WordPress Hacks Behind Surging Neutrino EK Traffic
msm1267 writes: More than 2,000 websites running WordPress have been compromised and are responsible for a surge this week in traffic from the Neutrino Exploit Kit. Attacks against sites running older versions of the content management system, 4.2 and earlier, were spotted by Zscaler. Those sites are backdoored and redirect a victim's browser through iframes to a landing page hosting the exploit kit where a Flash exploit awaits. The exploits generally target Internet Explorer, Zscaler said, and victims' computers are eventually infected with CryptoWall 3.0 ransomware. This analysis is in line with a similar report from the SANS Institute, which pointed the finger at a particular cybercrime group that had steered away from using the prolific Angler Exploit Kit and moved operations to Neutrino.
Re: (Score:3)
You only need this if you use WordPress on a public website of course...
Make sure to have an up-to-date WordPress install. That means that the current major version of 4.3 is okay, but also the minor security update of 4.2.4 (which is an update for 4.2), or even 3.7.10 (which is an update for 3.7).
Any major version before 3.7 is not supported and a security risk.
About plugins, only use plugins that are maintained, and use the latest version from the author.
If you use plugins that haven't had an update in a yea
Re: (Score:2)
Re: (Score:2)
If that is the question, then it's just the same as any other hacked website or ad network.
Re: (Score:3)
Can anyone here please share with us in what way we can protect ourselves from being infected with those malwares/ransomwares?
The summary notes that the criminals use a Flash exploit and target Internet Explorer. So, a good guess would be to uninstall Flash and stop using Internet Explorer. If that is too grand a step, you could go for a Flash block addon for your browser, so you get to choose if Flash is allowed to run.
WordPress is a security problem (Score:5, Insightful)
WordPress is a security problem
I know I'm going to catch flak for this.
WordPress and all of its plugins and themes are a huge target for hackers and reliably available online.
The main problem is that users don't regularly update, or rather that they can't in many cases.
That is, assuming the plugins are updated for security holes at all.
I wouldn't be surprised if hackers had databases of the exact versions, plugins and themes of millions of WordPress installations.
Just wait for a new public disclosure, replicate the exploit and attack the matching sites in your database.
They could have hundreds of freshly hacked WP sites every week.
These sites may only stay hacked for a few days or weeks, but it's simple economics.
Re: (Score:3)
They don't bother with such databases, they just query every site they can reach with a wordpress hack attempt whether it has a wordpress on it or not. After unsuccessfully attacking a few million sites, they gain a few thousand new hacked sites.
Re:WordPress is a security problem (Score:4, Insightful)
4.2 is considered older in the summary. According to Wikipedia: "4.2 (Powell) 23 April 2015". I doubt many people update each and every time.
By the way, I just don't get:
mysql> GRANT ALL PRIVILEGES ON databasename.* TO "wordpressusername"@"hostname" IDENTIFIED BY "password";
WordPress is not the only software to do this. And MySQL does support multiple users, each with different rights. I don't get why a visitor of a website indirectly accesses the database with rights to drop all tables, modify all tables ...
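The least-privilege alternative to the GRANT ALL statement quoted in the comment above, as an added example that is not part of the original thread. The database, user and host names are the placeholders from that statement; the `wp_maint` account and the privilege split are assumptions (core WordPress reads and writes rows with SELECT, INSERT, UPDATE and DELETE, while upgrades and some plugins change the schema and need more).

```sql
-- Added example, not from the thread. 'databasename', 'wordpressusername'
-- and 'hostname' are the placeholders used in the quoted GRANT statement.

-- 1. See what the account the web server uses can currently do.
SHOW GRANTS FOR 'wordpressusername'@'hostname';

-- 2. Take away the blanket grant, then give back only row-level access.
--    A SQL injection through a plugin can still read and change rows,
--    but it can no longer DROP or ALTER tables or hand out privileges.
REVOKE ALL PRIVILEGES ON databasename.* FROM 'wordpressusername'@'hostname';
GRANT SELECT, INSERT, UPDATE, DELETE
    ON databasename.* TO 'wordpressusername'@'hostname';

-- 3. Hypothetical maintenance account ('wp_maint' is an assumed name) for
--    upgrades and plugin installs that change the schema. Its credentials
--    stay out of wp-config.php except during a maintenance window.
CREATE USER 'wp_maint'@'hostname' IDENTIFIED BY 'CHANGE-ME-placeholder';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP
    ON databasename.* TO 'wp_maint'@'hostname';

-- 4. Audit: list every account that still holds schema-changing or
--    delegating privileges on the WordPress database. Run as an
--    administrative user, otherwise only your own grants are shown.
--    The runtime account should not appear in the result.
SELECT GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE
  FROM information_schema.SCHEMA_PRIVILEGES
 WHERE TABLE_SCHEMA = 'databasename'
   AND (PRIVILEGE_TYPE IN ('CREATE', 'ALTER', 'DROP', 'INDEX')
        OR IS_GRANTABLE = 'YES')
 ORDER BY GRANTEE, PRIVILEGE_TYPE;
```

The `GRANT ... IDENTIFIED BY` form in the quoted statement was removed in MySQL 8.0, which is why the account is created with a separate `CREATE USER` here.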
Re: (Score:2)
They don't have to, Wordpress updates itself by default. Most Wordpress-sites are hacked through plugins like Revslider (lots of people are still running that old version from early 2014) - usually pirated premium plugins (or themes).
Re: (Score:2)
Ugh...
Re: (Score:2)
Re: (Score:2)
I got an email from it saying it had updated to 4.2.4, but that 4.3 was also now available.
So it seems minor updates get auto-updated, but not major updates. Which is fair enough... but I don't know how long older releases get security patches fo
Re: (Score:1)
Yes, WP is a security problem, but the problem isn't the end users, or even the site owners. It's the general low quality of development skill that the WP ecosystem thrives on. The WP codebase is laughable crap, but makes it easy for entry-level, self-described developers to get something done, although without understanding the ramifications of the sloppy way they did it. They learn such sloppiness from the WP core itself, plugins, or the plethora of half-assed tutorials written by people who have only
Re: (Score:2)
Re: (Score:2)
Drupal is just as free as WP, so is Cake, CodeIgniter, Laravel, and dozens of others. WP brings less to the table than any of those, but it does bring being an easy target.
Re: (Score:2)
Wordpress is simple enough to understand by computer illiterate people which is why it is pushed to the "my first blog" crowd. Unfortunately dumbing down the design is part of what makes it such a convenient target. The dozens of others do not offer a CMS for someone who doesn't know what CMS stands for.
Re: (Score:2)
That's victim blaming.
You're right, you shouldn't have to update. Use an old version! Don't conform! Don't let the man tell you what to do!
I'm not going to blame the victim, but if you don't update, you're still going to get hacked.
Re: (Score:2)
But "Mwvdlee" called it "the main problem" that users don't update their software
That's true, the main problem was using Wordpress in the first place.
Re: (Score:3)
This is why the Internet Of Things people keep talking about is going to be so awesome! ;-)
Lots of products are failing and it's going to get a whole lot worse soon:
https://www.youtube.com/watch?... [youtube.com]
Cars are my 'favorite' topic right now:
http://www.wired.com/2015/07/g... [wired.com]
http://www.wired.com/2015/07/h... [wired.com]
http://www.bbc.com/news/techno... [bbc.com]
https://www.youtube.com/watch?... [youtube.com]
etc.
They were already warned about the problems in 2011, there was a talk at Usenix conference about it:
https://www.youtube.com/watch?... [youtube.com]
They di
Re: (Score:2)
The main problem is that users don't regularly update
That's victim blaming.
If you volunteer to become a victim, you deserve to share the blame when you are. It doesn't mean we should let people off for what they do, it does mean that someone should explain where you went wrong to you.
Re: (Score:2)
Re: (Score:2)
You CANNOT upgrade Wordpress every time there's a change. Doing so breaks your plugins, and these are not often updated. A Wordpress site with no plugins is a weak piece of garbage.
It took me a long time to realize that Wordpress isn't actually a software package like other software packages. It's meant to be a framework upon which you do your own coding. If you just care about a website and screw the coding, like most WP users, then you're shit-out-of-luck.
Re: (Score:2)
I moved to Nikola [getnikola.com]. It's a static site generator written in python.
All of my posts / pages are written in markdown or restructured text.
It's easy to integrate with github pages.
It's static.
Re: (Score:2)
And, sadly, it's impossible to use for somebody barely technical enough to order an overpriced preinstalled WordPress site from a hosting provider.
Re: (Score:2)
GitHub pages is near idiot proof, even with your own domain.
Re: (Score:1)
GitHub pages is near idiot proof, even with your own domain.
Challenge accepted!
If PHP is a fractal of bad design ... (Score:2)
WordPress Flash exploit .. (Score:2)
But can only be successfully exploited on Microsoft Windows
Re: (Score:2)
Re: (Score:2)
But can only be successfully exploited on Microsoft Windows ..
Oh, only on the world's most popular desktop operating system? No worries then.
WP Foundation Development Model Adds to Problem (Score:2)
WordPress as a platform targets the easy-to-use market and thus has a lot of site admins who are not savvy IT people. The auto-update system built into WordPress addressed a large part of the security problem, namely people who don't actively update their software.
One glaring shortcoming to the WordPress development model is that they don't keep a set of stable releases. The WP core group wants you to stay on the most recent head version to be secure. In practice they have patched previous releases going
Re: (Score:2)
It is about time that the WordPress foundation recognize that they are no longer a small time blog package. They need to introduce long term supported releases for the stability of their platform.
Why? What's wrong with updating? Basic users aren't using internal APIs, so they don't have a problem if they update a module.
Re: (Score:2)
WP has impressive security. (I'm not joking) (Score:1)
I've done a massive amount of deployments with various PHP based web-CMSes, mostly Joomla and Wordpress. And while they're all built on ancient hacks of incredibly crappy architecture and application models, the type that lets you stand back in awe and amazement vis-a-vis the utter shittiness of each of these webapp-hodgepodge behemoths, I like WordPress the best, because at least I don't feel dirty when building a quick hack with it *and* I actually *can* build a quick hack with it. Unlike, for instance,
How Does One Test For Such An Issue? (Score:2)
So much hate (Score:1)
The Wordpress hate here is hilarious. So much obvious anger. Get over yourselves. All of the hate for Wordpress can be compared to ruling in favor of same sex marriages. All of the right wing nut jobs are screaming about how it affects them and how it's so bad, as if someone were going to force them into a same sex marriage. No one is forcing anyone to use Wordpress either - it's easy and opens operating a web site to a very large number of people. That is a wonderful thing, not a bad thing. If you