CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
March 23rd, 2008

WordPress Doorway Spam Attacks

WordPress blogs are being mass scanned and attacked, and in vulnerable ones a new directory is created in the wp-content folder. The directory is usually called /1/ and it is full of HTML files containing JavaScript redirects (doorways). There was also an infected blog with phishing pages for Google logins. Google's cache already shows thousands of results with such hacked WordPress blogs. They can be found most easily by running a search for inurl:wp-content/1/ (do not visit those results; your PC might get infected). Google has already tagged some of these spam pages as harmful.

The blogs are most likely attacked by some kind of automated tool, since the amount of spam is far too large to have been created manually across all those pages. It seems there are spam comments in posts as well. The spam comments point to the infected blog's own pages in folder “1” to get them spidered and to get people to visit them.
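A site owner who wants to check their own install for the directory described above can do so with a small filesystem scan. The following is an added example, not code from CyberInsecure or from WordPress: it walks wp-content, ignores the directories WordPress itself creates (the baseline set is an assumption for a 2.3-era install), and flags any other directory that holds HTML files containing a client-side redirect. The sample wp-content tree it builds is constructed for the example.

```python
import os
import re
import tempfile

# Redirect techniques a doorway page typically uses: a JavaScript location
# change or an HTML meta refresh. These patterns are an assumption for the
# example; extend them to match what you actually find in the files.
REDIRECT_PATTERNS = [
    re.compile(r"(?:window|document|top|self)\.location(?:\.href)?\s*=", re.I),
    re.compile(r"location\.replace\s*\(", re.I),
    re.compile(r'<meta[^>]+http-equiv=["\']?refresh', re.I),
]

# Top-level directories WordPress itself keeps under wp-content (assumed
# baseline). Anything else that holds redirecting HTML deserves a look.
EXPECTED_DIRS = {"plugins", "themes", "uploads", "upgrade", "cache"}


def looks_like_doorway(path):
    """Return True if an HTML file contains a client-side redirect."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            data = fh.read(65536)  # doorway pages are tiny; cap the read anyway
    except OSError:
        return False
    return any(p.search(data) for p in REDIRECT_PATTERNS)


def scan_wp_content(wp_content):
    """Return {directory: [doorway files]} for every unexpected top-level
    directory under wp-content that contains redirecting HTML files."""
    findings = {}
    for entry in sorted(os.listdir(wp_content)):
        top = os.path.join(wp_content, entry)
        if not os.path.isdir(top) or entry in EXPECTED_DIRS:
            continue
        hits = []
        for root, _dirs, files in os.walk(top):
            for name in files:
                if name.lower().endswith((".html", ".htm")):
                    full = os.path.join(root, name)
                    if looks_like_doorway(full):
                        hits.append(os.path.relpath(full, wp_content))
        if hits:
            findings[entry] = sorted(hits)
    return findings


def build_sample_install():
    """Create a throwaway wp-content tree mimicking the compromise: a /1/
    directory stuffed with redirecting HTML pages next to a legitimate theme.
    Constructed sample data, not real attacker content."""
    base = tempfile.mkdtemp(prefix="wp-content-")
    os.makedirs(os.path.join(base, "themes", "default"))
    os.makedirs(os.path.join(base, "1"))
    with open(os.path.join(base, "themes", "default", "index.html"), "w") as fh:
        fh.write("<html><body>legitimate theme placeholder</body></html>")
    with open(os.path.join(base, "1", "cheap-pills.html"), "w") as fh:
        fh.write('<html><script>window.location.href="http://example.invalid/";</script></html>')
    with open(os.path.join(base, "1", "index.html"), "w") as fh:
        fh.write('<html><meta http-equiv="refresh" content="0;url=http://example.invalid/"></html>')
    with open(os.path.join(base, "1", "readme.txt"), "w") as fh:
        fh.write("not html, ignored by the scan")
    return base


if __name__ == "__main__":
    sample = build_sample_install()
    for directory, files in scan_wp_content(sample).items():
        print("suspicious wp-content/%s/ (%d doorway files):" % (directory, len(files)))
        for f in files:
            print("  ", f)
```

Run it against a real install by calling scan_wp_content("/path/to/wp-content") instead of the constructed tree; a clean site returns an empty dict.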

This issue was reported to WordPress.org, and there is an unofficial fix for it. The fix is based around renaming the cookies that WordPress uses by default. If the exploit hijacks cookies by mass scanning blogs and looks for a specific cookie name, that would stop what is out there now, but it would not fix the underlying issue.

Recommendations: Upgrade to 2.3.3 and immediately change all administrator passwords. Currently older WordPress versions, especially WordPress 2.1.3, are being attacked using an “admin-ajax.php” SQL injection exploit to retrieve the administrator account’s password.
Change the default cookie names in your blog.
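Besides upgrading and changing passwords, the web server's access log shows whether a blog was probed or is already serving the spam pages. The following is an added example, not code from CyberInsecure or from WordPress: it parses Apache combined-format lines and flags two things, requests for anything under /wp-content/1/ (the doorway directory being served to visitors) and requests to admin-ajax.php whose query string carries common SQL-injection tell-tales. The log lines are constructed for the example, and the set of tell-tale patterns is an assumption; the page gives no details of the actual exploit payload.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines for this example, not real traffic.
# Line 3 probes admin-ajax.php with a textbook quote/OR payload; line 4 is a
# visitor arriving at the spam directory from a search engine.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Mar/2008:02:14:07 +0000] "GET /wp-admin/admin-ajax.php?cookie=1&action=x HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.5 - - [18/Mar/2008:02:14:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "Mozilla/4.0"
203.0.113.9 - - [18/Mar/2008:02:20:41 +0000] "GET /wp-admin/admin-ajax.php?action=test%27%20OR%201%3D1-- HTTP/1.1" 200 180 "-" "libwww-perl/5.805"
198.51.100.3 - - [19/Mar/2008:11:02:03 +0000] "GET /wp-content/1/index.html HTTP/1.1" 200 2048 "http://www.google.com/search?q=..." "Mozilla/5.0"
192.0.2.17 - - [19/Mar/2008:11:05:55 +0000] "GET /?p=12 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Generic SQL-injection tell-tales in a decoded query string (assumed set):
# a stray quote, UNION/SELECT keywords, an OR-tautology, or comment markers.
SQLI_HINTS = re.compile(r"'|\bunion\b|\bselect\b|\bor\b\s+\S+\s*=|--|/\*", re.I)


def classify(line):
    """Return (label, client_ip, decoded_path) for a suspicious request,
    or None for lines that are unparseable or look benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode %XX escapes so encoded quotes and spaces are visible to the patterns.
    path = unquote_plus(m.group("path"))
    if "/wp-content/1/" in path:
        return ("doorway_hit", m.group("ip"), path)
    if "admin-ajax.php" in path:
        query = path.partition("?")[2]
        if SQLI_HINTS.search(query):
            return ("admin_ajax_sqli", m.group("ip"), path)
    return None


def scan_log(text):
    """Run classify() over every line and return the suspicious ones in order."""
    return [r for r in (classify(line) for line in text.splitlines()) if r]


if __name__ == "__main__":
    for label, ip, path in scan_log(SAMPLE_LOG):
        print("%-16s %-15s %s" % (label, ip, path))
```

Feed a real log with scan_log(open("/var/log/apache2/access.log").read()); any doorway_hit means the spam directory is live and the clean-up described above is overdue, while admin_ajax_sqli hits from a single source before the directory appeared point at the probing that preceded the compromise.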

If you know more details or any other solutions, please contact us and share.



    5 Responses to “WordPress Doorway Spam Attacks”

    1. I had this happen to a fresh install of WordPress 2.3.3, so I don’t know that upgrading will definitely fix the issue. This attack started widespread back on the 15th or 16th, I do believe:

      New WordPress 2.3.3 Exploit/Vulnerability – Adds Spam Directory /wp-content/1/

      The 2 blogs that I had hit were hit on the 18th.

      Curious, where did you discover this first?


    2. CyberInsecure Says:
      March 26th, 2008 at 8:01 pm

      Michael VanDeMar:
      There can be a few explanations. You used the same password, or your email got compromised and someone recovered a new password. Your web hosting might be compromised, and so on.
      I never heard of any cases on WP 2.3.3 except yours.

      I first saw this on a Russian-language forum, in a topic related to Xrumer spam software.


    3. There have been a few. Neither email nor server were compromised, either. It’s a bot attack, not targeting my blogs specifically. Different passwords on each blog as well.


    4. CyberInsecure Says:
      March 26th, 2008 at 8:11 pm

      First hit might have been (and probably was) by a bot, second might be a “custom” job.
      I've got some deeply Google-indexed WP blogs, versions 2.2.2 and newer. No hits so far… I always change all defaults during install though.


    5. CyberInsecure Says:
      March 28th, 2008 at 8:00 am

      Here is a good analysis and explanation of what's going on:

      http://websecurity.ro/blog/2008/03/28/wordpress-233-probably-a-0day-exploit/

      It seems a 0-day SQL injection is involved and WordPress blogs that DO NOT use mod_rewrite are vulnerable.

