Topic: WordPress hacks: not just NetSol and GoDaddy
« on: May 09, 2010, 03:54:17 »
AplusWebMaster
Global Moderator
FYI...

WordPress hacks: not just NetSol and GoDaddy
- http://blog.scansafe.com/journal/2010/5/6/wordpress-hacks-not-just-netsol-and-godaddy.html
May 6, 2010 - "Over the past month or so, there have been a series of ongoing compromises which have been interchangeably blamed on WordPress, Network Solutions, or GoDaddy. However, the attacks are occurring on many other hosts as well, including:
1 & 1
DreamHost
In2Net
Hostway
Media Temple
ServerBeach
... and several others. While many of the compromised sites are using WordPress, some are not. The two main attacks are: (1) the Google / WordPress pharma attacks and (2) the Grepad.com family of attacks that netted Network Solutions hosted sites, some U.S. Treasury sites, and many, many popular niche 'mom and pop' style sites...
It appears the attacker is able to read wp-config.php which by necessity contains plaintext credentials for the WordPress database. Normally, wp-config.php should not be externally readable, unless the user has not properly configured file permissions. In any event, once initial access was gained, the attackers inserted or modified entries in the wp-option table for the active WordPress database. In subsequent phases (in the case of the Grepad family), the attackers modified php.ini / .htaccess, uploading malicious scripts which then embed the iframe. At this point, the attackers have the ability to plant PHP backdoors on the compromised sites, a precedent first set by Gumblar. The presence of the backdoor would allow continued access to the compromised sites, even after file permissions were properly configured or FTP credentials had been changed. And if proper segregation is not done, bleed over to other sites on the same hosted share can still occur. It's worth noting that the U.S. Bureau of Engraving and Printing (bep.gov and moneyfactory.gov) were compromised in the most recent wave of the Grepad.com attacks. While neither of these sites appears to have been using WordPress, both were hosted by Network Solutions and appear to have been published with Network Solutions Website Builder."

This machine has no brain.
....... Use your own.
Browser check for updates here.
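Two of the indicators in the quoted report, a readable wp-config.php and tampered rows in the options table (wp_options, called the "wp-option table" above), can be audited by a site owner. The script below is an added example, not code from the forum post or ScanSafe; the config path, the option rows and the iframe/script pattern are constructed sample data and assumptions, not values from the page.

```python
import os
import re
import stat
import tempfile

# Assumed signature for the injected option values described in the report:
# an iframe or script tag whose src points at an external host.
INJECTED = re.compile(r"<\s*(iframe|script)\b[^>]*\bsrc\s*=\s*['\"]?https?://", re.I)


def config_world_readable(path):
    """True when wp-config.php can be read by users outside the site's owner/group."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def suspicious_options(rows):
    """Return the names of (option_name, option_value) rows carrying an off-site tag."""
    return [name for name, value in rows if INJECTED.search(value)]


def audit(config_path, rows):
    """Collect human-readable findings for the two indicators the report names."""
    findings = []
    if config_world_readable(config_path):
        mode = os.stat(config_path).st_mode & 0o777
        findings.append("wp-config.php is world-readable (mode %o)" % mode)
    for name in suspicious_options(rows):
        findings.append("wp_options.%s contains an injected iframe/script tag" % name)
    return findings


def demo():
    """Constructed sample: a loosely-permissioned config and one tampered option row."""
    workdir = tempfile.mkdtemp()
    cfg = os.path.join(workdir, "wp-config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'sample-not-real'); ?>\n")
    os.chmod(cfg, 0o644)  # readable by 'other': the misconfiguration the report describes
    rows = [
        ("siteurl", "http://example.test"),
        ("widget_text", '<p>Hi</p><iframe src="http://malicious.invalid/x.php" width=0 height=0></iframe>'),
    ]
    return audit(cfg, rows)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the same checks against a real install means reading wp_options with the site's own database credentials and pointing `config_path` at the live wp-config.php; a clean site yields an empty list.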