FYI...WordPress hacks: not just NetSol and GoDaddy
May 6, 2010 - "Over the past month or so, there have been a series of ongoing compromises which have been interchangeably blamed on WordPress, Network Solutions, or GoDaddy. However, the attacks are occurring on many other hosts as well, including:
1 & 1
... and several others. While many of the compromised sites are using WordPress, some are not. The two main attacks are: (1) the Google / WordPress pharma attacks and (2) the Grepad.com family of attacks that netted Network Solutions hosted sites, some U.S. Treasury sites, and many, many popular niche 'mom and pop' style sites...
It appears the attacker is able to read wp-config.php, which by necessity contains plaintext credentials for the WordPress database. Normally, wp-config.php should not be externally readable, unless the user has not properly configured file permissions. In any event, once initial access was gained, the attackers inserted or modified entries in the wp-option table for the active WordPress database. In subsequent phases (in the case of the Grepad family), the attackers modified php.ini / .htaccess, uploading malicious scripts which then embed the iframe. At this point, the attackers have the ability to plant PHP backdoors on the compromised sites, a precedent first set by Gumblar. The presence of the backdoor would allow continued access to the compromised sites, even after file permissions were properly configured or FTP credentials had been changed. And if proper segregation is not done, bleed-over to other sites on the same hosted share can still occur.

It's worth noting that the U.S. Bureau of Engraving and Printing sites (bep.gov and moneyfactory.gov) were compromised in the most recent wave of the Grepad.com attacks. While neither of these sites appears to have been using WordPress, both were hosted by Network Solutions and appear to have been published with Network Solutions Website Builder
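As an added example (not from the original post or the quoted report), a small Python audit that checks the two conditions the report names: a wp-config.php readable by other local accounts, and wp_options values carrying injected iframe/script markup. The sample option rows, the throwaway install it builds, the option names and the regex are all constructed assumptions here.

```python
import os
import re
import stat
import tempfile

# Markup a defender would not expect inside a legitimate option value;
# the pattern list is an assumption, extend it to local findings.
INJECT_RE = re.compile(r"<iframe\b|<script\b", re.I)

# Constructed wp_options rows: (option_name, option_value). The third row
# imitates an injected hidden iframe; the host is a placeholder.
SAMPLE_OPTIONS = [
    ("siteurl", "http://blog.example"),
    ("blogdescription", "Just another WordPress site"),
    ("widget_text",
     '<iframe src="http://placeholder.invalid/in.php" width="1" height="1"></iframe>'),
]


def world_readable(path):
    """True when the 'others' read bit is set, i.e. any local account
    (another tenant on a shared host included) can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_wp_dir(root):
    """Return findings for a WordPress document root."""
    findings = []
    cfg = os.path.join(root, "wp-config.php")
    if os.path.isfile(cfg) and world_readable(cfg):
        findings.append("wp-config.php is world-readable")
    return findings


def audit_options(rows):
    """Return option names whose values carry iframe/script markup."""
    return [name for name, value in rows if INJECT_RE.search(value)]


def build_sample_install(mode):
    """Create a throwaway directory holding a wp-config.php of the given mode."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    cfg = os.path.join(root, "wp-config.php")
    with open(cfg, "w") as f:
        f.write("<?php define('DB_PASSWORD', 'placeholder');\n")
    os.chmod(cfg, mode)
    return root


if __name__ == "__main__":
    print(audit_wp_dir(build_sample_install(0o644)))  # flagged: world-readable
    print(audit_wp_dir(build_sample_install(0o640)))  # no findings
    print(audit_options(SAMPLE_OPTIONS))               # ['widget_text']
```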