WordPress Hacked! Virus Cloaks Search Engines

by Frank Gruber on April 8, 2010

A nasty hack is hitting sites that run the popular open source blog platform WordPress right now, including sites on the latest, most up to date version (2.9.2). We know first hand, as it has attacked our site and many others. Popular hosting service Media Temple confirmed the attack in a recent blog post, saying, “Of those affected, 100% are running WordPress.” Our site is hosted at Network Solutions, so it is not just Media Temple. WordPress has not made a public statement yet.

The attack gets into WordPress by a route that is not yet known, adds a new file called jquery.js to your scripts directory and then references that file from the header or footer files of your site. It also inserts an iframe that loads a third-party site known for malware or other malicious activity. WordPress ships its own copy of jQuery under wp-includes/js/jquery/, so a jquery.js anywhere else, and any script tag that points at it, deserves a close look.

According to Ben Cook, Thesis theme creator Chris Pearson was also hit by the hack, as were several prominent sites and dozens if not hundreds of others. The hack was also covered on ThemeLab.com, including details in a video.

Thankfully, Christopher Penn shared how to clean up one version of the virus. We followed his steps and found that we were not hacked in quite the same way, but the wp_options table in the WordPress database seems to be a common thread: the injected code on our site was sitting in that same table. That matters for cleanup: removing the injected markup from your theme's header and footer files is not enough if the same markup is also being served from an option row, so check the database as well as the files.
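The scanner below is an added example and is not code from the original post or from WordPress. Given a document root (and, optionally, a SQL dump of wp_options dropped into it), it flags the symptoms described above: an iframe or script tag pointing at a host you do not trust, a jquery.js file or reference outside wp-includes/js/, and eval()-wrapped JavaScript. The trusted host list, the file layout and the sample site it builds are assumptions constructed for the demo, not data taken from any real infection.

```python
"""Indicator scanner for the injection described in the post (added example).

Assumptions, not taken from the page: legitimate scripts and frames come from
TRUSTED_HOSTS; core jQuery lives under wp-includes/js/; the sample tree written
by build_sample_site() is constructed data, not a real infection.
"""
import os
import re
import tempfile

# Hosts this site legitimately loads scripts and frames from (assumption; set for your site).
TRUSTED_HOSTS = {"example.com", "www.example.com"}

# Quoted attribute value, tolerating the backslash-escaped quotes found in SQL dumps.
_SRC = r"""\bsrc\s*=\s*\\?["']?(?P<src>[^"'\\\s>]+)"""
IFRAME_RE = re.compile(r"<iframe[^>]*" + _SRC, re.I)
SCRIPT_RE = re.compile(r"<script[^>]*" + _SRC, re.I)
# eval() wrapped around a decoder is the usual shape of injected, obfuscated JavaScript.
EVAL_RE = re.compile(r"eval\s*\(\s*(?:unescape|String\.fromCharCode|atob|base64_decode|gzinflate)\b", re.I)

SCAN_EXT = {".php", ".js", ".html", ".sql"}


def host_of(url):
    """Hostname of an absolute or protocol-relative URL; None for a relative path."""
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else None


def scan_text(text, origin="<text>"):
    """Return (origin, kind, evidence) tuples for the indicators described in the post."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        host = host_of(m.group("src"))
        if host and host not in TRUSTED_HOSTS:
            findings.append((origin, "external-iframe", m.group("src")))
    for m in SCRIPT_RE.finditer(text):
        src = m.group("src")
        host = host_of(src)
        if host and host not in TRUSTED_HOSTS:
            findings.append((origin, "external-script", src))
        elif src.endswith("jquery.js") and "wp-includes/js/" not in src:
            # Core jQuery ships under wp-includes/js/; a jquery.js elsewhere is the symptom above.
            findings.append((origin, "rogue-jquery-ref", src))
    m = EVAL_RE.search(text)
    if m:
        findings.append((origin, "obfuscated-eval", m.group(0)))
    return findings


def scan_tree(root):
    """Walk a WordPress document root (plus any wp_options dump placed in it)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == "jquery.js" and not rel.startswith("wp-includes/js/"):
                findings.append((rel, "rogue-jquery-file", rel))
            if os.path.splitext(name)[1].lower() in SCAN_EXT or name == ".htaccess":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), rel))
    return findings


def build_sample_site(root):
    """Write a constructed, minimal site tree showing the symptoms (sample data only)."""
    files = {
        "wp-includes/js/jquery/jquery.js": "/* stand-in for core jQuery (constructed) */\n",
        "wp-content/scripts/jquery.js": 'eval(unescape("%64%6f%63%75%6d%65%6e%74"));\n',
        "wp-content/themes/sample/header.php": (
            "<html><head>\n"
            '<script src="/wp-content/scripts/jquery.js"></script>\n'
            "</head><body>\n"
            '<iframe src="http://evil.example.net/in.php" width="1" height="1"></iframe>\n'
        ),
        "wp-content/themes/sample/footer.php": "</body></html>\n",
        # One wp_options row from a mysqldump-style file, quotes escaped as mysqldump does.
        "wp_options.sql": (
            "INSERT INTO `wp_options` VALUES (1234,'sample_option',"
            "'<iframe src=\\\"http://evil.example.net/in.php\\\"></iframe>','yes');\n"
        ),
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the constructed sample tree in a temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    build_sample_site(root)
    return scan_tree(root)


if __name__ == "__main__":
    for origin, kind, evidence in demo():
        print(f"{kind:18} {origin}: {evidence}")
```

Saved as, say, scan.py, running it prints the five findings for the constructed tree; point scan_tree() at your own document root to scan a real site. Treat each hit as something to read by hand rather than as proof of compromise: a theme that legitimately embeds a video iframe or loads jQuery from a CDN will trip the same patterns until you add those hosts to TRUSTED_HOSTS.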

If your site has also been hacked, please help the WordPress team figure out where the vulnerability might be by gathering the following information:

  • a list of what plugins you’re running
  • what version of WP you’re running
  • what theme you’re using
  • who your hosting provider is
  • and a list of any other applications installed on your account

Then contact WordPress at security@wordpress.org, and please also let us know in the comments section below. Hopefully WordPress will release a fix for this issue soon. Until then we'll try to keep the TECH cocktail site up, but we've been getting hit every day with a slightly different version of the same attack. Stay tuned.


Luis April 9, 2010 at 1:55 am

I love WordPress and their work, but with the new VaultPress about to be released, have they purposely left a back door open to sell their services? I really hope not.


nacho April 9, 2010 at 8:55 pm

As Matt posted, that's quite difficult.


Matt Lincoln Russell April 9, 2010 at 2:47 am

@Luis I don't think you understand how open source works.


Paul April 9, 2010 at 12:47 pm

It's also hitting Network Solutions WordPress users…


kristy April 9, 2010 at 3:12 pm

I've pretty much been reduced to tears.

I have an EXTREMELY limited tech background, but I have enlisted the help of my savvy friends, and no one can figure out where the malicious code is.

My site's been declared harmful since Wednesday. I don't know what to do.

I'm on WP, I'm using Network Solutions. I've reinstalled WP. None of the bad RSS code seems to be present.

I honestly don't know what's left to do.


Shashi.B April 9, 2010 at 7:12 pm

Hi kristy,
I work for Network Solutions. If you are still having issues, can you send an email to listen at networksolutions.com?

Thanks,

Shashi


kristy April 9, 2010 at 7:19 pm

Sending right now. Thank you!


Ben Cook April 9, 2010 at 6:26 pm

While I don't mind you quoting my post, it would be nice if you could link back to it and label the quote as such :)

That being said, it sounds like some sort of widespread exploit has been found among WordPress hosts and is being used for multiple hacks.

Full disclosure, I'm also a Network Solutions employee as well as a WordPress fanatic so I'm definitely hoping this gets solved as soon as possible.

Thanks!


Frank Gruber April 9, 2010 at 6:58 pm

Oops, must have lost the link in posting as we were trying to get it out before the site went down again. Sorry about that. It's in there now and thanks for reaching out! :)

Stephen Pate April 10, 2010 at 10:42 pm

It's been a challenging week. We got hacked Friday (cleaned footer), Sunday (cleaned header), Thursday with a total hack and the site down. Back up yesterday at supper time, worked all day Saturday checking the usual suspects. Down at 3 PM EDT with the same infection. Tried the same list, but Network Solutions admitted one hour ago that we should do nothing until they and WordPress fix the problems at their end first.

Very frustrating, but that's life.


Dani808 April 11, 2010 at 7:30 am

It isn't just Network Solutions. We are with GoDaddy and they hit all 45 sites on our server. It installed code into the .htaccess, so we removed it and got the sites back. We tracked the IP and could see when they came in, but when I tried to block the IP via .htaccess suddenly our sites went back to redirecting to the malicious site. Did a restore of one of the sites to a month ago, well before the attack, and again tried to edit .htaccess and it redirected the site! So the virus must be in the database somewhere and it replicates or something. I can't find where the other code is. I hope they fix this soon! Oh, and the non-WordPress sites are also affected even though there is no code in there we can see. So I wonder if it is browser driven, if that is possible??


Pankaj April 12, 2010 at 8:15 am

I am struggling with the WP hack issue and I also found an issue in your blog. When I view source, JavaScript code starting with eval()… is found on your website. Hope this helps you fix your blog.

Thanks


Angela April 12, 2010 at 4:44 pm

Our .htaccess file was hacked in the wp-super-cache section. The wp-config.php file was hacked to change the db password.


Pat April 12, 2010 at 5:29 pm

I'm running a WordPress blog using the Thesis theme and have not been infected at all, although a client's site was hacked. She sent it to me… I could see the problem and warning screen, but was not infected.

But I am on a Mac System not a PC system. Do you think that makes a difference?


Frank Gruber April 12, 2010 at 5:36 pm

That is exactly what happened to us. Since we are on a Mac we do not get the prompt to update our browser or whatever it says, but it is still running on your site. Do a view source and see if you can find some random JavaScript, script or iframe in the header or footer of your site. If so, you need to remove it, and I would make sure those associated files are locked down from a permissions perspective as well.


Pankaj Pandey April 13, 2010 at 12:51 pm

This post is still infected.


Frank Gruber April 13, 2010 at 12:56 pm

Really? Please explain what you mean. Thanks!


Ernesto April 13, 2010 at 8:27 pm

Frank,

You may have that WordPress logo with NetSol's logo instead…
http://wordpress.org/development/2010/04/file-per...

WordPress is pissed that NetSol is blaming them. They're accusing NetSol of not setting up permissions correctly to protect their databases. To be honest (erhm, frank) I never heard of a hack attacking the DB in this manner… unless it's been set up insecurely from the get-go.

There's a story here. Sorry to hear everyone having so much trouble with this. MySQL is tricky, check that your host knows what they're doing is my only advice.

Ernesto

There's a good story to sort out here for sure.

ninjageek April 13, 2010 at 6:03 pm

You should really consider making a clean install of WordPress, because cleaning every file will be a pain in the ass.


David April 17, 2010 at 12:10 pm

One thing that you didn't mention and most people are forgetting is to change the secret keys. If the attackers were able to login at that time, they might still have access via the old cookies. So change the keys asap. This link explains:
http://sucuri.net/?page=docs&title=changing-w...


Susie April 21, 2010 at 1:40 am

David, I assume that if I did a fresh install, I don't need to change the secret keys, correct?

What I want to know is if wp-config should be 644 or 640, why does the default WordPress install through Fantastico have it as 755? No wonder I got hacked!

