
Attack of WordPress blogs on Rackspace

Update: It is not a “mass” attack as we described. Sorry about that. A good number of sites were affected (we don’t have a clear number yet), but nothing massive or crazy as our post sounded.

If you follow our blog, you probably noticed that these last few months have been especially hard for hosting companies. Lots of them got hacked, bringing down thousands of sites with them. Now we are hearing reports of a mass hack of WordPress blogs hosted on Rackspace.

What is going on?

The attackers were able to get access to Rackspace databases and infect the sites through there. They created a new admin user on many WordPress sites, giving them full access to the WordPress admin panel.

With that access they were able to inject malware and, as we have seen before, they used it to inject SEO spam into the sites.

What are the symptoms?

The first symptom that is easy to spot is new and malicious JavaScript files or spam on your site. Our scanner would detect them properly:

(Screenshot: Rackspace scan)

The second symptom is a new user “amin” on WordPress and some backdoors spread through the system.
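The check below is an added example, not code from the original post or from Sucuri. It shows one way to audit a WordPress user table for administrator accounts that are not on a known list, which is how an injected account such as “amin” would surface. It assumes the default `wp_` table prefix and uses a constructed in-memory SQLite stand-in for the `wp_users` and `wp_usermeta` tables (a real WordPress site uses MySQL); the sample rows and the allowlist are hypothetical.

```python
import re
import sqlite3

# WordPress stores roles in <prefix>usermeta under meta_key "<prefix>capabilities"
# as a PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}
ADMIN_ROLE = re.compile(r's:13:"administrator";b:1;')


def find_unexpected_admins(conn, expected, prefix="wp_"):
    """Return (login, email, registered) for admin accounts not in `expected`."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("unexpected table prefix")  # prefix is interpolated below
    rows = conn.execute(
        f"SELECT u.user_login, u.user_email, u.user_registered, m.meta_value "
        f"FROM {prefix}users u JOIN {prefix}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = ? ORDER BY u.user_registered",
        (prefix + "capabilities",),
    ).fetchall()
    allowed = {name.lower() for name in expected}
    return [
        (login, email, registered)
        for login, email, registered, caps in rows
        if ADMIN_ROLE.search(caps or "") and login.lower() not in allowed
    ]


def build_sample_db():
    """Constructed sample data: a minimal stand-in for two WordPress tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES
          (1, 'admin',  'owner@example.com',  '2009-03-01 10:00:00'),
          (2, 'editor', 'editor@example.com', '2009-05-12 09:30:00'),
          (3, 'amin',   'x@example.invalid',  '2010-06-20 03:14:00');
        INSERT INTO wp_usermeta VALUES
          (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
          (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
          (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


if __name__ == "__main__":
    for login, email, registered in find_unexpected_admins(build_sample_db(), {"admin"}):
        print(f"unexpected administrator: {login} <{email}> registered {registered}")
```

Because the account was created directly in the database, the registration timestamp of any flagged row is a useful starting point for reviewing logs and file modification times.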

This is not a new attack; we have been fixing sites infected by it for more than a month. However, only now are we connecting the dots and seeing that all of them were on Rackspace.

Our friends from Unmask Parasites and Smackdown posted more details about the attack:
http://blog.unmaskparasites.com/..attack-on-wordpress-blogs-on-rackspace/
http://smackdown.blogsblogsblogs.com/../rackspace-hacked-clients-..-in-wp_options-table/

Note that the issues described there do not occur in every case. If you have more information, let us know.

If your site is hacked (or contains malware) and you need help, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if they ever get infected with malware, hacked or blacklisted.


8 Responses to Attack of WordPress blogs on Rackspace

  1. Pingback: Tweets that mention Mass attack of Wordpress blogs on Rackspace | Sucuri Security -- Topsy.com

  2. anapologetos says:

    I’m assuming it was RS’s shared hosting, correct?

    -Josh

  3. @anapologetos – no, Cloud Hosting.

  4. Kevin says:

    Cloud Sites (which is their shared hosting) got hit too.

  5. Scott says:

    I got hit as well. 5 of my WP sites (which are all using Sucuri) got hit with this 'amin' attack. I must have caught the attack before anything malicious was done as none of my files were modified (thus not tripping the Sucuri alarm). I found multiple rows in the DB with base64 garbage in them and lots of unknown users in the users table. I also found some malicious PHP files within the plugins folder.

    And yes….ALL of my affected websites were hosted on Rackspace Cloud.

  6. Pingback: 0-day wordpress vulnerability results in many Media Temple malware infections

  7. Pingback: Managing Hacked Client WordPress Sites: Prevention, Reaction and Investigation – Chris LeCompte

  8. Pingback: Fanatical Support? What fanatical support…Rackspace sucks! | Julian Sula's Blog
