Update 1: The attack continues! Now they are using the domain http://mainnetsoll.com/grep/. Make sure to fix the permissions on your wp-config.php and change your database password ASAP.
Update 2: A quick fix if you can't change your database password right away. Set WP_SITEURL inside your wp-config.php; it overrides the siteurl value stored in the database (WP_HOME overrides the companion home option the same way). Add this line to the file, with the scheme included (https if your site serves it):
define('WP_SITEURL', 'http://yoursite.com');
Update 3: If you are seeing attacks from a different domain, please let us know. If you need help, send us an email and we will try to help asap (use contact@sucuri.net ).
Yesterday we reported on a mass infection of WordPress blogs hosted at Network Solutions.
First of all, I must say that the response from Network Solutions was very good. They were active on the forums, responding to users via Twitter and really trying to find and fix the problem. They even sent me an email just after my first post went live to get more information and share notes. That's what I like to see from a hosting company.
Anyway, we talked on the phone yesterday, and after a long analysis they have nailed down the cause of the problem. This is what happened:
- WordPress stores the database credentials in plain text in the wp-config.php file.
- That file should be readable only by the web server (and the site owner), but many users left it readable by every account on the box (mode 755 instead of 750, in Linux terms; the default 644 has the same problem, since the "other" read bit is set).
- A malicious user with an account at Network Solutions wrote a script to locate configuration files with those permissions.
- The script found hundreds of them, and the attacker retrieved the database credentials from each.
- With those credentials, the attacker connected to the databases and changed the siteurl option of every one of these blogs to networkads.net/grep. Easy hack.
So, in the end, everyone can be blamed: WordPress for requiring that the database credentials be stored in clear text, WordPress again for not installing itself securely by default, the users for not securing their blogs, and Network Solutions for allowing this to happen.
I also have to agree with Network Solutions that this problem can happen at any shared host. Not only with WordPress, but with any CMS that stores its database password in clear text. If you were affected (or are on any shared server), change your database credentials ASAP and make sure your configuration file is not readable by everyone else. One caveat: on hosts where every customer's PHP runs as the same Apache user (no suexec or suPHP), making the file group-readable by that user is not enough either, because another customer's script running as that user can still read it.
*To change the permissions, run chmod 750 wp-config.php inside your blog directory over SSH, or set the same mode from your FTP client's permissions dialog (SITE CHMOD). 640 or 600 works just as well; PHP only needs to read the file, never execute it.
**As always, if you need help to recover from a malware/hacking attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at dd@sucuri.net
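The permissions check and fix described above, as an added example that is not code from the original post or from Sucuri or Network Solutions: a POSIX shell script that finds wp-config.php files readable by other accounts, shows the lines a harvesting script on the same host would pull out of one, and tightens the mode. The function names, the directory layout and the sample wp-config.php are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or from Sucuri/Network Solutions.
# Audits a tree for wp-config.php files readable by "other", shows what a
# co-tenant's script would harvest from one, and fixes the mode.
# Paths and function names are assumptions; the config below is constructed.

# Print every wp-config.php under $1 whose mode grants read to "other".
# -perm -004 matches when that bit is set, whatever the rest of the mode is.
find_world_readable_configs() {
    find "$1" -type f -name wp-config.php -perm -004
}

# The only lines a harvesting script needs: the DB_* defines, in clear text.
harvest_db_credentials() {
    grep -E "^define\([[:space:]]*'DB_(NAME|USER|PASSWORD|HOST)'" "$1"
}

# 600: owner read/write only. PHP only reads the file, so no x bit is needed,
# and on mod_php hosts (no suexec/suphp) a group-readable "apache" file is
# still readable by every other customer's scripts running as that user.
fix_config_mode() {
    chmod 600 "$1"
}

# Build a throwaway blog directory with a leaky config (constructed sample).
make_sample_blog() {
    dir=$(mktemp -d)
    cat > "$dir/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wp_sample');
define('DB_USER', 'wp_sample');
define('DB_PASSWORD', 'not-a-real-password');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
EOF
    chmod 644 "$dir/wp-config.php"   # the default mode many users left in place
    printf '%s\n' "$dir"
}

demo() {
    blog=$(make_sample_blog)
    echo "== world-readable configs before the fix =="
    find_world_readable_configs "$blog"
    echo "== what a co-tenant's script could harvest =="
    harvest_db_credentials "$blog/wp-config.php"
    fix_config_mode "$blog/wp-config.php"
    echo "== after the fix (should print nothing) =="
    find_world_readable_configs "$blog"
    rm -rf "$blog"
}

demo
```

Run it as the site owner over SSH and point find_world_readable_configs at your web root instead of the constructed directory. Tightening the file only closes the leak; the siteurl value the attacker wrote into the database still has to be reset there or overridden with WP_SITEURL in wp-config.php, and the database password still has to be changed, since it was already read.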
As Frank above me says, the order of blame here is:
1) Network Solutions for having an insecure setup
Simple as. Sure, users should secure their files properly, but on a shared server you expect your files to all be secured from other shared server users, just as Network Solutions should have realised they were supposed to do this. It's fine to go blaming everyone else but yourself, but it only goes to prove you're looking for a scapegoat.
As a web developer, I can say I've worked on over 200 sites each of which store the main db password in plain text as is standard. And I can also say that they're all perfectly safe. Because they're not hosted with Network Solutions.
I don't think anyone knows the problem. Sites on GoDaddy and Network Solutions were hacked again last night. Some of them had been hardened against attacks with all known fixes after last week's hacks.
It is entirely Network Solutions' fault.
They should secure the home directories of their users such that other users can not access them even if individual files within those home directories have global read access. Example:
drwxr-x--- 95 mike apache 12288 2010-04-17 17:18 /home/mike
If user mike now creates a globally readable file in his home directory, user fred can't read it…
This is kids stuff…
Of course the above only works if they're using suexec/suphp or similar. If they're not doing that, their security is even more of a joke.
I have been hacked with malicious malware four times in the past two years. My host is Network Solutions. Last week my WordPress blog disappeared and this week my web site is gone. In 2009, Network Solutions blamed my web developer for the lack of security, and the web developer blamed Network Solutions. My site has been under attack this time since December 09 and I have just paid a ton of money to a web tech guy to clean things up; now only three weeks later my site is gone from the web altogether. My ranking with Google is in the tank and my business is suffering. Who do you trust and how are these problems resolved?
How about posting an update? NetSol owned up. Your turn?
http://blog.networksolutions.com/2010/wordpress-is-not-the-issue/
"WordPress is not the issue.
by Shashi Bellamkonda on April 14, 2010
We wanted to respond to the debate and conversations about the recent incident affecting Network Solutions’ WordPress customers. Recently, our customers have complained about malicious code on certain of their blogs hosted by Network Solutions. This was not an issue with WordPress. Sorry to the WordPress community and customers for any misunderstanding. This issue resulted from a complex combination of factors and we own it. We have taken steps to address this issue and we continue to work to protect our customers. Also we wanted to let you know that no personal or sensitive financial information was taken as a result of this issue.
We are learning from this experience. By the way, we like WordPress and continue to use it for a lot of Network Solutions properties such as this blog. Network Solutions customers that need any assistance feel free to email us at listen @ networksolutions.com"
644 is standard, you only get 755 or 777 if you assign rights to it. That said, 755 shouldn't matter at all since the config file doesn't display anything to the browser.
They probably got root at networksolutions, or some SQL injection and did a grep for wordpress databases and injected their stuff.
^ So it shows you all fail at understanding Linux. So open a Linux textbook/manpage and read the part on Linux shell permissions.
I have just gone through all the files of a site that was hacked on NS. (I am a WP developer.)
I changed the URL in the database back to the proper name as said here.
Also, I will mention that I found almost all index.php files were corrupt. There is a line of XSS attack (a script code injection) just after the PHP code.
So these files might also need to be changed for all of you to access admin properly.
index.php on:
root level/index.php
wp-admin/index.php
wp-content/index.php
wp-content/plugins/index.php
I would check any index.php file you have.
All of these contained the malicious code.
I hope this helps someone.
As a WordPress user, I would recommend that the PHP file which stores all user names and passwords should not be made available to every WordPress user unless required by the user itself.