Webmaster General Forum

    
WordPress Attacked With Cloaking Malware
Googlebot Doesn't Detect Malicious Intrusion
incrediBILL




msg:4134451
 3:19 am on May 18, 2010 (gmt 0)

Here we go again with WordPress being the target of a massive infiltration.

While the attack initially appeared to be limited to web sites hosted by American ISP DreamHost, it has since become apparent that blogs hosted at GoDaddy, Bluehost and Media Temple have also been affected.

[h-online.com...]

The best part is that the malware is now cloaking its presence to avoid Google's Safe Browsing API!

Do You Feel Lucky?

 

tradewinds




msg:4134572
 9:02 am on May 18, 2010 (gmt 0)

I am very much with incrediBILL on WordPress; I kind of see it as driving a family sedan in a battle zone.

To prevent potential headaches and risks, I had been cracking my brain trying to find a flexible but secure method of managing content that's self-hosted, and came to the conclusion that if you want a blog then perhaps it's best to use desktop publishing applications. No scripts or databases used; updates are made straight through sftp. Sure you might lose some functionality/flexibility, but depending on your needs this could be the most secure solution possible since your blog will ONLY consist of pure html files.

ken_b




msg:4134679
 1:42 pm on May 18, 2010 (gmt 0)

I think my seldom used blog, hosted on Netsol, has been a victim of this. It has the suspect block of code at the top of every source file.

But I haven't gotten any alerts from AVG, or FF. The blog is the latest version, but I just updated it the other day and don't know when this hack happened.

I also don't know what to look for on my computer to see if it has been infected/affected.

And how do I get rid of this thing if it's on my machine?

incrediBILL




msg:4134683
 1:50 pm on May 18, 2010 (gmt 0)

No scripts or databases used; updates are made straight through sftp. Sure you might lose some functionality/flexibility, but depending on your needs this could be the most secure solution possible since your blog will ONLY consist of pure html files.

They have had this for years, it's called BLOGGER.

It will post directly to an FTP site.

But I haven't gotten any alerts from AVG, or FF.

You might not, because this is so new AVG won't know anything about it, and FF won't alert you because, as the report says, the safe surf API is being defeated with cloaking.

The real irony here is that the malware appears to have gotten smarter than WordPress.

g1smd




msg:4134719
 3:07 pm on May 18, 2010 (gmt 0)

I've recently been told the same exploit code is also appearing on ZenCart sites on at least GoDaddy; the commonality being PHP here.

ken_b




msg:4134740
 3:41 pm on May 18, 2010 (gmt 0)

So how do we deal with this thing?

incrediBILL




msg:4134827
 6:16 pm on May 18, 2010 (gmt 0)

I've recently been told the same exploit code is also appearing on ZenCart sites on at least GoDaddy; the commonality being PHP here.


I thought it was suspected but not proven yet?

Go60Guy




msg:4134834
 6:25 pm on May 18, 2010 (gmt 0)

Always, the first impulse is to blame WordPress. And, I'm not saying it's blameless. But the article does mention that it doesn't appear the "hole" originated with WordPress. Sites on certain hosts are infected. So far my WP sites are OK. I'm on a VPS.

Also, there are reports that sites other than those on the WP platform are being infected. At the risk of violating the WebmasterWorld TOS, this site purports to have a cleanup:

[blog.sucuri.net...]

kevsta




msg:4134873
 7:35 pm on May 18, 2010 (gmt 0)

this is a Godaddy, not WP issue, without a shadow of a doubt.

this is the 4th time in 3 weeks, the same sets of servers and hosting packages, and far from only WP, many different types of websites are done every time, meanwhile other WP sites on the same hosting but different packages or servers still have old outdated WP versions & plugins and are untouched.

I think a Godaddy machine/s are seriously compromised, the hacker has a back door or something and can rehack all the same sites at will.

they are utterly hopeless.

J_RaD




msg:4134883
 7:53 pm on May 18, 2010 (gmt 0)


No scripts or databases used; updates are made straight through sftp. Sure you might lose some functionality/flexibility, but depending on your needs this could be the most secure solution possible since your blog will ONLY consist of pure html files.

very interested, names please!

besides Google's Blogger, which no longer posts to your own FTP site :-( I guess Google didn't like you having your own content.

bwnbwn




msg:4134892
 8:10 pm on May 18, 2010 (gmt 0)

J_RaD, I think you're mistaken a little on Blogger. True, you can't ftp now, but the content is on your site or subdomain. It is the same as ftp but now real time. I like it much better myself, and for the most part it is more secure.
All the archives are still on my site, as well as all the content; the only part of the content not on my site is comments, as it was before.

incrediBILL




msg:4134935
 9:05 pm on May 18, 2010 (gmt 0)

Without going too far off topic - Blogger appears to have stopped supporting FTP publish just this month!

We will no longer support FTP publishing in Blogger after May 1, 2010

[google.com...]

Oh well.

Still, the best option for WordPress IMO, if you must use it, is to use WordPress.com to host it themselves.

I still think the big news in this story is that the hackers are now cloaking malicious content to avoid the automated tools attempting to find the malware.

If the hackers are successful and thwart Google's Safe Browsing, McAfee's Site Advisor, and other similar attempts to sanitize the web, we're most likely to see a sudden surge in infected machines.

Not good.

koan




msg:4134938
 9:19 pm on May 18, 2010 (gmt 0)

It's not just Wordpress, I had a few basic sites hosted on Godaddy with php files that were infected (not using any 3rd party software like Joomla or Wordpress), from various clients. The only common points were: php files and Godaddy.

I contacted their support to notify them of their vulnerability after I cleaned the sites, but they still cling to their "upgrade your 3rd party software" solution even though I didn't even use any in those instances.

The exploit uses cookies so it doesn't show up twice to the same user (or search engines) so some may think it is fixed when it is not.
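Added example, not part of any post in this thread: one way to check for the show-once, cloaked behaviour described above is to request the same page as several client profiles (a fresh browser with no cookies, the same browser on a repeat visit, a crawler user agent) and compare which third-party script or iframe hosts each one receives. The fetching step is left out so the code runs offline; the host names, profile names and sample HTML are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# src= attributes of <script> and <iframe> tags, the usual carriers of injected content.
SRC_RE = re.compile(r'<(?:script|iframe)\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)', re.I)

def external_hosts(html, site_host):
    """Return hosts of script/iframe sources that are not the site itself."""
    hosts = set()
    for src in SRC_RE.findall(html):
        host = urlparse(src).hostname  # None for relative URLs
        if host and host != site_host:
            hosts.add(host)
    return hosts

def cloaking_report(site_host, responses):
    """responses maps profile name -> HTML body fetched for the same URL.
    Returns {host: [profiles that received it]} for hosts not served to every profile."""
    seen = {name: external_hosts(body, site_host) for name, body in responses.items()}
    common = set.intersection(*seen.values()) if seen else set()
    report = {}
    for name, hosts in seen.items():
        for host in hosts - common:
            report.setdefault(host, []).append(name)
    return {host: sorted(names) for host, names in report.items()}

# Constructed sample bodies (not captured from any real site).
PAGE = ('<html><head><script src="/wp-includes/js/jquery.js"></script>'
        '<script src="https://cdn.example.net/stats.js"></script>{extra}'
        '</head><body>post</body></html>')
SAMPLES = {
    "first_visit_browser": PAGE.format(
        extra='<script src="http://injected.invalid/js.php"></script>'),
    "repeat_visit_with_cookie": PAGE.format(extra=""),
    "crawler_user_agent": PAGE.format(extra=""),
}

if __name__ == "__main__":
    for host, profiles in cloaking_report("blog.example", SAMPLES).items():
        print(f"{host}: served only to {', '.join(profiles)}")
```

A host that appears for only one profile is a reason to inspect the server-side files, not proof of infection on its own. A spoofed crawler user agent only reproduces cloaking that keys on that header.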

tradewinds




msg:4135087
 3:53 am on May 19, 2010 (gmt 0)

very interested, names please!

Don't mean to hijack this thread, but AFAIK there's only one desktop blog publishing application that doesn't require a third-party blogging service (i.e. creates and uploads html files by itself) and it's a freeware called thingamablog. I think most other desktop blog publishing software like Windows Live Writer require you to have an account with Windows Live Spaces, Blogger, Wordpress.com etc.

The advantage of this is that there's no danger of losing the software to manage your blog, which is what happened with blogger.

kevsta




msg:4135137
 6:46 am on May 19, 2010 (gmt 0)

Koan, yes they're just utterly useless aren't they?

despite overwhelming evidence of multiple different types of sites affected, and the only common denominator being them, they're still trying to get away with blaming WP.

lame.

ChanandlerBong




msg:4135412
 4:22 pm on May 19, 2010 (gmt 0)

I think a title change to this thread should be considered, especially as Word Press's reputation is getting a trashing with this being a front page thread.

incrediBILL




msg:4135443
 4:56 pm on May 19, 2010 (gmt 0)

Word Press's reputation is getting a trashing


That ship has already sailed with their repeated hackings over the years.

Even if WordPress isn't at fault, it's been at fault so many times you can't blame the hosts for pointing fingers at it.

While it may or may not be WordPress allowing the infection to occur, it's still WordPress blogs being infected with cloaking malware, therefore the title is accurate.

jgold454




msg:4135532
 8:08 pm on May 19, 2010 (gmt 0)

what is the best way to tell if a site has been affected?

moltar




msg:4135737
 6:50 am on May 20, 2010 (gmt 0)

You just need to make sure that you remove the footprint that WordPress leaves. I think that'd cut it down dramatically. I dunno how complex these viruses are, but judging from past experiences, they simply find new victims by searching "powered by wordpress".

filbiz




msg:4135744
 6:59 am on May 20, 2010 (gmt 0)

what is the best way to tell if a site has been affected?

Checking your indexed pages in a search engine like Google is a good start. When my blog was hacked a year ago the hacker injected p-o-r-n links and keywords so all my traffic went down the drain. Check your stats. If there are some weird things happening then I might suspect that it was hacked.

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved