

Mass infection of Wordpress blogs at Network Solutions - sucuri2
http://blog.sucuri.net/2010/04/mass-infection-of-wordpress-blogs-at.html

======
thaumaturgy
OK, this is an interesting one.

One of my clients with an up-to-date, fully patched version of Wordpress, with
correct permissions on all necessary files, and nothing too funky in wp-admin
or wp-content/plugins, has had their site infected twice.

It's a different infection from the one in the article, but it was the same
<script>...</script> code each time.

The interesting thing is that the infection didn't do anything to the site
logs, and while I can see plenty of _failed_ attempts to break Wordpress in
the logs, after hours of examination I can't find any _successful_ attempts to
break Wordpress in the logs.

The client has multiple WP sites, but this is the only one they've had trouble
with. It's also the only one hosted with GoDaddy.

So, either: there's a 0-day Wordpress exploit in the wild that can somehow
compromise a site without showing up as a suspicious GET or POST in the site
logs, or, somehow, hosts are being compromised and sites are being infected
through their host. At the moment, I'm kinda leaning towards the latter.

~~~
sucuri2
Hey,

Thanks for the update. I had access to the logs and we didn't see any
suspicious GET or POST at all. In fact, on the first one I looked I saw a post
to simple forums, so I thought that would be the problem.

But after that, we saw a bunch of blogs without simple forums and even without
any GET request at the time of the hack.

So my assumption is that it can only be through a problem with those shared
hosts...

------
cheald
From Network Solutions via the Wordpress forums
([http://wordpress.org/support/topic/385477/page/2?replies=53#...](http://wordpress.org/support/topic/385477/page/2?replies=53#post-1471448)):

> "From what we can determine at this time, the changes look like they were
> made by a user with admin credentials to your WordPress blog. This could be
> an issue with the WordPress installation or a WordPress plugin on the site.
> This is not an issue on our web hosting servers"

So, there's a possibility that it's a yet-unknown zero-day in the wild, and
the attacker is just targeting blogs at NetworkSolutions at the moment.

------
ajtaylor
I really, really want to use Wordpress as a blogging platform, but the constant
hacks / security issues have given me a lot of pause. Can anyone recommend an
alternative, hopefully one with a bit better track record?

~~~
aphyr
A friend of mine maintains Thoth, a lightweight blog engine written with Ruby.
It's a quality piece of work.

<http://wiki.github.com/rgrove/thoth/>

If you're interested in photoblogging or a heftier multi-contributor model,
I've written Cortex Reaver for that. YMMV, though. :)

<http://github.com/aphyr/cortex-reaver>

------
eagleal
Media Temple Grid service also reported a similar attack, where several DB
passwords were leaked, and systems were infected. They reported that all the
sites were running Wordpress.

[http://weblog.mediatemple.net/weblog/2010/03/02/1167-gs-atta...](http://weblog.mediatemple.net/weblog/2010/03/02/1167-gs-attacked/)

------
liamk
I can confirm this, my dad's wordpress blog, hosted on network solutions, has
also been compromised.

~~~
sucuri2
I heard from at least 50 different people hosting there that got hacked. All
the same stuff... All running wordpress 2.9 and updated.

------
mcantor
The huge ad on the left side of the blog overlaps the blog post itself, making
it illegible to me on Chrome 4.0.

------
ck2
Check for xmlrpc.php access in the logs.

~~~
thaumaturgy
In my case: I did spot some suspicious activity to that file in the first case
of infection, but based on subsequent activity from the same IPs, it didn't
appear to be a successful attack. In the second case of infection, there is no
suspicious activity on that file. (Just some crawlers.)

But, this isn't quite the same infection as is being reported on Network
Solutions, so I dunno what those logs look like. I don't have any clients on
NetSol.
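The log review the two comments above describe (hits on xmlrpc.php, and telling probes that were refused from requests the site actually accepted), as an added example that is not from the thread or from any of the hosts or tools mentioned in it. It reads Apache "combined" access-log lines; the sample lines, IP addresses and paths are constructed for the example.

```python
import re
from collections import defaultdict

# Apache "combined" access-log format (what a shared host usually gives you).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def watched(method, path):
    """Requests worth reviewing: any hit on xmlrpc.php, and POSTs to the
    login page or anything under wp-admin/ (theme and content edits go there)."""
    path = path.split("?", 1)[0]
    if path.endswith("/xmlrpc.php"):
        return True
    return method == "POST" and (path.endswith("/wp-login.php") or "/wp-admin/" in path)

def triage(lines):
    """Group watched requests by client IP.

    A POST answered with 2xx/3xx is one the application accepted (a 302 from
    wp-login.php is what a successful login looks like); runs of 401/403/404/405
    are probes that did not get in, i.e. the "failed attempts" in the thread.
    """
    per_ip = defaultdict(lambda: {"hits": 0, "paths": set(),
                                  "statuses": defaultdict(int), "accepted_posts": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not watched(m["method"], m["path"]):
            continue
        rec = per_ip[m["ip"]]
        rec["hits"] += 1
        rec["paths"].add(m["path"])
        rec["statuses"][m["status"]] += 1
        if m["method"] == "POST" and m["status"][0] in "23":
            rec["accepted_posts"] += 1
    return dict(per_ip)

def accepted_sources(summary):
    """IPs that got at least one watched POST accepted; start the review here."""
    return {ip for ip, rec in summary.items() if rec["accepted_posts"]}

# Constructed sample log (not from the thread): a refused XML-RPC probe, a crawler
# fetching xmlrpc.php, and one client whose login POST was accepted and who then
# posted to the theme editor.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2010:03:14:07 +0000] "POST /xmlrpc.php HTTP/1.1" 403 512 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Apr/2010:03:14:09 +0000] "POST /xmlrpc.php HTTP/1.1" 403 512 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Apr/2010:03:20:01 +0000] "GET /2010/04/hello-world/ HTTP/1.1" 200 8192 "-" "Googlebot/2.1"
198.51.100.7 - - [10/Apr/2010:03:20:02 +0000] "GET /xmlrpc.php HTTP/1.1" 200 42 "-" "Googlebot/2.1"
192.0.2.9 - - [10/Apr/2010:04:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2010:04:02:15 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG.splitlines())
    for ip, rec in summary.items():
        print(ip, rec["hits"], dict(rec["statuses"]), sorted(rec["paths"]))
    print("review first:", accepted_sources(summary))
```

Run it against the real access log with `triage(open(path).read().splitlines())`; an IP that appears in `accepted_sources` around the time the injected script first showed up is where to look, and if none does, that supports the thread's suspicion that the entry point was not a web request at all.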

------
ddemchuk
Just came into the office this morning to find that I had to clean up a
client's site on Wordpress on Network Solutions. Always a pleasant surprise
when they fight to keep their site on the servers they've always used (for
their site they hadn't updated in over 6 years) and then they get hacked :-)

Anyone notice low performance on Wordpress on Net Sol?

