WordPress under attack by whack-a-mole ad-scam malware

Sucuri threat researcher Denis Sinegubko says a "massive" advertising scam campaign is affecting users visiting WordPress sites, injecting backdoors and constantly re-infecting sites. The prolific virus-destroyer (@unmaskparasites) says writers are injecting code into all JavaScript files on targeted WordPress sites. …

  1. DryBones

    So, how are they doing on closing the hole that's allowing it to do that?

    1. Anonymous Coward

      So, how are they doing on closing the hole that's allowing it to do that?

      I've already seen some WP patches fly past that address this (haven't had time to figure out where to dig up the release notes because it's not exactly made easy in WP), but if you install the "All in one WP Security" plugin and work your way through all it can do you should not have had a problem, mainly because that locks down directory and direct file access.

      I see a lot of these probes in the 404 log where sites I have not yet blacklisted seek to access URLs such as "/wp-admin/js/mssqli.php", "/wp-content/plugins/auto-attachments/a-a.css" and "/wp-content/plugins/another-wordpress-classifieds-plugin/AWPCP.po". Some of them are probes to see if they can get at least read access to the file system (by trying to read a .txt file), some of them are probes that randomly seek to activate stuff that would have been installed via any sort of breach.

      I've also removed Jetpack. I don't need it, and it's yet another route to gain admin access - that very, very, VERY old rule of only installing what you actually need is still as valid now as it was in the early days of the Internet.

      1. Anonymous Coward

        Release notes 4.4.2: (2 Feb 2016)

        #36435 HTTP: 0.1.2.3 is not a valid IP.

        #36444 Better validation of the URL used in HTTP redirects.

        In addition to the security issues above, WordPress 4.4.2 fixes 17 bugs from 4.4 and 4.4.1.

        #35356 wp_list_comments ignores $comments parameter

        #35478 4.4 Regression on Querying for Comments by Multiple Post Fields

        #35192 Comments_clauses filter

        #35251 'networks' should be global cache group

        #35316 Images with latin extended characters in exif (slovak/czech) are missing thumbnails

        #35327 Using libsodium for random bytes breaks plugin update in WP 4.4

        #35344 Strange pagination issue on front page after 4.4.1 update

        #35355 Customizer should not try to return to the login screen

        #35361 Error in SQL syntax search page

        #35376 Default URL for emoji images should be always https

        #35378 Incorrect comment ordering when comment threading is turned off

        #35401 Taxonomies Quick Edit: prevent page reload when submitting

        #35402 per_page parameter no longer works in wp_list_comments

        #35412 ModSecurity2 blocks Potential Obfuscated Javascript in outbound anomaly

        #35419 Incorrect comment pagination when comment threading is turned off

        #35462 update_term_cache and deleting object_id

        #35447 Button to delete inactive widgets is displayed on inactive sidebars

      2. Ian 55

        I have been seeing a lot of scans for specific plugins, typically by looking for their readme.txt or similar.

        Several of these went into a fail2ban filter, and now I see a lot fewer...

        I suspect those plugins allow uploads.

        The other active searches are looking for php files in /wp-content/uploads/, somewhere you should never, ever have files executable on the server.

        (Usual reminder: no-one should install whatever 'Better WP Security' is calling itself now without a) a complete backup of files + database and b) either knowing exactly what they're doing or pockets deep enough to pay someone to fix the complete mess it can leave you in.)
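The probes described in the two comments above (requests for specific plugin paths, readme.txt enumeration of installed plugins, and PHP files under /wp-content/uploads/) can be picked out of an access log mechanically. The following is an added example, not code from the thread, from WordPress or from fail2ban: a small Python classifier over constructed "combined" format log lines that tags each probe and lists client IPs exceeding a hit threshold, which is the same idea as a fail2ban filter plus its maxretry. The three literal paths are the ones quoted in the first comment; the plugin name, IPs and timestamps in the sample are constructed.

```python
import re
from collections import Counter

# Apache/nginx "combined" format: ip ident user [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Probe signatures as (label, regex). The three literal paths are the ones quoted in
# the thread; the other two are the generic patterns the commenters describe.
PROBE_PATTERNS = [
    ("plugin-enum", re.compile(r"^/wp-content/plugins/[^/]+/readme\.txt$", re.I)),
    ("php-in-uploads", re.compile(r"^/wp-content/uploads/.*\.php(\?.*)?$", re.I)),
    ("known-probe", re.compile(
        r"^/(wp-admin/js/mssqli\.php"
        r"|wp-content/plugins/auto-attachments/a-a\.css"
        r"|wp-content/plugins/another-wordpress-classifieds-plugin/AWPCP\.po)$", re.I)),
]


def classify(path):
    """Return the probe label for a request path, or None for ordinary traffic."""
    for label, pattern in PROBE_PATTERNS:
        if pattern.search(path):
            return label
    return None


def scan_log(lines):
    """Yield (ip, path, label) for every request that matches a probe signature."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess at fields
        label = classify(m.group("path"))
        if label:
            yield m.group("ip"), m.group("path"), label


def ban_candidates(lines, threshold=3):
    """Client IPs with at least `threshold` probe hits (the role of fail2ban's maxretry)."""
    hits = Counter(ip for ip, _, _ in scan_log(lines))
    return sorted(ip for ip, n in hits.items() if n >= threshold)


# Constructed sample log: one scanner walking the probe list, one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Feb/2016:10:00:01 +0000] "GET /wp-content/plugins/auto-attachments/a-a.css HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.7 - - [03/Feb/2016:10:00:02 +0000] "GET /wp-content/plugins/some-plugin/readme.txt HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.7 - - [03/Feb/2016:10:00:03 +0000] "GET /wp-content/uploads/2016/02/x.php HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.7 - - [03/Feb/2016:10:00:04 +0000] "GET /wp-admin/js/mssqli.php HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.9 - - [03/Feb/2016:10:00:05 +0000] "GET /2016/02/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [03/Feb/2016:10:00:06 +0000] "GET /wp-content/uploads/2016/02/photo.jpg HTTP/1.1" 200 8040 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, label in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {label:15} {path}")
    print("ban candidates:", ban_candidates(SAMPLE_LOG))
```

The `known-probe` list is only as good as the paths you add to it; the two generic patterns are what catch the bulk of the noise, since a legitimate visitor has no reason to request a plugin's readme.txt or a .php file under uploads.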

  2. Alistair

    urrr:

    WordPress. Javascript. Malware injections.

    I think Adobe's Flash has a competitor.

  3. Anonymous Coward

    Shared hosting and all read/ write permissions

    <quote>

    Sinegubko says the malware will infect all accessible .js files across all domains located on the same hosting account in what is known as cross-site contamination.

    </quote>

    This is only possible on really poorly set up shared hosting, or any hosting which has read/write permission on the files granted to all users; it's basic good practice to isolate the ability to write on each website. It used to be common, once one website was penetrated, to be able to backdoor every domain, and this was made easier by the directory naming systems.

    Legally this resulted in a headache and quite frequently having to walk away, e.g. example.com has been hacked, a backdoor is placed on example2.com but you've only been hired to clean up example.com and therefore can't legally touch example2.com or patch them or help them without permission, so example.com has to go to their web hosting provider, at which point all accounts get suspended. More than once I saw businesses fold because of the threat of legal action from example2.com, as dealing with the cost of the threat of being sued for lost business was prohibitive.

    I don't work in this field anymore, got too fed up with non-payment of bills, or having to explain that I'd closed a hole, removed the backdoors but because example2.com had been hacked and the way shared hosting was set up there was every likelihood that they could be hacked again, which they would then show their web hosting company and frequently it became a case of "blame the contractor".

    1. WendyIMC

      Re: Shared hosting and all read/ write permissions

      Stay away from shared hosting. You get what you pay for and if you're going cheap you'll wind up paying in the end. Like buying cheap shoes that hurt your feet: better to spend the money on quality than spend hand over fist due to problems.

      1. psychonaut

        Re: Shared hosting and all read/ write permissions

        <adams> i think you'll find your feet are the wrong size for your shoes. i think i'll have the wordpress site revoked.

        revoked?

        yes, K-I-L-L-E-D revoked.

        </adams>

  4. wolfetone Silver badge

    Masses Against The Classes

    The problem with WordPress is that everyone can use it, everyone can install it, everyone can butcher it to death. Yes it's popular, but unless the web agency that built the site in WordPress has a conscience then it's more than likely the updates are handled by the website owner. That is on the assumption they know there is an issue, and that they can apply the update, and that they can fix whatever inevitable bugs will appear in one or many of their 1,000 plugins that they've installed.

    I've said previously the best way around this, for those who can, is to roll your own CMS on top of a framework. I have done that in the past with Symfony, and I'm starting to do it again with newer projects, because the hassle of dealing with WordPress' bullshit just isn't worth it anymore.

    1. Anonymous Coward

      Re: Masses Against The Classes

      @wolfetone:

      <quote>

      unless the web agency that built the site in WordPress has a conscience

      </quote>

      They never had a conscience, just a maintenance contract and probably some legalese that makes them not liable for any breaches. I have seen "annual maintenance retainers" from development companies that obviously with zero-days aren't worth the paper unless one's willing to bet that day zero and 365 to 1 are good odds and that the CVE is published the same hour that the software is due to be checked (does not necessarily mean the software is updated under these contracts as an update could break something or require extra coding).

    2. Anonymous Coward

      Re: Masses Against The Classes

      Funny you mention this. I'm fighting now with the web agency that updates the content on our site. Every time they touch the site they reset all the plugin file permissions to 777, and every time I have to go in and clean up after them. Apparently they use a git repo they work from for ALL the files on the site - not just the content - and they push full updates to us whenever they feel like it. They also see nothing wrong with bouncing the site in the middle of the day. ("It was only down for a short time.")

      Clueless. And we pay huge money for this "service" as they've convinced our sales people how wonderful their work is and how we're going to get so much more business from their awesome design.

      1. wolfetone Silver badge

        Re: Masses Against The Classes

        Send your company to me, I'd do it properly.

        But yeah, I would wonder what would happen if your website was compromised due to the permissions on your site being changed or updates being applied in an insecure manner. Personally I took insurance out in case something I do causes losses for a client, I don't think this is common for web agencies at all. If your company has a solicitor I'd ask them their thoughts on that.
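The shared-hosting contamination described in comment 3 and the agency resetting plugin files to 777 in the comment above come down to the same condition: entries under the document root that are writable by every user on the box. As an added example (not from the thread, and not a WordPress or hosting-panel tool), this Python audit walks a document root, reports world-writable files and directories, and can reset them to the conventional 755 for directories and 644 for files. The throwaway tree it builds for the demonstration, including the plugin and file names, is constructed.

```python
import os
import stat
import tempfile


def world_writable(path):
    """True if the entry's own permission bits grant write to 'other' (e.g. 777 or 666)."""
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)


def audit_tree(root):
    """Relative paths of directories and files under root that are world-writable."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink's bits are meaningless; its target is visited separately
            if world_writable(full):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def fix_tree(root, dir_mode=0o755, file_mode=0o644):
    """Reset every world-writable entry to conventional WordPress modes; returns count changed."""
    changed = 0
    for rel in audit_tree(root):
        full = os.path.join(root, rel)
        os.chmod(full, dir_mode if os.path.isdir(full) else file_mode)
        changed += 1
    return changed


def build_demo_root():
    """Construct a throwaway document root with one 777 plugin directory and one 666 file."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    plugin_dir = os.path.join(root, "wp-content", "plugins", "demo-plugin")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(plugin_dir)
    os.makedirs(uploads)
    with open(os.path.join(plugin_dir, "demo.php"), "w") as fh:
        fh.write("<?php // placeholder plugin file (constructed)\n")
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php // placeholder config (constructed)\n")
    # Set every mode explicitly so the demo does not depend on the process umask.
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(os.path.join(root, "wp-content", "plugins"), 0o755)
    os.chmod(uploads, 0o755)
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "wp-config.php"), 0o640)
    os.chmod(plugin_dir, 0o777)                             # the "agency reset" case
    os.chmod(os.path.join(plugin_dir, "demo.php"), 0o666)   # world-writable file
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    print("world-writable before:", audit_tree(demo))
    print("entries fixed:", fix_tree(demo))
    print("world-writable after:", audit_tree(demo))
```

Running the audit alone (without `fix_tree`) from cron is enough to catch a deployment that has silently reopened permissions; the fix step is deliberately separate so the report can be reviewed before anything is changed.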

  5. Anonymous Coward

    The problem with WordPress is that everyone can use it, everyone can install it, everyone can butcher it to death. Yes it's popular, but unless the web agency that built the site in WordPress has a conscience then it's more than likely the updates are handled by the website owner. That is on the assumption they know there is an issue, and that they can apply the update, and that they can fix whatever inevitable bugs will appear in one or many of their 1,000 plugins that they've installed.

    It could do with some more advice like "do not install what you don't need", but its update system is actually quite OK as plugins get picked up too. You can even automate it, although I have my reservations about that.

    I've said previously the best way around this, for those who can, is to roll your own CMS on top of a framework. I have done that in the past with Symfony, and I'm starting to do it again with newer projects, because the hassle of dealing with WordPress' bullshit just isn't worth it anymore.

    The main reason you use a public CMS instead of a DIY one is exactly because you share in bug fixing. Unless you really know what you're doing you can leave holes you won't realise until you're serving malware, porn, spam or a botnet. By using an open source CMS you defray some of that risk against volume, and you benefit from the fact that some find the volume attractive enough to develop tools for it. WP is not hard to tighten up, provided you start with a good hosting baseline (and even there, WP tools can help set access rights correctly).

    The main reason I don't use WP much anymore is because it's too simple, I need more granular control over users, groups and content, but for a quick "let's get some basics online" site it's still one of the easier ways to go.

  6. Anonymous Coward

    Hosters should stop using FTP

    I still come across ISPs who think it's perfectly acceptable to force their clients to use FTP instead of SFTP, so every time customers upload something they are exposing user ID and password.

    Frankly, I would avoid any ISP who only offers unencrypted FTP access because that's begging on your knees to get hacked. You might as well post your access credentials on Twitter.

  7. Kraggy

    You know, while Adobe rightly gets lambasted for Flash, it seems to me WP is now enemy #1 on the Internet yet its developers are never pilloried like Adobe are.

    How many scores of holes have been found in this abomination already?

    Frankly if I were looking for a new site hoster I'd try to find one who won't allow their customers to use this crapware.

    1. Anonymous Coward

      It's very popular and therefore worth writing naughty code for. The real problem is that many site-owners just don't keep it up to date.

    2. Anonymous Coward

      Nowhere close to a valid comparison. WP runs fine, works fine, is secure... when maintained properly. Can also be subject to the security of partners who create plug-ins for WP, which unfairly tars WP's rep. That can't be said for Flash. Also, I usually only have to patch one instance of WP, as opposed to 700 endpoints all using Flash. Pain points are much different.

  8. Anonymous Coward

    Wordpress.com

    Wonder how they are faring today then? Even if they have sensible shared hosting without universal writing privileges there's no mention of a patch with this article. Gotta love the terms & conditions of wordpress.com:

    <snip>You agree to indemnify and hold harmless Automattic, its contractors, and its licensors, and their respective directors, officers, employees, and agents from and against any and all claims and expenses, including attorneys’ fees, arising out of your use of our Services, including but not limited to your violation of this Agreement.</snip>

    so the website owner is responsible for everything and

    <snip>you are responsible for maintaining the security of your account and blog, and you are fully responsible for all activities that occur under the account and any other actions taken in connection with the blog. You must immediately notify Automattic of any unauthorized uses of your blog, your account, or any other breaches of security. Automattic will not be liable for any acts or omissions by you, including any damages of any kind incurred as a result of such acts or omissions.</snip>

    but yet the very first terms of service...

    <snip>You agree that we may automatically upgrade our Services, and these terms will apply to any upgrades.</snip>

    So we build it, update it, let you publish it but when you are hacked you are responsible for software that you can't modify. One would hope that wordpress.com has at least worked out the attack vector and is packet sniffing and blocking across its hosted sites.

    1. Anonymous Coward

      Re: Wordpress.com

      You're talking about wordpress.com, the hosted service. From context, I believe the article is about wordpress.org (self-hosted WP installations).

      1. Anonymous Coward

        Re: Wordpress.com

        from

        https://en.support.wordpress.com/coming-from-self-hosted/

        it appears that wordpress.com is a distributed compatible version of that which can be downloaded from wordpress.org and that's the issue I would be concerned about with no CVE or PoC issued.

        It may be a sin to post a bing link but it does show a lot of wordpress sites assigned to the basic wordpress.com ip address

        http://www.bing.com/search?q=ip%3A192.0.78.17

  9. Anonymous Coward

    Does anyone know the JS code?

    Does someone have a copy of the javascript code so that I can check if we have this vulnerability? I am also installing All in One Wordpress Security at a previous poster's recommendation, but want to check all site js files.

    1. Anonymous Coward

      Re: Does anyone know the JS code? → Wouldn't help

      Apparently the code mutates with each infection:

      The malware uses encrypted code which mutates between sites but decrypts into the same structure.

      1. Anonymous Coward

        Re: Does anyone know the JS code? → Wouldn't help

        Though the JS code may change, the initial upload attack vector won't. (Unless there are multiple zero days.)

        So find the page being used to upload it by looking through the logs at whatever has been posted to a non-regular page, whether it be in the modules directory. The content doesn't matter particularly; it's closing the initial way in and then doing a simple find from the timestamp of the attack vector to check which files have changed, plus then recursively checking everything for backdoors, as it's very common to put php code in images. Checking for iframes, javascript code, eval'd statements, wget, url_fopen. Once inside there are many ways to backdoor a server, and then don't also forget the database: any content stored within must also be scrutinised, and the hacker will have the password, so if the network connection is not limited to local or not firewalled (you can't rely on hosts in the database).

        It's quite a lot of work to recover a server once compromised and be thorough; also, restoring from a backup never works unless everything is deleted, including all hidden files, as otherwise the new backdoors are still sitting there. It is less than 30 seconds inside the server to plant all the backdoors; generally the logs are a big help because the botnet will test to check the backdoors are present before moving along.

        An unusual feature of this one is the use of subdomains so new logs may appear depending on the server's configuration. As DNS is normally set up for basic hosting so that *.example.com is pointing toward one ip address it should also be quite easy to sinkhole by altering the DNS settings. That would provide a valuable insight into what files are being requested.
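The recovery steps in the comment above (a find from the attack timestamp, then recursively checking the changed files for iframes, eval'd statements, wget, url_fopen and PHP code hidden in images) are mechanical enough to script. This is an added example, not code from the thread or from any WordPress tool: it lists files modified at or after a given timestamp and reports which of the named markers each contains, treating a PHP open tag inside an image file as a finding in its own right. The marker regexes and the sample tree (a clean theme file dated before the attack, a theme footer with an injected hidden iframe, an image carrying PHP, and a harmless stylesheet that also changed) are constructed for the demonstration; the hostname in the sample iframe uses the reserved .invalid TLD.

```python
import os
import re
import tempfile
import time

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".ico"}

# Markers named in the thread: eval'd statements, iframes, javascript, wget, url_fopen,
# plus base64_decode as the usual companion of eval in obfuscated PHP. The "php-tag"
# marker is only reported for image files, where a PHP open tag has no business being.
MARKERS = {
    "eval": re.compile(rb"\beval\s*\(", re.I),
    "base64": re.compile(rb"base64_decode\s*\(", re.I),
    "iframe": re.compile(rb"<iframe\b", re.I),
    "script": re.compile(rb"<script\b", re.I),
    "wget": re.compile(rb"\bwget\b", re.I),
    "url_fopen": re.compile(rb"url_fopen", re.I),
    "php-tag": re.compile(rb"<\?php", re.I),
}


def changed_since(root, since_epoch):
    """Relative paths of regular files whose mtime is at or after the attack timestamp."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            if os.stat(full).st_mtime >= since_epoch:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def suspicious_markers(path):
    """Labels of every marker found in the file, in MARKERS order."""
    with open(path, "rb") as fh:
        data = fh.read()
    ext = os.path.splitext(path)[1].lower()
    found = []
    for label, rx in MARKERS.items():
        if label == "php-tag" and ext not in IMAGE_EXT:
            continue  # <?php is normal in .php files; only alarming inside an image
        if rx.search(data):
            found.append(label)
    return found


def triage(root, since_epoch):
    """Map changed file -> markers, for changed files that carry at least one marker."""
    report = {}
    for rel in changed_since(root, since_epoch):
        markers = suspicious_markers(os.path.join(root, rel))
        if markers:
            report[rel] = markers
    return report


def build_demo_root():
    """Construct a throwaway tree; returns (root, attack_time) with attack_time an hour ago."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    attack_time = time.time() - 3600  # constructed: the upload was logged an hour ago
    uploads = os.path.join(root, "wp-content", "uploads", "2016", "02")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(uploads)
    os.makedirs(theme)
    old = os.path.join(theme, "functions.php")
    with open(old, "w") as fh:
        fh.write("<?php // legitimate theme code, untouched (constructed)\n")
    os.utime(old, (attack_time - 86400, attack_time - 86400))  # dated a day before the attack
    with open(os.path.join(uploads, "logo.png"), "wb") as fh:  # constructed image-with-php
        fh.write(b"\x89PNG\r\n\x1a\n... <?php eval(base64_decode('...')); ?>")
    with open(os.path.join(theme, "footer.php"), "w") as fh:   # constructed injected iframe
        fh.write('</footer><iframe src="http://ads.invalid/" style="display:none"></iframe>\n')
    with open(os.path.join(theme, "style.css"), "w") as fh:    # changed, but clean
        fh.write("body { margin: 0 }\n")
    return root, attack_time


if __name__ == "__main__":
    demo_root, since = build_demo_root()
    print("changed since attack:", changed_since(demo_root, since))
    for rel, markers in triage(demo_root, since).items():
        print(f"{rel}: {', '.join(markers)}")
```

The timestamp filter narrows the haystack; the marker scan then has to be read by a person, because an `eval` in a minified plugin is not automatically a backdoor, while a PHP tag inside a .png almost always is. As the commenter notes, the database needs the same scrutiny, which this file-only pass does not cover.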

  10. Mike 16

    Flash vs WP

    To be fair to WP, nobody _forces_ you (content creator) to use it for creating content, and no browser refuses to display content that isn't via WordPress. This is _starting_ to be true for Flash, but not really there yet, and for years the situation was pretty dire.

  11. WendyIMC

    Sharing Plugins injecting ads

    I have found scripts injected through Shareaholic to PayDay loans. You never see the link because it uses CSS. More recently (this week), ad scripts loading through JetPack publicize plugin. We need better security and/or review of plugin scripts.
