Sucuri Blog

Attack of WordPress blogs on Rackspace

June 15, 2010 | David Dede

Update: It is not a “mass” attack as we described. Sorry about that. A good number of sites were affected (we don’t have a clear number yet), but nothing as massive or crazy as our post made it sound.

If you follow our blog, you probably noticed that these last few months have been especially hard for hosting companies. Lots of them got hacked, bringing down thousands of sites with them. Now we are hearing reports of a mass hack of WordPress blogs hosted on Rackspace.

What is going on?

The attackers were able to get access to Rackspace databases and infect the sites through there. They created a new admin user on many WordPress sites, giving them full access to the WordPress admin panel.

With that access they were able to inject malware and, as we have seen before, they used it to inject SEO spam into the sites.

What are the symptoms?

The first symptom, and the easiest to spot, is new malicious JavaScript files or spam on your site. Our scanner would detect them properly:

[Image: Rackspace scan]

The second symptom is a new user “amin” on WordPress and some backdoors spread through the system.

This is not a new attack, and we have been fixing sites infected by it for more than a month. However, only now are we connecting the dots and seeing that all of them were on Rackspace.

Our friends from Unmask Parasites and Smackdown posted more details about the attack:
http://blog.unmaskparasites.com/..attack-on-wordpress-blogs-on-rackspace/
http://smackdown.blogsblogsblogs.com/../rackspace-hacked-clients-..-in-wp_options-table/

Note that the issues described there do not occur in all cases. If you have more information, let us know.

If your site is hacked (or contains malware) and you need help, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if they ever get infected with malware, hacked or blacklisted.
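
One way to check a WordPress database for the second symptom (an administrator account the owner did not create, such as “amin”) and for option rows holding long base64 strings. This is an added example, not Sucuri's code: it assumes the default `wp_` table prefix, and it runs against an in-memory SQLite database with constructed rows standing in for the site's MySQL database. The allowlist and the 200-character threshold are assumptions to tune per site.

```python
import re
import sqlite3

# Assumption: logins the site owner knows to be legitimate administrators.
KNOWN_ADMINS = {"siteowner"}
# Assumption: a run of 200+ base64 characters in an option value deserves review.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def unexpected_admins(db, known=KNOWN_ADMINS):
    """Return logins that hold the administrator role but are not in `known`."""
    rows = db.execute(
        "SELECT u.user_login FROM wp_users u "
        "JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' "
        "AND m.meta_value LIKE '%\"administrator\"%' "
        "ORDER BY u.ID"
    )
    return [login for (login,) in rows if login not in known]


def encoded_options(db):
    """Return names of wp_options rows whose value contains a long base64 run."""
    rows = db.execute(
        "SELECT option_name, option_value FROM wp_options ORDER BY option_name")
    return [name for name, value in rows if B64_RUN.search(value or "")]


def sample_db():
    """Constructed sample data laid out like the default WordPress tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
    """)
    db.executemany("INSERT INTO wp_users VALUES (?, ?)",
                   [(1, "siteowner"), (2, "editor1"), (3, "amin")])
    admin = 'a:1:{s:13:"administrator";b:1;}'  # PHP-serialized role array
    db.executemany("INSERT INTO wp_usermeta VALUES (?, 'wp_capabilities', ?)",
                   [(1, admin), (2, 'a:1:{s:6:"editor";b:1;}'), (3, admin)])
    db.executemany("INSERT INTO wp_options VALUES (?, ?)",
                   [("blogname", "My Blog"),
                    ("constructed_option", "QUJD" * 80)])  # constructed filler
    return db


if __name__ == "__main__":
    db = sample_db()
    print("unexpected admins:", unexpected_admins(db))
    print("options with long base64:", encoded_options(db))
```

Some legitimate plugins also store encoded data in `wp_options`, so flagged rows are candidates for manual review rather than confirmed infections.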

Categories: Web Pros, Website Malware Infections, Website Security
Tags: Hacked Websites, SEO Spam

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Comments

  1. anapologetos

    June 15, 2010

    I’m assuming it was RS’s shared hosting, correct?

    -Josh

  2. Michael VanDeMar

    June 15, 2010

    @anapologetos – no, Cloud Hosting.

  3. Kevin

    June 15, 2010

    Cloud Sites (which is their shared hosting) got hit too.

  4. Scott

    June 16, 2010

    I got hit as well. 5 of my WP sites (which are all using Sucuri) got hit with this 'amin' attack. I must have caught the attack before anything malicious was done as none of my files were modified (thus not tripping the Sucuri alarm). I found multiple rows in the DB with base64 garbage in them and lots of unknown users in the users table. I also found some malicious PHP files within the plugins folder.

    And yes….ALL of my affected websites were hosted on Rackspace Cloud.

  5. Emergencey Response

    April 3, 2011

    Best website, I’m keen on it!
