New attack today against WordPress

Update 2: Simple clean up solution: http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html

Update 1: Note that we are not blaming WordPress here. I am assuming that if the problem was on WordPress itself, the number of infected sites would be much much bigger. Maybe a plugin is vulnerable or someone stole lots of passwords. Also, all the hacked sites were on shared hosts, no one so far on a private server.

We are seeing multiple reports today of WordPress sites (running their latest version) getting compromised. The initial reports today were restricted only to Dreamhost, but now we are seeing the same pattern on blogs hosted at GoDaddy, Bluehost, Media temple and other places.

So, it doesn’t look like something specific to a hosting company. The only thing in similar is that all of them are on shared servers.

All those sites had this javascript added to their pages:

http://www.indesignstudioinfo.com/ls.php
http://zettapetta.com/js.php

Which came from a long base64 encoded string added to their footer.php file (or on all the PHP files in some cases).

You can get more information about the encoded string here (and the final decoded code):
http://sucuri.net/malware/entry/MW:MROBH:1

One thing very interesting that is becoming a trend is that the malware is also hiding from Google. This causes the site to do not get blacklisted, making it harder for the owner to notice.

People are talking on the forums already:
http://wordpress.org/support/topic/396524
http://www.webhostingtalk.com/showthread.p..
http://collabtive.o-dyn.de/forum/view..

How are they getting hacked? We have no clue yet… We can only restrict to a few issues:

1. Stolen FTP/WP password

2. Bug on WordPress

3. Bug on some WordPress plugin

4. Brute force attack against the passwords

Send us more information if you know something.

The guys from WP security lock did a good thread on the issue. You can read here

http://blog.sucuri.net/2010/05/new-attack-today-against-wordpress.html