Numerous WordPress Blogs Compromised by Malware Attack
Sucuri Security Labs, a web-based integrity-monitoring provider, reports that a large number of blogs were compromised in the second week of April 2010 in an attack designed to redirect visitors immediately to a malicious URL that loads exploits.
According to the report, the firm is observing malware infecting many WordPress blogs running the latest version, 2.9.2. The affected blogs do not share the same themes or plug-ins; the only thing they have in common is that all of them are on shared hosting at Network Solutions, as reported on the Sucuri Security Labs official blog on April 9, 2010.
The hack's common symptom is a modified "siteurl" value in the "wp_options" database table. Normally this option holds the website's main URL; on affected installations it has been replaced with a rogue <iframe> element pointing to http://networkads.net/grep/ [don't open - malware alert].
Because "siteurl" is not expected to contain HTML, this alteration breaks the entire layout of the blog and prevents users and administrators alike from reaching the website.
The clumsy technique clearly indicates that the attackers are amateurs who are not very familiar with the intricacies of the WordPress platform.
According to David Dede, a Sucuri security researcher, the database can only have been modified through SQL injection or through a serious problem within Network Solutions' databases; however, no suspicious activity is recorded in the access logs, as reported by SOFTPEDIA on April 10, 2010.
The idea that only Network Solutions-hosted blogs were affected was challenged by Shashi Bellamkonda, head of social media strategy at Network Solutions. In response to the Sucuri report, he wrote that it is not correct to say that only Network Solutions customers are affected, and that there appears to have been a wave of attacks over the past few weeks, as reported by SOFTPEDIA on April 10, 2010.
In conclusion, the security researchers caution that simply correcting the rogue "siteurl" entry in the database may not be enough to resolve this serious problem, because a large number of webmasters complained that their blogs were being re-infected time and again. The recommended remedy is therefore to override the "siteurl" value manually in wp-config.php.
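As an added example (not code from the original report or from Sucuri), a small audit check a WordPress administrator could run over the "siteurl" and "home" values pulled from wp_options, flagging the injected-iframe form described above. The sample rows, the placeholder domain malicious.example and the expected blog URL are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample rows, as they might come from
# `SELECT option_name, option_value FROM wp_options` (or `wp option get siteurl`).
# The siteurl value mimics the shape of the 2010 hack with a placeholder domain.
SAMPLE_OPTIONS = {
    "siteurl": '<iframe src="http://malicious.example/grep/" width="1" height="1"></iframe>',
    "home": "http://myblog.example",
    "blogname": "My Blog",
}

# The URL the administrator knows the blog should be served from (constructed).
EXPECTED_URL = "http://myblog.example"


def check_site_url(value, expected=None):
    """Return (ok, reason) for one URL-bearing option value.

    A healthy siteurl/home is a bare absolute http(s) URL with a host, containing
    no markup, quotes or whitespace, and (when `expected` is given) matching the
    URL the administrator expects apart from a trailing slash.
    """
    if re.search(r"[<>\s\"']", value):
        return False, "contains markup or whitespace (injected HTML)"
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False, "not an absolute http(s) URL"
    if expected is not None and value.rstrip("/") != expected.rstrip("/"):
        return False, f"differs from expected {expected}"
    return True, "ok"


def audit_options(options, expected=None):
    """Check both URL-bearing options; returns {option_name: (ok, reason)}."""
    return {name: check_site_url(options.get(name, ""), expected)
            for name in ("siteurl", "home")}


if __name__ == "__main__":
    for name, (ok, reason) in audit_options(SAMPLE_OPTIONS, EXPECTED_URL).items():
        print(f"{name}: {'OK' if ok else 'SUSPICIOUS'} - {reason}")
```

Once a tampered value has been restored, the override the article recommends is done with the WP_HOME and WP_SITEURL constants in wp-config.php, which take precedence over the database values.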
» SPAMfighter News - 21-04-2010