A mass compromise has been reported by users of the blogging platform WordPress.
Web hosting provider Network Solutions said that it was investigating the attacks, and posted an update stating that it had put a fix in place addressing the root cause. Because database passwords had been changed, it recommended that users log into their accounts and change their administrative passwords.
Trend Micro reported that some users were hit with an attack that modifies the application setting holding the URL of the blog. On compromised sites, it said, the setting is changed to point to a malicious website that redirects all would-be blog readers there; that site contains scripts leading to a malicious file detected by Trend Micro as TROJ_BUZUS.ZYX.
This in turn leads into an infection chain that leads to various malware, including a rogue anti-virus that was already detected by Trend Micro as TROJ_FAKEAV.ZZY.
Techcocktail.com reported that WordPress had been hacked, with blogger Frank Gruber claiming that even sites running the latest, most up-to-date version (2.9.2) were being hit.
He echoed Trend Micro's claims about the addition of a new file to a user's scripts and the insertion of an iFrame that calls a malicious third-party site. To help the WordPress team pinpoint where the vulnerability might be, he recommended that affected users collate a list of which plug-ins they are running, which version of WordPress they are running, which theme they are using, who their hosting provider is, and any other applications installed on their account.
David Dede, a security expert from Brazil who maintains the blog Sucuri Security, said: “What is interesting about this attack is that it does not create or modify any files, so the average security advice does not apply here. The only thing it does is to modify your ‘siteurl’ inside the ‘wp-option’ table to point to http://networkads.net/grep/, breaking the site layout completely.”
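Because the compromise Dede describes touches no files, file-integrity checks will not surface it; the setting itself has to be inspected. As an added example (not code from the article, Trend Micro, Sucuri or the WordPress project), the following Python script audits an export of the wp_options table for a `siteurl` or `home` value that points off the blog's own host, and drafts the corrective SQL for an operator to review. The sample rows, the expected hostname `blog.example.org`, the table prefix and the function names are assumptions; the `http://networkads.net/grep/` value in the sample is the one quoted in the article.

```python
"""Audit WordPress 'siteurl' and 'home' options for an off-site redirect.

Added example, not code from the article or from WordPress itself. It
assumes the rows were exported from the blog's wp_options table, e.g. with
`SELECT option_name, option_value FROM wp_options`. The rows below are
constructed for illustration.
"""
from urllib.parse import urlsplit

# The two options WordPress uses to build every link and redirect on a site.
URL_OPTIONS = ("siteurl", "home")

# Constructed sample export; the siteurl value is the one quoted in the article.
SAMPLE_ROWS = [
    ("siteurl", "http://networkads.net/grep/"),
    ("home", "http://blog.example.org"),
    ("blogname", "Example Blog"),
]


def audit_url_options(rows, expected_host):
    """Return a list of (option_name, option_value, reason) findings.

    rows: iterable of (option_name, option_value) pairs from wp_options.
    expected_host: the hostname the blog legitimately lives on.
    An empty list means both URL options point at the expected host.
    """
    findings = []
    seen = set()
    for name, value in rows:
        if name not in URL_OPTIONS:
            continue
        seen.add(name)
        parts = urlsplit(value.strip())
        # Anything that is not an absolute http(s) URL cannot be a legitimate value.
        if parts.scheme not in ("http", "https") or not parts.netloc:
            findings.append((name, value, "not an absolute http(s) URL"))
            continue
        host = parts.hostname or ""
        # A path component (e.g. /blog) is legitimate; a foreign host is not.
        if host != expected_host.lower():
            findings.append((name, value, f"host {host!r} != expected {expected_host!r}"))
    # A missing option is also worth a look: WordPress normally writes both.
    for name in URL_OPTIONS:
        if name not in seen:
            findings.append((name, None, "option missing"))
    return findings


def remediation_sql(expected_url, table_prefix="wp_"):
    """Build the UPDATE statements that restore both options to expected_url.

    Returned as text for an operator to review and run by hand, not executed
    here: the credentials needed to run it were reset on the affected hosts.
    """
    safe = expected_url.replace("'", "''")  # escape single quotes for SQL
    return "\n".join(
        f"UPDATE {table_prefix}options SET option_value = '{safe}' "
        f"WHERE option_name = '{name}';"
        for name in URL_OPTIONS
    )


if __name__ == "__main__":
    for finding in audit_url_options(SAMPLE_ROWS, "blog.example.org"):
        print("FINDING:", finding)
    print(remediation_sql("http://blog.example.org"))
```

Run against the sample export, the script flags only `siteurl`, matching the symptom in the article. Two points for anyone using it for real: the audit must be repeated after the hosting provider's password reset, since an attacker who still holds database credentials can simply rewrite the option again; and WordPress lets wp-config.php pin both values with the `WP_HOME` and `WP_SITEURL` constants, which take precedence over the database rows and so remove this particular lever from anyone who only has database access.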