Daily cyber threats and internet security news: network security, online safety and latest security alerts
April 10th, 2010

Unknown Attack Compromised Hundreds Of WordPress Websites

Hundreds of WordPress-powered blog owners have recently found their websites inaccessible after a critical value was altered in the database. The attack seems to affect even the latest version of the popular blog platform and, so far, the entry point has not been determined.

Sucuri Security Labs, a provider of Web-based integrity monitoring, reports that a worrying number of blogs were compromised in the last week, in an attempt to silently redirect visitors to a malicious URL loading exploits. According to the company, most of the affected sites are hosted at Network Solutions.

The common symptom of the hack is an altered “siteurl” value in the “wp_options” database table. This variable should normally contain the main URL of the website; however, on affected installations, it is modified to a rogue <iframe> element pointing to a [don’t open].

This is how it looks in the database:

(2, 0, 'siteurl', '<iframe style="display:none" height="0" width="1" src=""></iframe>', 'yes'),

Since “siteurl” is not supposed to hold HTML code, this modification breaks the entire blog layout and prevents users and admins alike from reaching the website. The unusual technique suggests that the attackers are amateurs and not particularly familiar with the intricacies of the WordPress platform.

Another interesting aspect is that no one has successfully pinpointed the entry point used by the attackers, which could be an unidentified security hole in either WordPress or a common plug-in. “The only way for the database to be modified like that is via SQL injection or a bigger problem inside Network Solutions databases,” David Dede, a security researcher with Sucuri, said. However, no suspicious activity is registered in the access logs.

Shashi Bellamkonda, head of social media strategy at Network Solutions, challenged the idea that only blogs hosted with Network Solutions were affected. “It’s not accurate to say that this affects only Network Solutions customers. It seems like there have been a spate of these attacks over the past few weeks,” he wrote in response to Sucuri’s report.

Fixing the rogue “siteurl” entry in the database might not be enough to mitigate this problem, as a lot of webmasters reported their blogs getting reinfected. It is also recommended to manually override the “siteurl” value via wp-config.php.

To fix this issue, revert your siteurl to its previous value: log in to your control panel, go to manage database, and edit the siteurl value in the wp_options table.
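To check a database export for the symptom described above before and after the fix, the following added example (not code from the article or from Sucuri) scans a SQL dump of wp_options for URL options that hold something other than a bare URL. It assumes the five-column row layout shown above; also checking "home", the function names and the example.com address are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Options that must hold a bare URL. "home" is an assumption added here;
# the article itself only names "siteurl".
URL_OPTIONS = {"siteurl", "home"}

# One wp_options tuple in the layout shown in the article:
# (option_id, blog_id, 'option_name', 'option_value', 'autoload')
ROW_RE = re.compile(
    r"\(\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\s*,"
    r"\s*'((?:[^'\\]|\\.)*)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)"
)

def is_plain_url(value):
    """True only for an http(s) URL with a host and no markup or whitespace."""
    if re.search(r"[<>\"'\s]", value):
        return False
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def find_tampered(dump_text):
    """Return (option_id, option_name, value) for URL options holding non-URLs."""
    hits = []
    for m in ROW_RE.finditer(dump_text):
        option_id, _blog, name, value, _autoload = m.groups()
        # Drop the escaping backslash the dump puts before quotes.
        value = re.sub(r"\\(.)", r"\1", value)
        if name in URL_OPTIONS and not is_plain_url(value):
            hits.append((int(option_id), name, value))
    return hits

# Constructed sample dump: row 2 mirrors the tampered shape shown in the
# article (src left empty, as on the page); example.com is a placeholder.
SAMPLE_DUMP = r"""
INSERT INTO `wp_options` VALUES
(1, 0, 'blogname', 'My Blog', 'yes'),
(2, 0, 'siteurl', '<iframe style=\"display:none\" height=\"0\" width=\"1\" src=\"\"></iframe>', 'yes'),
(37, 0, 'home', 'http://example.com', 'yes');
"""

if __name__ == "__main__":
    for option_id, name, value in find_tampered(SAMPLE_DUMP):
        print(f"option_id={option_id} {name} is not a URL: {value!r}")
```

Running the same check on a schedule shows whether a cleaned blog has been reinfected. The wp-config.php override mentioned above is done in WordPress by defining the WP_SITEURL constant, which takes precedence over the database value.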

Update: It seems that a malicious user employed a script that automatically scoured the Network Solutions system for poorly secured accounts and, when one was found, modified its database so the corresponding website redirected users to the malicious website. The mass hack caused the sites of Network Solutions customers running WordPress to silently redirect visitors to malicious sites. Network Solutions has now closed the hole by resetting database passwords for the blogging software, the company said Sunday. Users should also review their settings for any administrative access accounts that aren’t recognized and, if any are found, delete them.

Credit: News
