Update 2: Simple clean up solution: http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html
Update 1: Note that we are not blaming WordPress here. I am assuming that if the problem was on WordPress itself, the number of infected sites would be much much bigger. Maybe a plugin is vulnerable or someone stole lots of passwords. Also, all the hacked sites were on shared hosts, no one so far on a private server.
We are seeing multiple reports today of WordPress sites (running their latest version) getting compromised. The initial reports today were restricted only to Dreamhost, but now we are seeing the same pattern on blogs hosted at GoDaddy, Bluehost, Media temple and other places.
So, it doesn’t look like something specific to a hosting company. The only thing in similar is that all of them are on shared servers.
Which came from a long base64 encoded string added to their footer.php file (or on all the PHP files in some cases).
You can get more information about the encoded string here (and the final decoded code):
One thing very interesting that is becoming a trend is that the malware is also hiding from Google. This causes the site to do not get blacklisted, making it harder for the owner to notice.
How are they getting hacked? We have no clue yet… We can only restrict to a few issues:
- Stolen FTP/WP password
- Bug on WordPress
- Bug on some WordPress plugin
- Brute force attack against the passwords
Send us more information if you know something.
The guys from WP security lock did a good thread on the issue. You can read here
As always, if you need help to recover from this attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at firstname.lastname@example.org.