Wordpress munching contagion turns Linux servers into spam bots The Mumblehard malware is turning Linux and BSD server into spam-spewing zombies. Security researchers at ESET have logged over 8,500 unique IP addresses during a seven-month research period looking into the junk-mail-linked malware menace. Mumblehard is made up of two different components. The first component is a generic …
>Just keep patching, just keep patching...
Patching is good. You could block outbound connections from your webservers.
Wordpress may be bad, but your firewall and email admins get no prizes either.
If you design your perimeter properly, even if you have a problem, it isn't shared with the rest of the world.
For Pete's sake, editors. The linked article does not mention Joomla or Wordpress at all, and the white paper mentions them only once in 23 pages, in a sentence speculating that the infection vector *may* be associated with either platform.
So the Register prints a klaxon headline beginning with "Wordpress..."
Seriously thinking of cancelling my subscription here.
Seriously thinking of cancelling my subscription here.
I saw what you did there :).
In all seriousness, though - there is nothing about WordPress and Joomla that makes them different from any other code you run on a platform - you have to stay on top of it, patch soonest and make teh effort of acting on what you see in the logs.
I review especially the 404 log carefully because it shows me trends. I can see loads of URLs coming in seeking uncontrolled access to the file system (by trying if they can read a readme.txt of common plugins) and generally trying to rattle the door by running through a list of vulnerable plugins. The latter get banned at Apache level - WP won't even see them afterwards as they go straight into .htaccess black holes, but I also look where they come from. When they come from places you can reach (US or anywhere in Europe) I look up who manages the IP range and ping the abuse email address with the log (except GoDaddy, of course, because abuse@ just goes to /dev/null as far as I can see, use csirt@ instead). Quite often, they indeed take action.
Oh, and it helps to use the most common measure to secure systems of any description: don't install what you don't need. It isn't hard.
I'm assuming that this exploit is targeting PHP rather than Linux or BSD. I think this is the future of server-based malware; easier to just write an exploit for a badly-made plug-in and leverage a powerful language rather than trying to install binaries on the machine layer. With the wide-range of plug-ins available for PHP, its not surprising to see it exploited in this way, since it can remain undetected for some as it isn't creating any suspicious processes and can hide in the massive tangle of PHP files things like WordPress are made of.
*The same thing can be said of any other similar-enough language: ASP, .net, node.js, Ruby-on-Rails, Python, etc.
Agreed, but you're too kind to PHP. The language is an unstructured mess of nifty features grafted on from real languages, wholly unfit for its sole purpose. Those other languages are merely crappy. Frontend JavaScript also plays a role here: botnets are exploiting XSS to gain admin access on WP sites.
WordPress is also egregious; I relented a few years ago and started working with it, thinking my opinion of it was too harsh... nope, it's far worse than I imagined. Why does everyone use it? It's a cult of noobs, feeding the hype cycle until they awaken, too late, to the monstrous reality of it...
The sarcasm is extremely misplaced in relation to this article. Both Windows and Linux servers would be vulnerable to the same Wordpress and/or Plugin vulnerabilities if this was the infection method. The only reason Linux is mentioned here is that the spam program is coded in Perl and hidden in an ELF binary, which would not run on a Windows box, thus the hackers only install it on pwned Linux boxen.
Can't fix stupid.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
