WordPress blogs being attacked!
- April 10th, 2010
- Posted in Security, Social Media
- By Davezilla
A large number of WordPress users are noticing that they cannot log into their blogs this weekend. Or, if they can log in, their site has an iframe that points to a malware site (networkads.net/grep). Original posts on the story pointed to blogs hosted by Network Solutions. NetSol, however, claims it is not just them, and that other hosts are being infected as well. They mention a “rogue plugin” but will not say which one it is, and so far the only complaints have come from NetSol blogs. Another early “fact” claimed by many was that this attack was only hitting 2.92 users, but comments indicate other versions have been hit as well.
Sucuri Security has a fantastic write-up of the attack, its details and the fix, which will likely scare those unfamiliar with phpMyAdmin. According to Sucuri:
“What is interesting about this attack is that it does not create or modify any files, so the average security advice does not apply here. The only thing it does is to modify your “siteurl” inside the “wp-option” table to point to http://networkads.net/grep/, breaking the site layout completely.”
If you find yourself infected, and are confused by the directions, do yourself a favor: ask a geeky friend to do this for you. It’s not beginner stuff.
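The check the quote implies, as an added example that is not from the original post or from Sucuri: it reads the base-URL options from the options table, flags any whose host is not the blog's own, and resets them. It assumes the default `wp_options` table name, uses an in-memory SQLite table with constructed rows in place of the blog's MySQL database, and treats `blog.example.com` as a placeholder for the real address; the function names are hypothetical.

```python
import sqlite3
from urllib.parse import urlsplit

# The page names "siteurl"; "home" is WordPress's other base-URL option,
# checked here as an extension.
URL_OPTIONS = ("siteurl", "home")


def audit_site_urls(conn, expected_url, table="wp_options"):
    """Return {option: stored value} for URL options pointing at another host."""
    if not table.replace("_", "").isalnum():  # table names cannot be bound
        raise ValueError("unexpected table name")
    expected_host = urlsplit(expected_url).hostname
    rows = conn.execute(
        f"SELECT option_name, option_value FROM {table} "
        "WHERE option_name IN (?, ?)", URL_OPTIONS).fetchall()
    return {name: value for name, value in rows
            if urlsplit(value).hostname != expected_host}


def restore_site_urls(conn, expected_url, table="wp_options"):
    """Reset each tampered URL option to expected_url; return the names fixed."""
    tampered = audit_site_urls(conn, expected_url, table)
    for name in tampered:
        conn.execute(f"UPDATE {table} SET option_value = ? WHERE option_name = ?",
                     (expected_url, name))
    conn.commit()
    return sorted(tampered)


def build_sample_db():
    """Constructed sample: siteurl rewritten as in the quote above, home intact."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_options "
                 "(option_name TEXT PRIMARY KEY, option_value TEXT)")
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", [
        ("siteurl", "http://networkads.net/grep/"),
        ("home", "http://blog.example.com"),
        ("blogname", "Example Blog"),
    ])
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("tampered:", audit_site_urls(db, "http://blog.example.com"))
    print("restored:", restore_site_urls(db, "http://blog.example.com"))
```

Against a live MySQL database the same two statements apply, but the driver's placeholder syntax will differ from SQLite's `?`.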
TIP: One thing you can do immediately, without accessing your wp_options table, is to turn off and then simply remove the xmlrpc.php file from your WordPress install. It’s always at the top level (root) of your WordPress install.
Has your blog been hit by this attack? How did you fix it?
I got a client phone call early one morning last week that their site wasn’t loading properly. I took one look at the source and realized that the CSS files weren’t loading from the correct root URL.
I then searched the MySQL database using Sequel Pro and found the siteurl field had been changed. A few keystrokes later we were back online.
All this before I had even heard about the NetSol hack. I’m not a programmer by trade, but I was damn proud of myself for finding and fixing this one in under 5 minutes.
Point being, get a good MySQL tool instead of relying on phpMyAdmin. You’ll save tons of time by being able to search entire tables quickly without any advanced coding knowledge. Familiarize yourself with the WordPress table structure and default values. You’ll be able to spot any anomalies when an attack does occur.
And BACK EVERYTHING UP!!!!
Frakkin’ spammers.
That’s a great tip, Andrew, thanks! Quick question: Was the site hosted on NetSol?
Yes, it was hosted on NetSol. Interestingly, a few other personal project WP blogs on the same account were not. Maybe they are on different physical boxes, or I just got unlucky and had the only client site hit.
Oh that is odd. Seems like that attack was limited and rather random.