WordPress blogs hacked, redirecting to malware

Summary:The attacks occurred mostly on WordPress blogs hosted by Network Solutions but it appears that there are multiple security weaknesses in play.

Malicious hackers have found a way to hijack WordPress database credentials and use that information to redirect thousands of blogs to Web sites laden with malware.

The attacks, which started last Friday, occurred mostly on WordPress blogs hosted by Network Solutions but it appears that there are multiple security weaknesses in play.

David Dede, a researcher at Sucuri Security Labs, figured out that fully-patched WordPress blogs actually stores the database credentials in plain text, making it an easy target to hack.

follow Ryan Naraine on twitter

Here's the explanation:

  1. Wordpress stores the database credentials in plain-text at the wp-config.php file.
  2. This configuration file should only be read by Apache, but some users (well, lots of users) left it in a way that anyone could read it (755 instead of 750 in Linux slang).
  3. A malicious user at Network Solutions creates a script to find those configuration files that were incorrectly configured.
  4. This same malicious user finds hundreds of configuration files with the incorrect permissions and retrieves the database credentials.
  5. Yes, he again (the bad guy) launches an attack and modify the database for all these blogs. Now the siteurl for all of them just became [malicious website]. Easy hack.

Network Solutions have since implemented a fix on their end but added a caveat:

As part of the resolution, we have had to change database passwords for WordPress.  Normally, this does not impact functioning of the blog, but in some cases if you have custom code with manually-embedded database passwords (in files other than wp-config), this will require changes.

As a precaution, we’re also recommending that all customers using WordPress should log into their account to change their administrative passwords.  Also review all the administrative access accounts and delete those that you do not recognize.

* Image via Peregrino Will Reign's Flickr photostream (Creative Commons 2.0).

Topics: Security, Enterprise Software


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.