Mass infection of WordPress blogs at Network Solutions

Since yesterday we are seeing a large number of WordPress blogs (running the latest version 2.9.2) getting infected with malware. None of them are using the same plugins or the same themes. Some of them even have wp-admin access blocked to only a few IPs and via htpasswd password. The only similarity between them is that they are all shared hosts at Network Solutions.

Some of our clients spoke with Network Solutions and they confirmed that all their WordPress sites are having issues, but their servers are clean (are they?).

What is interesting about this attack is that it does not create or modify any files, so the average security advice does not apply here. The only thing is does is to modify your “siteurl” inside the “wp-option” table to point to http://networkads.net/grep/, breaking the site layout completely.

That’s how it looks like in the database:

(2, 0, ‘siteurl’, ‘‘, ‘yes’),

The only way for the database to be modified like that is via SQL injection or a bigger problem inside Network Solutions databases.

Anyone else having this issue? If you are, let us know about it.

*To fix this issue, just revert your siteurl back to the previous value. Log in to your control panel, go to manage database, and edit the siteurl value on the wp-option table.

**If you need help cleaning this up, send us an email dd@sucuri.net

Update 1: More Network solution users affected:

Same thing — some HTML inserted into the siteurl field in the wp_options table, and I can’t get to my login page. I hadn’t upgraded to 2.9.2 yet, and the site’s not using SimplePress forum. So it’s not just 2.9.2 that is affected, if that helps at all.

And here:

My site njnnetwork.com got hacked yesterday morning. After a series of non-productive tasks all day, Network Solutions admitted they have been hacked on many WordPress sites.

Here as well:

They changed my wp-options siteurl to be an iframe pointing to networkads.net/grep The site was not loading correctly so I was able to find this in phpmyadmin. I have had a rash of hacks lately and talked to Network Solutions (my host) They tell me all of their wordpress sites are getting banged up, but their servers are clean.

And many more at the WordPress forums.

Scan your website for free:
About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.

  • Emerson

    I can attest to this as well! I changed my siteURL yesterday and now its back to that iframe thing again!

  • Emerson

    Any chance it has something to do with this post?

    http://www.iampablo.com/archives/fixing-my-hacked-wordpress-database/

  • http://www.runningisfunny.com Mike

    I was hacked yesterday and while the fix you mentioned took care of the site layout, I still can't log-in to WordPress. No matter what I do on phpMyAdmin, the WP log-in page won't accept a password. I'm not an expert, but this seems to be a pretty sophisticated hack to me.

  • http://www.associatedtechs.com Rob

    Hi,

    I've got a client with a WP 2.9.2 site hosted at GoDaddy that's been infected twice now — different type of infection, but the infection doesn't appear to be coming through WP itself according to the site logs.

    Have you guys looked at the access logs for these sites? Can you confirm whether or not you're seeing possible SQL injections through WP itself, or does it actually appear to be a problem on the host's side?

  • http://www.chaseadamsphotography.com Chase Adams

    I've also run into this problem. I can't even access my MySQL database through the phpMyAdmin. I wonder if it's an issue with root installs? I did a manual root install because Network Solutions won't let you install a WP at the root…I'm SO irritated with this.

  • http://www.blogger.com/profile/14980808976404159238 http://sucuri.net

    Rob: We looked at the logs and didn't find anything suspicious… In one of the blogs, they didn't have any access between the time we fixed it and the time it got hacked again (yes, nothing on access.log — only our connections after the fact).

  • http://dustin-burke.com/ dustin-burke.com

    I too did some investigations to find the backdoor … posted on WordPress forum here – http://wordpress.org/support/topic/385477/page/2?replies=53#post-1471394

    Let me know if you (or heaven forbid, Network Solutions) find the cause. Thanks!

  • http://www.blogger.com/profile/02367812323043710058 Shashi Bellamkonda

    Hi Folks,

    I work for Network Solutions. Thanks for posting steps you took to help customers. We are montitoring and using feedback we receive on forums and blogs. Its not accurate to say that this affects only Network Solutions customers. it seems like there have been a spate of these attacks over the past few weeks.

    I did send an email to dd at sucuri.net to see if we could talk and compare notes and I am looking forward to a response.

    Shashi.b

  • http://www.runningisfunny.com Mike

    One of my blogs was definitely infected and still won't allow a WordPress log-in. But even worse, a reader of mine e-mailed me to say that he got a malware alert from my other WordPress blog on NetSol that shows no evidence of a hack and still allows me blog access.

    This suggests the problem may be even more widespread than we think, and that whatever the origins, it's definitely a NetSol problem right now.

  • Anonymous

    Sashi,

    thanks for joining the conversation over here. I understand you see a lot of hacks that more often than not they are these crazy slopping wpress installs and not an NS issue.

    Do you have any SQL audit trail tools you could humor us with and point at one of our "siteurl" records? At the very least it would help all of us good paying customers out.

    I would argue its in NS interest to at least help out when there is a rash of customers burning in flames.

    And note ironicaly that I pay for those "safe" services too lol.

    -dugbug

  • Anonymous

    yes siteurl in wp_options is the entry that is replaced; how are they writing this?

  • http://www.reginafried.com Regina

    Hi -

    Followed directions to restore my sites (2 down, 5 to go!). But that doesn't close the door — hope that someone figures it out soon as I don't want to have to repeat this again tomorrow. All sites were on Network Solutions (but not all my WordPress sites on Network Solutions were affected).

  • Emerson

    Great Shashi,

    If this isn't a problem specific to Network Solutions we'll know soon enough when you guys (or the WordPress community) find which code is letting this happen!

  • http://blog.berryllium.nl Berry Langerak

    Figured it might be nice to hear a different sound for once: the WordPress (2.9.2) site that I host, doesn't have any malicious site_url settings, so it might be limited to a cluster of wordpress installation.

  • http://www.runningisfunny.com Mike

    Got my site back. (How? Beats me.) Changed WP password, posted, everything seems OK. Already changed database password. Judging only on looks, everything appears fine. Will add extra protections, but will it help?

  • http://badwarebusters.org Cometcom1

    Curious to hear if anyone noticed the networkads.net domain change to other domain names? It seems to me that this is currently happening.

    Any other places that this has been found? – i.e. network solutions can't be the only place where this is happening.

  • http://www.blogger.com/profile/09029307736650009451 kurt

    I took a site that was hosted on Netsol and moved it to a new server 4/9. I cleaned everything I could find and restricted the permissions on htdocs. Today (4/10) it remains clean.

  • http://www.wpsecuritylock.com WPSecurityLock

    Do we know if WordPress was installed using Fantastico on the affected sites?

    Has anyone checked both the siteurl (ID 2) and home (ID38) inside the wp_options table?

    I suggest changing the database table prefix to help limit the hacker roadmap too.

    Hopefully the entry point will be found out soon.

    Thanks for keeping us updated!

    Regina Smola

  • Anonymous

    @WPSecurityLock: Sites where WordPress was installed manually were hacked too.

  • Anonymous

    Fyi.
    I had fixed the site url in the mysql db. Changed all sql/wp passwords.
    See topic. http://wordpress.org/support/topic/385477/page/4?replies=53

  • http://www.blogger.com/profile/01565126875294399118 Peter

    changing your passwords and siteUrl won't do u any good – the virus will strike back, it's a bug in wordpress…

    WE NEED SOLUTION from the guys from WordPress.org

  • Richard

    @ Peter

    http://blog.networksolutions.com/2010/wordpress-is-not-the-issue/

    "WordPress is not the issue.

    by Shashi Bellamkonda on April 14, 2010

    We wanted to respond to the debate and conversations about the recent incident affecting Network Solutions’ WordPress customers. Recently, our customers have complained about malicious code on certain of their blogs hosted by Network Solutions. This was not an issue with WordPress. Sorry to the WordPress community and customers for any misunderstanding. This issue resulted from a complex combination of factors and we own it. We have taken steps to address this issue and we continue to work to protect our customers. Also we wanted to let you know that no personal or sensitive financial information was taken as a result of this issue.

    We are learning from this experience. By the way, we like WordPress and continue to use it for a lot of Network Solutions properties such as this blog. Network Solutions customers that need any assistance feel free to email us at listen @ networksolutions.com"