New attack today against WordPress

Update 2: Simple clean up solution: https://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html

Update 1: Note that we are not blaming WordPress here. I am assuming that if the problem was on WordPress itself, the number of infected sites would be much much bigger. Maybe a plugin is vulnerable or someone stole lots of passwords. Also, all the hacked sites were on shared hosts, no one so far on a private server.

We are seeing multiple reports today of WordPress sites (running their latest version) getting compromised. The initial reports today were restricted only to Dreamhost, but now we are seeing the same pattern on blogs hosted at GoDaddy, Bluehost, Media temple and other places.

So, it doesn’t look like something specific to a hosting company. The only thing in similar is that all of them are on shared servers.

All those sites had this javascript added to their pages:

http://www.indesignstudioinfo.com/ls.php
http://zettapetta.com/js.php

Which came from a long base64 encoded string added to their footer.php file (or on all the PHP files in some cases).

You can get more information about the encoded string here (and the final decoded code):
http://sucuri.net/malware/entry/MW:MROBH:1

One thing very interesting that is becoming a trend is that the malware is also hiding from Google. This causes the site to do not get blacklisted, making it harder for the owner to notice.

People are talking on the forums already:
http://wordpress.org/support/topic/396524
http://www.webhostingtalk.com/showthread.p..
http://collabtive.o-dyn.de/forum/view..

How are they getting hacked? We have no clue yet… We can only restrict to a few issues:

  1. Stolen FTP/WP password
  2. Bug on WordPress
  3. Bug on some WordPress plugin
  4. Brute force attack against the passwords

Send us more information if you know something.

The guys from WP security lock did a good thread on the issue. You can read here

As always, if you need help to recover from this attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at contact@sucuri.net.

62 comments
  1. Not sure if this is why…but MediaTemple did a big DB pword autoreset on everyone a couple days ago. It WAS planned but maybe they had this vulnerability in mind when they did.

  2. I've seen so many of these small websites get hacked that I'm starting to doubt that WordPress is at fault, it's something in the shared hostings' configuration.

    WordPress is a bit hacky and has some bad code though so it certainly possible that they're at fault, but until I know more I can't say with any certainty.

  3. Many hosts use something called Fantastico, which is a script that people use to install their wordpress blogs in the first place. Likely that this is the source of the problem.

  4. I recently came across a dreamhost user who had two separate domains, both with WP installed, and both were hacked with the same script. The websites were unrelated beyond the fact that they were installed on the same dreamhost user. This seems like a pretty strange coincidence to me.

  5. I spotted this on a couple of wordpress blogs this morning then started avoiding them šŸ™ A lot of malware seems to be targeting wordpress recently šŸ™

  6. Can't get into my NS File Manager though my own Account Manager.

    I get . . .

    Error
    Invalid UserID and Password!

  7. Not just wordpress. I have a joomla site that was just hacked! Hosted on godaddy.

  8. Just to follow up with the last post. I have zero wordpress sites on the previously mentioned godaddy account. I just found out that both my joomla site and phpld site were hacked. It is shared hosting.
    James

  9. Hi, I have hosting with Dreamhost, and one of my sites that is written in php, but not WordPress, also has this script injected in the footer, however only in index.php. This definitely is not just a WordPress thing, maybe it's a php thing…

  10. I checked several php pages and they were all infected. It was the smaller of the two sites so I decided to wipe it and start fresh. Will get a dedicated ip though. My joomla sites on bluehost that had a dedicated ip were not affected.

  11. This is only affecting PHP scripts in shared hosting, and it seems to reach past WordPress.

    Can anybody post some details of the apps they are running on the affected servers (Name, Version, Installation procedure (tarball, auto-install script, etc.))

  12. Maybe it's a cloud security breach on linux. There was a major vulnerability last summer with the kernel. That was fairly serious if you ask me.

    Hopefully someone will come forward and take responsibility instead of the "it's the hosts" fault, or "it's wordpress problem", or it's a "php problem", or it's an "Iranian cyber terrorist problem", or it's everybodies problem except my own.

    DIY and Open Source software is dead… Long live the brand name!

  13. Sorry… I didn't mean to sound like I was some sort of authority on open source software.

    I just think that anything that can knock out more than just a few different websites on a few different hosts is fundamentally a much larger problem.

    This is a really good video… I am not a linux or cloud hosting expert. But this guy is.

    http://www.youtube.com/watch?v=L2SED6sewRw

  14. The issue is not just WordPress, but any PHP. Our old manual PHP site was also infected with this BS. Too bad whois searches for the owner comes up blank.

  15. My main gripe with WP is they don't take security seriously enough anymore. Things have changed. The cybercriminals are ahead of the game and winning. WP needs to start providing "security updates and patches." It's that simple. Just like Firefox and SMF and others do.

    You can't just say "we're safe!" when your whole community is getting pounded by guided missile's and your end users are dropping like flies.

    The real reality as of this moment though is it's everyone's problem. If we would stop seeing everything as a competition we might start making some real progress.

    The whole U.S. cybergrid is being threatened and we better get it together and stop being passive about it.

  16. This is probably one of those attacks where a trojan on a webmaster's computer is reading and forwarding FTP accounts, logs in from a different computer with the FTP account and changes the files.

    Changing the FTP passwords or rights doesn't have much use, unless you detect and remove the trojan on the FTP client computers first (or only use sFTP ofcourse, where passwords are encrypted)

  17. most infections i came across at customer sites relate to stolen credentials (ie. ftp accounts). usually they found a virus infection on their computers later or even prior but did not change their passwords. that those guys infected php files (but some hacks like the one having an iframe with "/grep" in the url will also go for html files), its just because its available at nearly every host in the net, so it makes a perfect target.

  18. Furthermore, some of these trojans also are capable of sniffing out FTP credentials on network-traffic, so a clean webmaster's computer is sometimes not enough….

  19. One of our client sites, on GoDaddy, running Joomla 1.5.15 is also affected. We installed and uninstalled WordPress on this shared hosting account before, and their current site uses Joomla.

  20. It's definitely not JUST Fantastico. One of my client's sites was hacked & I installed it manually. Bookmarked your script to use for the next client to fall (hopefully none). Fortunately, we had good backups.

  21. This is completely circumstantial — but I've been hit by this hack 3 times in the last 2 years. Each time an IFRAME is inserted into the page — the first two times the hack infected *every* single html/php file on my server (private hosting on SliceHost, 16-character passwords, SSH-access only with shared/private key, no other admins besides myself) — the 3rd time the hack only infected a few key php files like page.php and one of my template files.

    I kept search on "WordPress IFRAME injection" and while I didn't find a direct answer — everything was very inconclusive and confusing — I did notice a *trend* of conversations between WordPress and Joomla folks around "TinyMCE" and server-side JavaScript execution possibly being an issue.

    I have no idea how valid this is or how that would even work, but the first thing I did was lock down every account that was higher than "subscriber" in my WordPress install and so far so good…

    I don't know if that means it was TinyMCE, but I do know that I've been hacked the same way from 3 separate "start from scratch because I just got hacked" installs of WordPress ranging from 2.5 to 2.9.1 over the last few years — different hosts (RimuHosting, AWS and Slicehost), different sets of passwords for everything — pretty much all the variables changed each time EXCEPT the user accounts that had "author" access (and subsequently could cause TinyMCE to load) and TinyMCE itself inside the WordPress install.

    I've also always used the "TinyMCE Advanced" plugin to expose more of the TMCE features, maybe that enables some portion of TinyMCE that is allowing this to happen?

    Anyway — just wanted to share my information incase it helps anyone else.

    Good luck out there!

  22. getCookie("pma_visited_theme1");

    Seems to indicate it's a PhpMyAdmin attack.

    -Sasha.

  23. For what it's worth, here are some unsuccessful access attempts against obviously related to the current attacks:

    access_log.1:95.211.132.79 – – [03/May/2010:19:29:19 -0700] "GET /administrator/index.php HTTP/1.1" 404 191
    access_log.1:95.211.132.79 – – [03/May/2010:19:29:20 -0700] "GET /joomla/administrator/index.php HTTP/1.1" 404 195
    access_log.1:95.211.132.76 – – [03/May/2010:19:29:20 -0700] "GET /site/administrator/index.php HTTP/1.1" 404 193
    access_log.1:95.211.132.79 – – [03/May/2010:19:29:21 -0700] "GET /cms/administrator/index.php HTTP/1.1" 404 193
    access_log.1:95.211.132.78 – – [03/May/2010:19:29:21 -0700] "GET /content/administrator/index.php HTTP/1.1" 404 195
    access_log.1:95.211.132.70 – – [03/May/2010:19:29:21 -0700] "GET /home/administrator/index.php HTTP/1.1" 404 193
    access_log.1:95.211.132.70 – – [03/May/2010:19:29:22 -0700] "GET /main/administrator/index.php HTTP/1.1" 404 193
    access_log.1:95.211.132.76 – – [03/May/2010:19:29:22 -0700] "GET /portal/administrator/index.php HTTP/1.1" 404 194
    access_log.1:95.211.132.79 – – [03/May/2010:19:29:22 -0700] "GET /web/administrator/index.php HTTP/1.1" 404 193
    access_log.1:95.211.132.79 – – [03/May/2010:19:29:22 -0700] "GET /v1/administrator/index.php HTTP/1.1" 404 193
    access_log.1:95.211.132.70 – – [03/May/2010:19:29:23 -0700] "GET /v2/administrator/index.php HTTP/1.1" 404 192
    access_log.1:95.211.132.78 – – [03/May/2010:19:29:23 -0700] "GET /j/administrator/index.php HTTP/1.1" 404 192
    access_log.1:95.211.132.79 – – [03/May/2010:19:29:23 -0700] "GET /en/administrator/index.php HTTP/1.1" 404 192
    access_log.1:95.211.132.76 – – [03/May/2010:19:29:24 -0700] "GET /joom/administrator/index.php HTTP/1.1" 404 194
    access_log.1:95.211.132.70 – – [03/May/2010:19:29:24 -0700] "GET /Joomla/administrator/index.php HTTP/1.1" 404 195
    access_log.1:95.211.132.76 – – [03/May/2010:19:29:24 -0700] "GET /joomla1.5/administrator/index.php HTTP/1.1" 404 198
    access_log.1:95.211.132.76 – – [03/May/2010:19:29:25 -0700] "GET /joomla15/administrator/index.php HTTP/1.1" 404 197
    access_log.1:95.211.132.76 – – [03/May/2010:19:29:25 -0700] "GET /joomla2/administrator/index.php HTTP/1.1" 404 196
    access_log.1:95.211.132.79 – – [03/May/2010:19:29:25 -0700] "GET /joomla1/administrator/index.php HTTP/1.1" 404 196
    access_log.1:95.211.132.76 – – [03/May/2010:19:29:25 -0700] "GET /Site/administrator/index.php HTTP/1.1" 404 194
    access_log.1:95.211.132.78 – – [03/May/2010:19:29:26 -0700] "GET /site_old/administrator/index.php HTTP/1.1" 404 197
    access_log.1:95.211.132.75 – – [03/May/2010:19:29:26 -0700] "GET /Site_old/administrator/index.php HTTP/1.1" 404 197
    access_log.1:95.211.132.79 – – [03/May/2010:19:29:26 -0700] "GET /cms_old/administrator/index.php HTTP/1.1" 404 197
    access_log.1:95.211.132.78 – – [03/May/2010:19:29:27 -0700] "GET /joomla_old/administrator/index.php HTTP/1.1" 404 199
    access_log.1:95.211.132.78 – – [03/May/2010:19:29:27 -0700] "GET /CMS/administrator/index.php HTTP/1.1" 404 193
    access_log.1:95.211.132.70 – – [03/May/2010:19:29:27 -0700] "GET /test/administrator/index.php HTTP/1.1" 404 194
    access_log.1:95.211.132.76 – – [03/May/2010:19:29:28 -0700] "GET /backup/administrator/index.php HTTP/1.1" 404 196
    access_log.3:95.211.132.70 – – [20/Apr/2010:08:58:44 -0700] "GET /joomla/administrator/index.php HTTP/1.1" 404 195
    access_log.4:95.211.132.70 – – [15/Apr/2010:10:48:10 -0700] "GET /get_orders_list.php HTTP/1.1" 404 189

  24. Here's another snippet where he's trying different Client strings in an effort to figure out why my machines have been successful in automatically thwarting his new attacks…
    Where you see a 200 indicating success, he's only successful in having his IP address banned, so he moves on the the next IP – Hmm, even Googlebot gets banned he notices…

    other-access_log.2:95.211.132.75 – – [27/Apr/2010:07:43:04 -0700] "GET /v1/administrator/index.php HTTP/1.1" 404 3380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MRA 4.3 (build 01218))"
    other-access_log.2:95.211.132.70 – – [27/Apr/2010:07:43:05 -0700] "GET /v2/administrator/index.php HTTP/1.1" 404 3380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MRA 4.3 (build 01218))"
    other-access_log.2:95.211.132.78 – – [29/Apr/2010:07:20:31 -0700] "GET /administrator/index.php HTTP/1.1" 404 3181 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    other-access_log.2:95.211.132.70 – – [29/Apr/2010:07:20:33 -0700] "GET /joomla/administrator/index.php HTTP/1.1" 200 20 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    other-access_log.2:95.211.132.78 – – [29/Apr/2010:07:20:44 -0700] "GET /cms/administrator/index.php HTTP/1.1" 404 3181 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    other-access_log.3:95.211.132.69 – – [24/Apr/2010:11:51:42 -0700] "GET /administrator/index.php HTTP/1.1" 404 3380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MRA 4.3 (build 01218))"
    other-access_log.3:95.211.132.74 – – [24/Apr/2010:11:51:44 -0700] "GET /joomla/administrator/index.php HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MRA 4.3 (build 01218))"

    … if he's reading – I'll give you a hint dumbass, I've set up apache's regex to screen all incoming url's for software I DON'T have installed and instantly ban that IP address because you're obviously up to no good.

    Where would I get a list of software I DON'T have installed in the first place? Apache error logs. They were once full of probes just like this for non-existent URLs, that is until I set up my auto-blacklist. Just make sure the list doesn't contain a valid URL on your server or else you'll ban legitimate users.
    Other than that, it works really well.

    Here's another Tip: Set up Apache's authentication controls around the admin directory or at least the login script if you can.

    -catbutt

  25. Hello,,,,,:) šŸ™‚

    For us the described "BEHAVIOR" at a visitor site browser is "after the visit and any infection".

    So, we did a lot of Internet searching for a description of how to identify and fix infected visitors of these type web pages and were not successful. And, we apologize if a link exists at SUCURI. Any link or description would be great! šŸ™‚ šŸ™‚

    (i.e.)For WINDOWS if an infection has occured:

    What the infection does to the visitor
    Any visually identifiable symptoms
    cookies
    files
    registry entries
    msconfig entries
    etc.

    THANKS for your time, help, and advice!!!!! šŸ™‚ šŸ™‚

    Jerry

  26. This has nothing to do with WordPress. I saw a video of how the hack is occurring. Basically any shared hosting service is totally vulnerable due to the way PHP runs as the same user for all accounts.

    With a program called goonshell you can see and hack all accounts on bluehost or godaddy. All you have to do is get the file upload.
    http://bbs.progenic.com/Topic11483-32-1.aspx

  27. Dear David,

    Could you please investigate and/or confirm what this previous commenter just said?

    I got hacked for the third time today and am certain I've taken every precaution several times over – but it all won't matter a hill of beans if "with a program called goonshell someone can see and hack all accounts on bluehost or godaddy"!

    Thank you!

  28. my Joomla sites were also attacked, but beside them, same thing happened on my testing site with osCommerce, ZenCart and WordPress (same site, just different folders) that was on same Bluehost account as Joomla sites. Interesting thing is, that none of my .php (outside of Joomla, WordPress…) file weren't infected.
    In root of each site I found .php file that was inserting base64_decode line in other .php files, but they had different names (nom.php, weynn.php, att_ins.php…).

    To fix it, I downloaded my sites and used Find&Replace; in Dreamweaver to remove eval(base64_decode("aWYoZnV…fQ==")) and then re-uploaded site again.

  29. This fix added whitespace at the top of every PHP file. Breaking most if not all scripts on my website. I'd greatly enjoy another script to go through and delete all the whitespace before

  30. Simsarmy if you have a large site this script will hang up and not finish. That is what it did on my site. Comment out the line that start with "$rmcode = `find $dir -name "*.php" -type f…." by typing // in front of the line. You should have something that looks like …

    //$rmcode = `find $dir -name "*.php" -type f….

    Save and run this script again. That will remove the extra line from the top of the php pages.

  31. Hosted with Media Temple. They just did an entire DB password reset for customers using shared servers. My WordPress is fine.

  32. Probably just a coincidence but I added my site to seolinkvine.com and the very next day it gets hacked.

  33. Could most of you BE any more stupid? Sites/servers with WP get hacked on numerous different hosting servers…and yet someone how it's the HOST'S problem?

    Wise up and open your eyes.

  34. Okay, if read this far, it's probably about time to get sensational…

    http://www.bing.com/search?q=wordpress+"hacked+by"

    That's 24 Million results.

    I know Goog shows less, and it's probably because it cleans up faster, rather than anything to do with a duplicate content filter.

    http://www.google.com/search?hl=en&q;=wordpress+%22hacked+by%22

    That's 24 Million reasons not to assume that wordpress or joomla or open source software is a miracle solution which has no downside.

  35. Hello can somebody help me ? I have found this blog topic in google about wordpress security and i would like to know what is happened with my website:
    Thanks to the error below(with some referrer from China) I have my WordPress website once a day or 2 days down – 505 internal server error. To make my website run again I always need to delete .htaccess file . (btw.The way how to make my website run again(to delete .htaccess file) told me bluehost operator .)

    Can anybody help me to explain what is wrong , has my website been hacked or what those errors means? What am i supposed to do now? I'm sure that foreign URLS is something that in my errors shouldn't be (I have about 30 same errors in one minute , always almost the same from this chinese forum:

    [Sun May 23 03:40:59 2010] [error] [client 213.5.70.184] PHP Warning: PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20060613/pdo_mysql.so' – /usr/local/lib/php/extensions/no-debug-non-zts-20060613/pdo_mysql.so: cannot open shared object file: No such file or directory in Unknown on line 0, referer: hxxxp://forum.vipearn.c0m/thread-10523-1-1.html

    http i have changed hxxxp and com to c0m to not spam here

    Can anybody help me to explain how to eliminate this problem? Unfortunately im not PHP – Apache expert at all ,
    I would be very happy if anybody can respond , Daniel

  36. Hello Guys,

    I am also a victim.My suggestion is that if you are using any plugins like javascript and CSS optimizer then remove it. It's and RFI attack.Hope you all be happy with this.The attacker first distribute free program (open source) which working fine but he puts a security hole init for later use.He win the faith from us and then attack.

  37. I was going to post some great info here, but the limitations set in commenting has totally turned me off and pissed me off so If anyone wants a permanent solution to being hacked just Google "bulletproof security plugin".

    1. My apologies for your dislike of our commenting system. If you have recommendations, please leave some constructive feedback, we're always interested in improving our reader experience.

      Dre

      1. Hi,
        Sorry to got so irate there, but I had just finished typing about 30 minutes worth of info and went to submit the post and I got the pop up that I had gone over the maximum allowed character limitation so I kept skimming the content down and in a totally amateur move I did not write the post on my end locally and then copy and paste the info here. Yeah I know rookie mistake. šŸ˜‰ Anyway the posting window had finally had enough of me and decided to crash. So all the content was lost. My mistake for not working from a local copy. Did a knee jerk spaz moment of anger there. Sorry about that. šŸ˜‰
        Thanks,
        Ed
        My recent post BulletProof Security WordPress Plugin – BulletProof htaccess Security

  38. It seems 123-reg have become victim to this some 6 months on. Other 123-reg php based scripts have also been hacked in ths way.

Comments are closed.

You May Also Like