A number of blogs running the popular WordPress platform have reportedly been targeted in an ongoing cyber offensive. The affected websites are hosted by several different providers, including Bluehost, GoDaddy, DreamHost and Media Temple. Other PHP-based management systems (Zen Cart eCommerce, for example) have also been targeted.
The targeted WordPress websites were infected with scripts that, besides installing malware on the systems, also prevent Google Chrome and Firefox (in other words, browsers that use Google's Safe Browsing API) from showing a warning when a user tries to access the site. It works like this: when Google's search bot reaches an infected page, the page responds by simply returning the malicious code. This cloaking strategy relies on the browser switch that designers usually use to return browser-specific code, accommodating functional differences between browsers such as Firefox and IE.
At the same time, Sucuri Security has published some simple clean-up instructions on their page for decontaminating affected WordPress blogs. The advice includes removing cgi-bin/php.ini from the blog via FTP, or uploading the wordpress-fix.php script (available from their official website, but its extension needs to be renamed from .txt to .php) to the blog, opening it in a browser and running it. The script is said to clean the whole blog in a couple of minutes, deleting all the malware entries. Another option, for those with SSH access to their WordPress blog, is to run
$ # strip the injected one-liner from every PHP file (null-delimited, so filenames with spaces are handled)
$ find ./ -name "*.php" -type f -print0 | \
  xargs -0 sed -i 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g'
$ # then drop the blank lines the removal leaves at the top of each file
$ find ./ -name "*.php" -type f -print0 | \
  xargs -0 sed -i '/./,$!d'
from the site's web root.
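As an added example (not Sucuri's script and not the post's own commands), here is a Python scanner for the same injection marker that reports infected files before changing anything and matches non-greedily up to the first ?>, so legitimate code sitting on the same line as the injection is kept. The sample blog tree it builds is constructed, with a placeholder string in place of the payload body.

```python
"""Detect and remove the injected eval(base64_decode("aWY...")) one-liner."""
import base64
import re
import tempfile
from pathlib import Path

# Marker of the injected block as quoted in the post; its base64 prefix "aWY"
# decodes to "if", so the hidden PHP begins with an if statement.
MARKER = '<?php /**/ eval(base64_decode("aWY'
# Non-greedy up to the FIRST "?>": legitimate code sharing the line with the
# injection survives, while the greedy .* in the sed one-liner would remove
# everything up to the LAST "?>" on that line.
INJECTION_RE = re.compile(re.escape(MARKER) + r'.*?\?>')

def marker_prefix_decodes_to_if() -> bool:
    return base64.b64decode("aWY=") == b"if"  # three symbols, padded to a quantum

def strip_injection(source: str) -> tuple[str, int]:
    """Return (cleaned source, injections removed); leading blank lines that
    the removal leaves behind are dropped, as sed '/./,$!d' does."""
    cleaned, count = INJECTION_RE.subn("", source)
    return (cleaned.lstrip("\r\n") if count else cleaned), count

def scan_tree(root: Path, fix: bool = False) -> dict[str, int]:
    """Map each infected *.php file (relative path) to its hit count.
    Dry run by default; fix=True rewrites the cleaned file in place."""
    hits: dict[str, int] = {}
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="latin-1")  # byte-preserving round trip
        cleaned, count = strip_injection(text)
        if count:
            hits[path.relative_to(root).as_posix()] = count
            if fix:
                path.write_text(cleaned, encoding="latin-1")
    return hits

def build_sample_site() -> Path:
    """Constructed sample blog tree (not real malware): only the marker is
    real, the payload body is a placeholder string."""
    root = Path(tempfile.mkdtemp())
    injected = MARKER + 'PLACEHOLDER_NOT_A_REAL_PAYLOAD==")); ?>'
    (root / "wp-content/plugins/demo").mkdir(parents=True)
    (root / "index.php").write_text(injected + "\n\n<?php require 'wp-blog-header.php'; ?>\n")
    # Injection glued to legitimate code on one line: the echo must survive.
    (root / "wp-content/plugins/demo/demo.php").write_text(injected + "<?php echo 'ok'; ?>\n")
    (root / "wp-config.php").write_text("<?php define('DB_NAME', 'blog'); ?>\n")
    (root / "readme.txt").write_text(injected + "\n")  # not *.php, so never scanned
    return root
```

Run scan_tree(root) first for a report, then scan_tree(root, fix=True) once the hits look right.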
Sucuri Security believes WordPress itself is not to blame for the vulnerability: if the problem were in WordPress, there would be many more infected blogs. The cause of the infections is still unclear; it may be a vulnerable plugin or a batch of stolen passwords for the affected sites. Moreover, all the targeted websites were on shared hosts, and none was hosted on a private server. That means nothing is specific to any one hosting provider; the only thing all the sites have in common is that they are located on shared servers.

