April 9, 2010

A large number of bloggers using WordPress are reporting that their sites recently were hacked and are redirecting visitors to a page that tries to install malicious software.

According to multiple postings on the WordPress user forum and other blogs, the attack doesn’t modify or create files, but rather appears to inject a Web address — “networkads.net/grep” — directly into the target site’s database, so that any attempts to access the hacked site redirects the visitor to networkads.net. Worse yet, because of the way the attack is carried out, victim site owners are at least temporarily locked out of accessing their blogs from the WordPress interface.

It’s not clear yet whether the point of compromise is a WordPress vulnerability (users of the latest, patched version appear to be most affected), a malicious WordPress plugin, or if a common service provider may be the culprit. However, nearly every site owner affected so far reports that Network Solutions is their current Web hosting provider.

Network Solutions spokeswoman Susan Wade said the company is investigating the attacks, and that the company believes the problem may be related to a rogue WordPress plugin. Wade added that the attacks weren’t limited to just Network Solutions customers (although the company hasn’t supplied the author with any evidence to support that claim yet).

A scan of the script that was seen pushed from the networkads.net site indicates that visitors to a hacked site will be redirected to a site that tries to install a malicious ActiveX browser plugin (ActiveX is a plugin technology that affects only Internet Explorer Web browsers, but the individuals behind this attack could conceivably swap in different malware at any time). A scan of the file delivered by that redirect shows rather poor detection by most anti-virus products: Virustotal.com found that only 7 out of 39 anti-virus products detected it as malicious.

The following how-to-repair instructions appear to have worked for a number of Network Solutions customers hit by this attack.

-Log in to your site at networksolutions.com

-Using Network Solution’s MySQL admin console, browse to the wp_options table and change the value for “siteurl” to your blog’s URL . For example: “http://example.com/wordpress”.

-Edit wp_config.php to override value of SITEURL (this way even if the database value is altered, it gets overridden by the config value.

Still, that fix may only be temporary, said David Dede, a security expert from Brazil who maintains the blog Sucuri Security. Dede said he has helped close to a dozen blogs recover from the incident, and all were hosted at Network Solutions.

Dede said that on each site he completely wiped the database and installed a fresh copy of WordPress, only to find that a few hours later, the site’s Web address was changed back to “networkads.net/grep.” During that time, however, the access logs for the site showed no remote logins to the affected sites, he said.

“So, it doesn’t look like a plugin issue,” Dede said.

Stay tuned for further updates.

Update, Apr. 12, 10:49 a.m. ET: It seems there are multiple culprits here. According to an update to Dede’s blog, a number of security weaknesses contributed to this attack, including the fact that WordPress stores the database credentials in plain-text at the wp-config file, which a lot of WordPress users allow to be readable by anyone. Dede also said a malicious user at Network Solutions created a script to find those configuration files that were incorrectly configured.

Network Solutions has updated its blog with some additional pointers and tips, but as for the “malicious user at Network Solutions,” company spokesman Shashi Belamkonda would say only that “the root cause for this issue has been addressed.”


33 thoughts on “Hundreds of WordPress Blogs Hit by ‘Networkads.net’ Hack

  1. JCitizen

    Not surprisingly, both versions of Avast and GDATA made the list.

    Good article!

    Great reporting Brian!

  2. Shashi Bellamkonda

    Hi Brian,

    While you are correct that Network Solutions customers are discussing this with us on social networks it is not correct to say that this issue is affecting only Network Solutions customers.

    Read these posts : http://techcocktail.com/home/2010/04/08/wordpress-hacked-virus-cloaks-search-engines/
    http://inspirated.com/2010/03/02/wordpress-ninoplas-virus-and-the-fix

    While we did not want to seem like we were pointing fingers at other hosting companies if you use google you will see results of other sites affected. Here is an example http://kl.am/a6nZ Check the whois for the sites that come-up for this wuery and see where they are hosted. Its possible that you may find a few from Network Solutions in there. The point I am making is the user has full control over their wordpress instance .

    I should also mention that we are working with the WorkPress community and monitoring feedback from blogs and forums to help nail down the issue.

    Was nice talking to you today and were waiting to get a call back to provide you this info.

    Thanks,

    Shashi

  3. G.J.Souverein

    I was attacked by a script installed at the wordpress blog of redbeesoft at http://www.redbeesoft.com a few days ago.
    Their provider is HostDime.com , inc
    Sign of “JS:Illredir-AL [Trj]” has been found in “http://redbeesoft.com/” file.
    WAS protected by Avast.

  4. dyerware

    Change your PHPMYADMIN password. You can do this though the network solutions management panel under NSHosting/Configuration/Database in the left panel of the account management interface.

    Kinda think this siteurl hack is simply going for that. All the hacker needs is the username and password of your SQL database.

    Worth a shot!

    1. jbravo556

      Tried it, it didn’t help.

      I changed the database name and password. Changed my SFTP password, changed my wordpress admin password and still got hacked within an hour or so.

      However is doing this seems to have hacked the database server and has the password for the root account to MySQL.

      1. Dyerware

        Did you chmod 750 the wp_config.php file prior to updating it?

  5. Neal Locke

    Ok, fixed all the chmod stuff and removed the malicious code from the mysql database.

    BUT…still can’t get into wp-admin. When I type in the url it’s showing up as a 404 Page Not Found error.

    Suggestions?

    1. dyerware

      Well, realy I think you should ask sucuri.net Krebs as Im a plugin developer but don’t get much into this stuff.

      A few things I have noted in implementing the solution:

      1) Make sure the dbase password REALLY changed because the default user name you get for your dbase from network solutions is technically illegal (starts with a number, has underscores). I kept trying to update just the password and it would revert. So make the user name “legal” at the same time so it goes through.

      2) delete your browser cache to force a full reload.

      3) try accessing an admin file directly: mysite/wp-admin/index.php

      best of luck of course!

  6. dyerware

    Oh one more thing…. I had to ensure I was fully logged out of my site and then I logged in and I could get to the admin area. Like the cookies still affected access with old info.

  7. Me

    This is an ongoing threat and ‘binglbalts.com’ is another older malicious
    domain:

    networkads.net A 64.50.165.169
    binglbalts.com A 64.50.165.169

    Source: http://www.bfk.de/bfk_dnslogger.html?query=64.50.165.169

    Both domains are known bad, share the same path ‘/grep/’ and using the
    “Eleonore toolkit”:
    http://www.malwaredomainlist.com/mdl.php?search=alex1978a%40bigmir.net

    Admin panel: /grep/stat.php

    ‘binglbalts.com’ already discussed at the WordPress forums:
    http://wordpress.org/tags/binglbaltscom

    But also Joomla related:
    http://badwarebusters.org/main/itemview/16815
    http://sucuri.net/?page=saved-scan&scan=9c70604ee49370617d7d591c8542ccdb-sav
    ed

  8. G.J.Souverein

    Information about ninoplas.com from http://www.robtex.com

    *.ninoplas.com has one IP number , which is the same as for ninoplas.com. ninoplas.com point to the same IP. ninoplas.com is delegated to two nameservers, however two extra nameservers are listed in the zone. *.ninoplas.com is ranked #9276993 world wide as ninoplas.com and is hosted on a server in China. Reputation is not yet known.It is not listed in any blacklists.

  9. G.J.Souverein

    Whois information:

    Domain name: ninoplas.com

    Registrant Contact:
    NewCompany ltd
    Todd Echols moonbeam@konocti.net
    7079983776 fax: 0
    3272 spring valley rd
    clearlake oaks CA 95423
    us

    Administrative Contact:
    Todd Echols moonbeam@konocti.net
    7079983776 fax: 0
    3272 spring valley rd
    clearlake oaks CA 95423
    us

    Technical Contact:
    Todd Echols moonbeam@konocti.net
    7079983776 fax: 0
    3272 spring valley rd
    clearlake oaks CA 95423
    us

    Billing Contact:
    Todd Echols moonbeam@konocti.net
    7079983776 fax: 0
    3272 spring valley rd
    clearlake oaks CA 95423
    us

    DNS:
    ns1.everydns.net
    ns2.everydns.net

    Created: 2010-02-05
    Expires: 2011-02-05

    There is some more information about Todd Echols on
    http://www.malwaredomainlist.com/mdl.php?search=91.212.198.137&inactive=on

  10. KFritz

    When my new box w/ HP/Windoze7 arrived I serenely installed Microsoft Security Essentials–confident that it was as good or better than Avast. Now it turns out that Avast and AVG were both ahead of Redmond on this latest dreck. How is Security Essential’s peformance compared to other comparable programs?

    1. JCitizen

      Check the AV-comparatives test for the end of 2009. It wasn’t stellar, but I’d still used it if I had too.

      Fortunately with free AV still available, I’d stake my bet with Avast. I run a honeypot lab, and Avast has never let me down.

      AVG has been an unqualified disaster for my clients. No one should rely on one solution – only a blended defense is the best – choosing alternatives that approach heuristics from a different angle make the best blends. Read the user reviews at CNET, and you can’t go wrong.

  11. SEO Nepal

    i believe it puts a javascript file inside the theme that you are using. delete your default theme and uploading once again might help.

  12. Brian Fiori (AKA The Dean)

    At first I was surprised Antivir missed this detection. then I noticed Virustotal is using version 7 of this product. I am currently using version 10 and haven’t used version 7 for several years.

    Someone at Virustotal and/or Avira is dropping the ball on this one, it seems.

    1. AlphaCentauri

      “Someone at Virustotal and/or Avira is dropping the ball on this one, it seems.”

      hmmm, that seems too blatant to be an oversight.

      By participating in VirusTotal using an outdated product, Antivir gets the benefit of receiving samples of newly submitted malware without revealing to malware creators whether their current product can already detect it via heuristics.

      I don’t know if holding back their current product would have any effect in improving security, since we know from Brian’s previous columns that there are paid services catering to malware authors that will test their samples against various AV products without submitting them to the AV companies themselves for analysis. But it might have been Avira’s reasoning in doing it that way.

      Avira has done well enough in product comparison testing reports the past couple years that they may be willing to let the people who submit regularly to VirusTotal think they’re slipping.

  13. Brian Fiori (AKA The Dean)

    AlphaCentauri, you make some excellent observations and speculations. But if you are right about Avira, I might counter that IMO someone is dropping the ball at Virustotal. I mean, should Virustotal allow Avira to participate without REALLY participating at the level of the other AV companies? BTW, I’m not really sure of Virustotal’s mission/policies/etc, so it may be that many play this way.

    For the record, I am a long time user of Avira for myself and many of my clients. Antivir and Avast are two exceptional products, IMO. And you are right, their reputation is so good, and their performance in the comparative tests has been so exceptional, perhaps they don’t really care if they don’t look strong in Virustotal comparisons. But somehow, I kinda doubt that.

  14. Michelle

    Check the AV-comparatives test for the end of 2009. It wasn’t stellar, but I’d still used it if I had too.Fortunately with free AV still available, I’d stake my bet with Avast. I run a honeypot lab, and Avast has never let me down.AVG has been an unqualified disaster for my clients. No one should rely on one solution – only a blended defense is the best – choosing alternatives that approach heuristics from a different angle make the best blends. Read the user reviews at CNET, and you can’t go wrong.

  15. Mariah Barnes

    I always prefer to use Kasperky over Avast or McAfee. Kaspersky is much better in detecting new viruses and it does not consume too much resources on your dektop PC..`~

  16. Jack Smith

    WordPress is the best blogging platform ever. It is much better than Typepad and blogspot.**.

  17. hell me

    the above scrip didnt work for my site

    my site is still down!!

    theres is more to this hack!

    for blog owners who have no clue about the back codes and scripts… this is all too much to know that evil people would do something like this..

    my site is on wordpress with go daddy..

    and i had the updated version before the hack..

    i cant offer any advice except… to the persons who are responsible for this…. karma will get you!!

  18. ISN

    How did AVAST not detect that. That is quite strange. I am surprised that it also got in to GoDaddy’s system, what a hack!

  19. wordpress development

    Amazing List, WordPress is really great CMS … if you have wordpress you can think beyond boundaries (-:Hi please have a look at one of best blog site in the wordpress, see it has all the facility like
    * WordPress Installation & Upgradation
    * WordPress Migration
    * WordPress SEO

Comments are closed.