Update 1: The attack continues! Now they are using the domain http://mainnetsoll.com/grep/. Make sure to fix your wp-config and change your database password ASAP.
Update 2: A quick fix if you can’t change your database password. Set the WP_SITEURL inside your wp-config. It will override the change in the database. Just add this line inside your file:
Update 3: If you are seeing attacks from a different domain, please let us know. If you need help, send us an email and we will try to help asap (use email@example.com ).
Yesterday we reported of a mass infection of WordPress blogs that were hosted at Network Solutions.
First of all, I must say that the response from Network Solutions was very good. They were active on the forums, responding to users via Twitter and really trying to find and fix the problem. They even send me an email just after my first post went live to get more information and share notes. That’s what I like to see from a hosting company.
Anyway, we discussed via the phone yesterday and after a long analysis they have nailed the cause of the problem. This is what happened:
- WordPress stores the database credentials in plain-text at the wp-config.php file.
- This configuration file should only be read by Apache, but some users (well, lots of users) left it in a way that anyone could read it (755 instead of 750 in Linux slang).
- A malicious user at Network Solutions creates a script to find those configuration files that were incorrectly configured.
- This same malicious user finds hundreds of configuration files with the incorrect permissions and retrieves the database credentials
- Yes, he again (the bad guy) launches an attack and modify the database for all these blogs. Now the siteurl for all of them just became networkads.net/grep. Easy hack.
So, at the end anyone can be blamed. At WordPress for requiring that the database credentials be stored in clear-text. At WordPress again for not installing itself securely by default. At the users for not securing their blogs. At Network Solutions for allowing this to happen.
I also have to agree with Network Solutions that this problem can happen at any shared host site. Not only for WordPress, but for any CMS out there that store the passwords in clear-text. For anyone affected with this problem (or anyone at a shared server), change your database credentials ASAP and make sure your configuration file is not readable by everyone else.
*To change the permissions via FTP, just run chmod 750 wp-config.php inside your blog directory.
**As always, if you need help to recover from a malware/hacking attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at firstname.lastname@example.org