Tuesday, April 27, 2010

Wordpress sites hacked, again!

A big web hosting company was the target of a massive attack of hosted Wordpress sites. This is hardly a surprise. Wordpress, and other Content manager Systems (CMS) like Drupal, Joomla!, etc. are regularly targeted because of the high number of security flaws either in their core functionality, or in the numerous 3rd-party plugins that they work with.

To verify if this feeling of deja-vu is right, I took a loot at our statistics to identify the volume of we've seen over the last week that were infected with malicious IFRAMES or Javascript:

Measurement Pecentage of Wordpress sites
Hits 68%
Hosts 87%
Percentage of infected sites running Wordpress

68% of the pages infected with malicious IFRAMES or javascript were running on Wordpress. If we look at the number of unique hosts, 87% of infected sites are running Wordpress!

The current version of Wordpress available for download is 2.9.2. The Wordpress version can be identified by this HTML code:
<meta name="generator" content="WordPress X.X.X" />

Here is the distribution of infected Wordpress websites by version:

Infected Wordpress sites by versions

14% of the infected are running the latest versions. Note that they may have been infected through a plugin that may not be up to date.

Most of the infections related to injected IFRAMES that link to an external malicious sites. Some attacks are also used to inject spam, as can be seen in this code sample:

Invisible spam links to Viagra and other popular drugs

-- Julien

1 comment:

Anonymous said...

This is not the method used for the Network Solutions hack. This hack involved a script inserted some place in the templates or database so that no matter how you fix the 'pages' the script is back upon next reload -- only PHP pages, not html indexes.

We have not been able to identify the script for removal, and Network Solutions is not sharing that info, not even with site owners. I've inquired three times and get the same canned response each time.