's computer.

GoDaddy has blamed outdated Wordpress installations as the cause of the hack but the same attack has been encountered on several other platforms, besides Wordpress. The attack has hit other hosting providers as well, not just GoDaddy.

Please check your Wordpress installations and make sure everything is running normally. Any sudden changes in search engine ranking, affiliate commissions, etc. should be looked into. Google will remove known malware sites from search rankings as far as I can remember.

  • Update your Wordpress installations!
  • Use strong passwords
  • Use strong database passwords
  • DO NOT USE 777 for permissions on your server.
KK. Just wanted to spread the word.
Peace
#attn #hack #mass #wordpress
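A defensive check one could script for the kind of compromise the post describes (a snippet injected at the top of every .php file, plus loose permissions), as an added example that is not part of the original post. It compares a web root against a baseline manifest captured from a known-clean copy of the site, flags anything world-writable (the "777" warning above), reports PHP files the baseline never saw, and distinguishes "something was prepended" from "content otherwise changed". The file names, the baseline and the inert marker string in the demo are constructed assumptions; in practice the baseline comes from a clean backup taken before the incident.

```python
"""Integrity and permission audit for a PHP web root.

Added example, not code from the thread. Assumption (hypothetical): a baseline
manifest was captured from a known-clean copy of the site before the incident.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(root):
    """Record (digest, size) for every .php file under root, keyed by relative path."""
    root = Path(root)
    baseline = {}
    for path in root.rglob("*.php"):
        if path.is_file():
            data = path.read_bytes()
            baseline[path.relative_to(root).as_posix()] = (fingerprint(data), len(data))
    return baseline


def audit(root, baseline):
    """Compare the live tree against the baseline; return (finding, relative_path) pairs.

    Findings:
      world-writable  - mode has the o+w bit set (what the 777 warning is about)
      new-php-file    - a .php file the baseline never saw
      prepended       - the original bytes are intact but something was added at the top
                        (the injection pattern the thread describes)
      modified        - content changed in some other way
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.lstat().st_mode & stat.S_IWOTH:
            findings.append(("world-writable", rel))
        if not (path.is_file() and path.suffix == ".php"):
            continue
        data = path.read_bytes()
        if rel not in baseline:
            findings.append(("new-php-file", rel))
            continue
        digest, size = baseline[rel]
        if fingerprint(data) == digest:
            continue
        # If the last `size` bytes still hash to the clean digest, the clean file
        # survives as a suffix, i.e. the change was a prepended block.
        if len(data) > size and fingerprint(data[-size:]) == digest:
            findings.append(("prepended", rel))
        else:
            findings.append(("modified", rel))
    return findings


def demo():
    """Build a tiny constructed web root, baseline it, then simulate the symptoms."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content").mkdir()
        index = root / "index.php"
        plugin = root / "wp-content" / "plugin.php"
        index.write_bytes(b"<?php\necho 'hello';\n")
        plugin.write_bytes(b"<?php\n// plugin code\n")
        for f in (index, plugin):
            os.chmod(f, 0o644)  # sane file modes, independent of the process umask
        baseline = build_baseline(root)

        # Symptom 1: a snippet prepended to a PHP file. The marker is an inert,
        # constructed placeholder standing in for whatever the attack injected.
        original = index.read_bytes()
        index.write_bytes(b"<?php /* constructed-marker */ ?>\n" + original)
        # Symptom 2: a directory left at 777.
        os.chmod(root / "wp-content", 0o777)
        # Symptom 3: a PHP file that was never part of the site.
        cache = root / "wp-content" / "cache.php"
        cache.write_bytes(b"<?php\n")
        os.chmod(cache, 0o644)

        return audit(root, baseline)


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:15} {rel}")
```

Run it on a real site as `build_baseline()` against the clean backup and `audit()` against the live web root; "prepended" hits are the ones to open first, since that is exactly how the injection in this thread presented.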
  • Nonny:
    Is it this?
    Sucuri Security: Found code used to inject the malware at GoDaddy
    Sucuri Security: Last week attacks - Some comments and updates

    If so, it apparently has nothing to do with Wordpress.

    (Although it's a good idea to check your site's permissions and have strong passwords.)
    • ericmartinez:
      Yup, that is the one.

      IMO, it was a semi-intelligent attack.
      Rather than compromising and defacing all of the sites, they used PHP to generate the JavaScript code. But by doing this, they damaged a lot of PHP files, which made it very obvious. 355 files outside of my client's Wordpress had to be cleaned.

      Why I still suggest caution

      This attack is probably still 0-day.
      Meaning, that the vulnerability and exploit used to attack is still private.
      But the underground world moves quickly and exploits are sold in black hat forums. A relatively trivial modification to this code would be to search for sensitive files like wp-config.php and send them to the attacker. This would give them database access on top of already having filesystem access.

      Not to mention that this still does not seem to be fixed.
      You can still face:
      • delivering malware to your visitors
      • dropping in SERPs
      • not being able to access your wp-admin
      • php files / sales letters / etc. being compromised
  • psresearch:
    Thanks, a friend of mine has a blog hosted on GoDaddy and had mentioned something like this. It sounds like the exact same thing.
  • HeySal:
    I've dealt with this sort of thing a few times now. They are like cockroaches to get rid of.

    --
    Sal
    When the Roads and Paths end, learn to guide yourself through the wilderness
    Beyond the Path

  • I had to delete and rebuild 3 of my WP blogs hosted with them last week! That was the exact same thing that happened to my sites.
