Security Issues

Security best practices and resources for your virtual assistant business and your clients.

#1 (permalink)
05-11-2010
Business-Bytes
Resident Member
Company name: SunRise Virtual Solutions
Join Date: Jun 2009
Location: Iowa
Posts: 1,043
Blog Entries: 1
Large-scale attack on WordPress sites
I received the following email and wanted to pass it along:

"10 May 2010, 13:30
Large-scale attack on WordPress http://www.h-online.com/open/news/it...ss-996628.html

According to various reports, in the past few days a number of websites created using WordPress have been hacked. While the attack initially appeared to be limited to web sites hosted by American ISP DreamHost (http://www.dreamhost.com), it has since become apparent that blogs hosted at GoDaddy, Bluehost and Media Temple have also been affected. Unconfirmed reports by WPSecurityLock (http://www.wpsecuritylock.com/breaki...a-on-dreamhost) suggest that other PHP-based management systems, such as the Zen Cart eCommerce solution, have also been targeted.

The hacked web pages appear to have been infected with scripts, which not only install malware on users' systems, but also prevent browsers like Firefox and Google Chrome, which use Google's Safe Browsing API, from issuing an alert when users try to access the page. When Google's search bot encounters such a specially crafted page, the page responds by simply returning harmless code. This camouflage strategy takes advantage of the browser switch normally used by developers to return browser-specific code to suit functional variations in different browsers, such as Internet Explorer and Firefox.

Experts are currently still puzzled over which hole was actually exploited for the large-scale attack. The only thing that seems certain at this point is that the problem didn't originate in WordPress, because if this was the case considerably more pages would have been infected. However, opinions differ as to whether the security hole only affects older WordPress versions: While Chief Information Security Officer Todd Redfoot explicitly advises that customers update to the most recent WordPress version (http://www.wpsecuritylock.com/exploi...daddy-responds, http://www.wpsecuritylock.com/exploi...addy-responds/), David Dede's "Sucuri Security" blog (http://blog.sucuri.net/2010/05/new-a...wordpress.html) unequivocally states that pages created with the latest version of WordPress have also been infected.

Dede says that he has posted a simple and effective method for decontaminating affected web sites on his blog."


I'm not sure if this is legit or not - Tess, Hamid, anyone?
__________________
Jules, SunRise Virtual Solutions - WordPress Customization & XHTML/CSS Web Sites
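
The article quoted in the post above says infected pages return harmless code to Google's search bot while serving scripts to ordinary browsers. As an added example (not part of the thread or the quoted article), this Python check compares the HTML served to different clients for the same URL and reports script or iframe content the crawler was never shown; the function names, client labels and sample responses are constructed for illustration.

```python
from html.parser import HTMLParser

class _ActiveContent(HTMLParser):
    """Collect external script/iframe sources and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.items = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            self.items.add((tag, src.strip()))
        # Only a <script> without src carries inline code in its body.
        self._in_script = tag == "script" and not src

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.items.add(("inline-script", " ".join(data.split())))

def active_content(html):
    parser = _ActiveContent()
    parser.feed(html)
    parser.close()
    return parser.items

def cloaking_findings(bodies, crawler="googlebot"):
    """Map each client label to active content the crawler's copy lacks."""
    baseline = active_content(bodies[crawler])
    findings = {}
    for label, html in bodies.items():
        extra = active_content(html) - baseline
        if label != crawler and extra:
            findings[label] = sorted(extra)
    return findings

# Constructed sample: one URL's body as served to three User-Agents
# (hypothetical labels; injected.example is a placeholder host).
CLEAN = "<html><body><h1>Blog</h1><script src='/wp-includes/js/jquery.js'></script></body></html>"
SAMPLE = {
    "googlebot": CLEAN,
    "firefox": CLEAN.replace("</body>", "<script src='http://injected.example/js.php'></script></body>"),
    "msie": CLEAN.replace("</body>", "<iframe src='http://injected.example/in.php' width=1></iframe></body>"),
}

if __name__ == "__main__":
    print(cloaking_findings(SAMPLE))
```

Pages that legitimately vary their markup by browser will also produce differences, so each finding needs a manual look before it is treated as an infection.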

#2 (permalink)
05-12-2010
JKVirtualOffice
Resident Member
Company name: JK Virtual Office Resources
Join Date: Mar 2008
Location: Oregon
Posts: 1,309
Blog Entries: 5
Re: Large-scale attack on WordPress sites
Hi Jules,
I also saw this mentioned somewhere in a comment on Facebook so it seems like there might be some legitimacy to it. Haven't seen anything about it anywhere else though.
__________________
Kimberly
Facebook Marketing Magic!

#3 (permalink)
05-12-2010
RhondaHolscher
Active Member
Company name: Rhonda's Virtual Office
Join Date: Feb 2010
Location: Cincinnati, OH, USA
Posts: 517
Blog Entries: 12
Re: Large-scale attack on WordPress sites
Thank you for posting this. I use Norton internet security and search engine. Do you know if that involves Norton from performing properly as well?
__________________
Rhonda Holscher, Owner
Rhonda's Virtual Office - Hire a Virtual Assistant

#4 (permalink)
05-12-2010
Business-Bytes
Resident Member
Company name: SunRise Virtual Solutions
Join Date: Jun 2009
Location: Iowa
Posts: 1,043
Blog Entries: 1
Re: Large-scale attack on WordPress sites
Not hearing much about this beyond what I posted and what Kimberly said, to step up my security, I am implementing some additional plugins on my site. Hopefully others will find these useful...

WP-Security-Scan, Exploit-Scanner, and WordPress-File-Monitor.

I already had Exploit-Scanner, but the other two are new that I'm adding.

Also, making regular backups is so important. A backup plugin that I like is WP-DB-Backup (you can also send a copy of the backup to your computer). I also FTP a copy of my whole site (all folders and sub-folders) to my desktop in a folder on a regular basis.

I realize that these can't prevent hacking totally, but it gives me a bit more peace of mind...I think.

Hey Rhonda, I don't know about Norton...sorry. If I hear anything I will sure post it.
__________________
Jules, SunRise Virtual Solutions - WordPress Customization & XHTML/CSS Web Sites

Last edited by Business-Bytes; 05-12-2010 at 08:27 PM. Reason: More info :)

#5 (permalink)
05-13-2010
BusiMum
Contributing Member
Company name: Samurai Office Services
Join Date: Mar 2010
Posts: 236
Re: Large-scale attack on WordPress sites
How many plug-ins can a WP site have until it affects performance?

Fiona

#6 (permalink)
05-13-2010
Business-Bytes
Resident Member
Company name: SunRise Virtual Solutions
Join Date: Jun 2009
Location: Iowa
Posts: 1,043
Blog Entries: 1
Re: Large-scale attack on WordPress sites
I could spit fire!! (Truly an understatement!!!)

Guess what? For all my pontificating about security measures I have taken, all EIGHT of my sites on Bluehost have been hacked. I can't FTP to access the files, nor login to cpanel at Bluehost. Only one is a WordPress site, two are Joomla, and the others are all XHTML/CSS sites. AND - this shows me that it's not just WP sites. ARG.

I do have local backups on my computer, but this is not going to do me much good if I can't even access my root site via FTP or cpanel.

Another article I found regarding sites being hacked from a newspaper here in my state: Des Moines, IA, The Examiner

Guess now I know that this is a real threat. <sigh> I'll be contacting BH later this morning. This truly sucks.
__________________
Jules, SunRise Virtual Solutions - WordPress Customization & XHTML/CSS Web Sites

Last edited by Business-Bytes; 05-13-2010 at 02:52 AM. Reason: Added info - what else? LOL

#7 (permalink)
05-13-2010
ChristinaVOS
Active Member
Company name: VOSTeam/Business Darlings/PainlessWP
Join Date: Nov 2007
Location: Upstate NY
Posts: 886
Re: Large-scale attack on WordPress sites
Oh Jules! So Sorry

I had done some research after seeing your original post and found that Bluehost was one of the few hosts that were having problems across the board. Others seem to be kind of random. Going to find the article again and get the list of hosts- I'll be back when I do.

~C
__________________
~Christina|BD Mag|VOSTeam

#8 (permalink)
05-13-2010
ChristinaVOS
Active Member
Company name: VOSTeam/Business Darlings/PainlessWP
Join Date: Nov 2007
Location: Upstate NY
Posts: 886
Re: Large-scale attack on WordPress sites
Here's the list (most are noted in the article above already):
GoDaddy
BlueHost
DreamHost
Media Temple
Network Solutions


It also appears that ANY site based on PHP is vulnerable. The hosts above have just seen the bulk of the attacks.
PHP would include:
WordPress
Joomla
Moodle
and many others.

Just be sure to check all of your sites (if you're anything like me, this could take a while).

~C
__________________
~Christina|BD Mag|VOSTeam

#9 (permalink)
05-13-2010
Business-Bytes
Resident Member
Company name: SunRise Virtual Solutions
Join Date: Jun 2009
Location: Iowa
Posts: 1,043
Blog Entries: 1
Re: Large-scale attack on WordPress sites
Well it turns out I wasn't hacked - thank God!

Here's the reply from Bluehost:

I'm sorry, our admins applied a new kernel and have been working on optimizing it for the last while. Your server should be fixed shortly, generally within 1-2 hours.

Thank you,
Dan
Technical Support Engineer
BlueHost.com
_________________________

Sure wish they would have sent out a notification about this so I wouldn't have gotten into such a tizzy. Gotta say, it was longer than 2 hours though. I didn't go to bed until 6am this morning and it was still down.

I'm breathing a sigh of relief... All is in my world again.
__________________
Jules, SunRise Virtual Solutions - WordPress Customization & XHTML/CSS Web Sites

#10 (permalink)
05-13-2010
JKVirtualOffice
Resident Member
Company name: JK Virtual Office Resources
Join Date: Mar 2008
Location: Oregon
Posts: 1,309
Blog Entries: 5
Re: Large-scale attack on WordPress sites
Well, I for one, am just glad you're not spitting fire anymore. That's what really scared me!
__________________
Kimberly
Facebook Marketing Magic!
© Virtual Assistant Forums 2012