Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Botnet

WordPress Hacks Behind Surging Neutrino EK Traffic 51

msm1267 writes: More than 2,000 websites running WordPress have been compromised and are responsible for a surge this week in traffic from the Neutrino Exploit Kit. Attacks against sites running older versions of the content management system, 4.2 and earlier, were spotted by Zscaler. Those sites are backdoored and redirect a victim's browser through iframes to a landing page hosting the exploit kit where a Flash exploit awaits. The exploits generally target Internet Explorer, Zscaler said, and victims' computers are eventually infected with CryptoWall 3.0 ransomware. This analysis is in line with a similar report from the SANS Institute, which pointed the finger at a particular cybercrime group that had steered away from using the prolific Angler Exploit Kit and moved operations to Neutrino.
This discussion has been archived. No new comments can be posted.

WordPress Hacks Behind Surging Neutrino EK Traffic

Comments Filter:
  • by mwvdlee ( 775178 ) on Saturday August 22, 2015 @02:17AM (#50368621) Homepage

    WordPress is a security problem

    I know I'm going to catch flak for this.

    WordPress and all of it's plugins and themes are a huge target for hackers and reliably available online.
    The main problem is that users don't regularly update, or rather that they can't in many cases.
    That is, assuming the plugins are updated for security holes at all.

    I wouldn't be surprised if hackers had databases of the exact versions, plugins and themes of millions of WordPress installations.
    Just wait for a new public disclosure, replicate the exploit and attack the matching sites in your database.
    They could have hundreds of freshly hacked WP sites every week.
    These sites may only stay hacked for a few days or weeks, but it's simple economics.

    • They don't bother with such databases, they just query every site they can reach with a wordpress hack attempt whether it has a wordpress on it or not. After unsuccessfully attacking a few million sites, they gain a few thousand new hacked sites.

    • by John Bokma ( 834313 ) on Saturday August 22, 2015 @03:11AM (#50368755) Homepage

      4.2 is considered older in the summary. According to Wikipedia: "4.2 (Powell) 23 April 2015". I doubt many people update each and every time.

      By the way, I just don't get:

      mysql> GRANT ALL PRIVILEGES ON databasename.* TO "wordpressusername"@"hostname" IDENTIFIED BY "password";

      WordPress is not the only software to do this. And MySQL does support multiple users, each with different rights. I don't get it why a visitor of a website accesses indirectly the database with rights to drop all tables, modify all tables ...

      • by Zedrick ( 764028 )
        > I doubt many people update each and every time.

        They don't have to, Wordpress updates itself by default. Most Wordpress-sites are hacked through plugins like Revslider (lots of people are still running that old version from early 2014) - usually pirated premium plugins (or themes).
        • https://threatpost.com/wordpre... [threatpost.com]

          The vulnerability affected the core WordPress engine in versions 4.2 and earlier, a rarity among the constant parade of serious security issues affecting plugins for the content management platform. The vulnerability allows an attacker to inject JavaScript in the WordPress comment field; the comment has to be at least 66,000 characters long and it will be triggered when the comment is viewed

          Ugh...

        • My base install does NOT auto-update automatically. It notifies me via email. As Wordpress is presented as a GUI-driven system, modifying config files by hand in a text editor to get auto-update working is a negative for qualifying as "default". Installing a plug-in to get auto-update working isn't considered "default" either. I've looked through the GUI and see no mention of enabling auto-updates, nor see any references to this being "by default".
    • by Dracos ( 107777 )

      Yes, WP is a security problem, but the problem isn't the end users, or even the site owners. It's the general low quality of development skill that the WP ecosystem thrives on. The WP codebase is laughable crap, but makes it easy for entry-level, self-described developers to get something done, although without understanding the ramifications of the sloppy way they did it. They learn such sloppiness from the WP core itself, plugins, or the plethora of half-assed tutorials written by people who have only

      • And your suggestion for an alternative is what? Drupal? Sharepoint? I don't know of any other free content management systems with Wordpress's functionality...but that's not my area of expertise anyway. I've only ran Wordpress and Drupal as my hobby CMS, and at work we only use Sharepoint. I'm open to suggestions though!
        • by Dracos ( 107777 )

          Drupal is just as free as WP, so is Cake, CodeIgniter, Laravel, and dozens of others. WP brings less to the table than any of those, but it does bring being an easy target.

          • Wordpress is simple enough to understand by computer illiterate people which is why it is pushed to the "my first blog" crowd. Unfortunately dumbing down the design is part of what makes it such a convenient target. The dozens of others do not offer a CMS for someone who doesn't know what CMS stands for.

    • This is exactly what I came to say. If you are running Word Press, start a contingency plan now, because you are going to be hacked.
    • You CANNOT upgrade Wordpress every time there's a change. Doing so breaks your plugins, and these are not often updated. A Wordpress site with no plugins is a weak piece of garbage.

      It took me a long time to realize that Wordpress isn't actually a software package like other software packages. It's meant to be a framework upon which you do your own coding. If you just care about a website and screw the coding, like most WP users, then you're shit-out-of-luck.

    • I moved to Nikola [getnikola.com]. It's a static site generator written in python.

      All of my posts / pages are written in markdown or restructured text.

      It's easy to integrate with github pages.

      It's static.

      • by mwvdlee ( 775178 )

        And, sadly, it's impossible to use for somebody barely technical enough to order an overpriced preinstalled WordPress site from a hosting provider.

        • GitHub pages is near idiot proof, even with your own domain.

          • by Anonymous Coward

            GitHub pages is near idiot proof, even with your own domain.

            Challenge accepted!

  • ... then Wordpress is a Menger Sponge.
  • "Those sites are backdoored and redirect a victim’s browser through iframes to a landing page hosting the exploit kit where a Flash exploit awaits."

    But can only be successfully exploited on Microsoft windows ..
    • But can only be successfully exploited on Microsoft windows ..

      Oh, only on the world's most popular desktop operating system? No worries then.

  • WordPress as a platform targets the easy-to-use market and thus has a lot of site admins who are not savvy IT people. The auto-update system built into WordPress addressed a large part of the security problem, namely people who don't actively update their software.

    One glaring shortcoming to the WordPress development model is that they don't keep a set of stable releases. The WP core group wants you to stay on the most recent head version to be secure. In practice they have patched previous releases going

    • It is about time that the WordPress foundation recognize that they are no longer a small time blog package. They need to introduce long term supported releases for the stability of their platform.

      Why? What's wrong with updating? Basic users aren't using internal APIs, so they don't have a problem if they update a module.

    • "defining constants in wp-config.php, or adding filters using a Plugin. " is NOT considered a GUI-based "default". As far as I can tell, there is no area inside the GUI to enable this, without installing a plugin. That too shouldn't be considered "default". It needs to be in the core GUI, right on the Dashboard "Enable auto updating?" and enabled by default on all deployments. Forcing users to edit a php file on a server isn't a good policy, nor is requiring a plug in. All major operating systems and so
  • I've done a massive amount of deployments with various PHP based web-CMSes, mostly Joomla and Wordpress. And while they're all built on ancient hacks of incredibly crappy architecture and application models, the type that lets you stand back in awe and amazement vis-a-vis the utter shittyness of each of these webapp-hodgepodge behemoths, I like WordPress the best, because at least I don't feel dirty when building a quick hack with it *and* I actually *can* build a quick hack with it.. Unlike, for instance,

  • OK, so I've got a WordPress site, how can I test to see is this crud is on my site, even though I'm on 4.3?
  • The Wordpress hate here is hilarious. So much obvious anger. Get over yourselves. All of the hate for Wordpress can be compared to ruling in favor of same sex marriages. All of the right wing nut jobs are screaming about how it affects them and how it's so bad, as if someone were going to force them in to a same sex marriage. No one is forcing anyone to use Wordpress either - it's easy and opens operating a web site to a very large number of people. That is a wonderful thing, not a bad thing. If you

A complex system that works is invariably found to have evolved from a simple system that works.

Working...