A large number of bloggers using WordPress are reporting that their sites recently were hacked and are redirecting visitors to a page that tries to install malicious software.
According to multiple postings on the WordPress user forum and other blogs, the attack doesn’t modify or create files, but rather appears to inject a Web address — “networkads.net/grep” — directly into the target site’s database, so that any attempt to access the hacked site redirects the visitor to networkads.net. Worse yet, because of the way the attack is carried out, victim site owners are at least temporarily locked out of accessing their blogs from the WordPress interface.
It’s not clear yet whether the point of compromise is a WordPress vulnerability (users of the latest, patched version appear to be most affected), a malicious WordPress plugin, or if a common service provider may be the culprit. However, nearly every site owner affected so far reports that Network Solutions is their current Web hosting provider.
Network Solutions spokeswoman Susan Wade said the company is investigating the attacks, and that the company believes the problem may be related to a rogue WordPress plugin. Wade added that the attacks weren’t limited to just Network Solutions customers (although the company hasn’t supplied the author with any evidence to support that claim yet).
A scan of the script that was seen pushed from the networkads.net site indicates that visitors to a hacked site will be redirected to a site that tries to install a malicious ActiveX browser plugin (ActiveX is a plugin technology that affects only Internet Explorer Web browsers, but the individuals behind this attack could conceivably swap in different malware at any time). A scan of the file delivered by that redirect shows rather poor detection by most anti-virus products: Virustotal.com found that only 7 out of 39 anti-virus products detected it as malicious.
The following how-to-repair instructions appear to have worked for a number of Network Solutions customers hit by this attack.
- Log in to your site at networksolutions.com.
- Using Network Solutions’ MySQL admin console, browse to the wp_options table and change the value for “siteurl” to your blog’s URL, for example “http://example.com/wordpress”.
- Edit wp-config.php to override the value of SITEURL (this way, even if the database value is altered again, it is overridden by the config value).
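The two repair steps above, written out as an added example (not code from the article, from WordPress or from Network Solutions). It assumes the default “wp_” table prefix and a constructed blog URL, and works on a constructed wp-config.php in a temp directory. The constant WordPress reads for the override is WP_SITEURL; the example also resets and pins “home”, the second URL row WordPress consults, which goes a step beyond the list above.

```shell
#!/bin/sh
# Added example, not from the article or from WordPress/Network Solutions.
# Assumptions: default "wp_" table prefix, the constructed blog URL
# http://example.com/wordpress, and a wp-config.php that still carries the
# stock "stop editing" marker line above the wp-settings.php load.

# Step 1: the SQL the MySQL admin console step performs. Printed, not run,
# so it can be pasted into the hosting console. "home" is reset as well:
# WordPress reads both rows, and whoever rewrote one can rewrite the other.
repair_sql() {
  printf "UPDATE wp_options SET option_value='%s' WHERE option_name IN ('siteurl','home');\n" "$1"
}

# Step 2: pin the URL in wp-config.php. WP_SITEURL/WP_HOME defined there
# take precedence over wp_options, so a tampered row no longer redirects.
# The defines must land before wp-settings.php is loaded, hence the marker.
pin_siteurl() {
  cfg="$1"; url="$2"
  awk -v url="$url" '
    /stop editing/ && !done {
      printf "define(\"WP_SITEURL\", \"%s\");\n", url
      printf "define(\"WP_HOME\", \"%s\");\n", url
      done = 1
    }
    { print }
    END { if (!done) exit 1 }   # no marker: refuse rather than append too late
  ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Check: is the URL pinned, and does the define precede the wp-settings load?
config_pins_url() {
  cfg="$1"; url="$2"
  pin=$(grep -n "define(\"WP_SITEURL\", \"$url\");" "$cfg" | cut -d: -f1)
  load=$(grep -n 'wp-settings.php' "$cfg" | cut -d: -f1)
  [ -n "$pin" ] && [ -n "$load" ] && [ "$pin" -lt "$load" ]
}

# Demo on a constructed wp-config.php (credentials are made up).
demo=$(mktemp -d)
cat > "$demo/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('DB_PASSWORD', 'constructed-secret');
/* That's all, stop editing! Happy blogging. */
require_once(ABSPATH . 'wp-settings.php');
EOF

repair_sql "http://example.com/wordpress"
pin_siteurl "$demo/wp-config.php" "http://example.com/wordpress"
config_pins_url "$demo/wp-config.php" "http://example.com/wordpress" && echo "siteurl pinned in $demo/wp-config.php"
```

The refusal in `pin_siteurl` matters: a define appended after the `require_once` of wp-settings.php is evaluated too late and silently changes nothing, which would leave the site looking repaired while the database row still wins.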
Still, that fix may only be temporary, said David Dede, a security expert from Brazil who maintains the blog Sucuri Security. Dede said he has helped close to a dozen blogs recover from the incident, and all were hosted at Network Solutions.
Dede said that on each site he completely wiped the database and installed a fresh copy of WordPress, only to find that a few hours later, the site’s Web address was changed back to “networkads.net/grep.” During that time, however, the access logs for the site showed no remote logins to the affected sites, he said.
“So, it doesn’t look like a plugin issue,” Dede said.
Stay tuned for further updates.
Update, Apr. 12, 10:49 a.m. ET: It seems there are multiple culprits here. According to an update to Dede’s blog, a number of security weaknesses contributed to this attack, including the fact that WordPress stores the database credentials in plain text in the wp-config file, which a lot of WordPress users leave readable by anyone. Dede also said a malicious user at Network Solutions created a script to find those configuration files that were incorrectly configured.
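The weakness described in the update is a file-permission one, and it can be audited from a shell account on the host. The following is an added example (not from the article or from the hosting provider) that flags every wp-config.php readable by any local user and shows the fix; the site directories and credential values are constructed in a temp directory.

```shell
#!/bin/sh
# Added example, not from the article. Finds wp-config.php files whose
# "others" read bit is set: on a shared host, any other customer's account
# can then read the plain-text database credentials. Paths are constructed.

# True when the 8th character of the ls mode string (others/read) is "r".
world_readable() {
  [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Print every wp-config.php under $1 that is world-readable.
audit_wp_configs() {
  find "$1" -name wp-config.php -perm -o=r
}

# Number of offending files; 0 means the tree is clean.
world_readable_count() {
  audit_wp_configs "$1" | wc -l | tr -d ' '
}

# Remediation: owner-only access. Where the web server runs under a
# different group than the account owner, use 640 with that group instead.
harden() {
  chmod 600 "$1"
}

# Demo: two constructed sites, one with the common weak default (644).
demo=$(mktemp -d)
mkdir -p "$demo/site_a" "$demo/site_b"
printf '<?php define("DB_PASSWORD", "constructed-secret");\n' > "$demo/site_a/wp-config.php"
cp "$demo/site_a/wp-config.php" "$demo/site_b/wp-config.php"
chmod 644 "$demo/site_a/wp-config.php"
chmod 600 "$demo/site_b/wp-config.php"

for f in $(audit_wp_configs "$demo"); do
  echo "WORLD-READABLE: $f (fix: chmod 600 $f)"
done
```

The find test `-perm -o=r` is POSIX and matches any file with the others-read bit set regardless of the remaining bits, so it catches 644, 664 and 777 alike; the `ls`-based check is kept for a single file because it shows exactly which bit is at fault.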
Network Solutions has updated its blog with some additional pointers and tips, but as for the “malicious user at Network Solutions,” company spokesman Shashi Belamkonda would say only that “the root cause for this issue has been addressed.”