In the past couple of days I’ve been involved with the cleaning up of a number of successful SQL Injection attacks on WordPress blogs, including one that was running the most recent version 2.9.1.
Then last night I read that TechCrunch was also hacked (their post on it seems to redirect to an interstitial ad – which I’ve never seen on TC before and makes me wonder whether they are trying to put up ‘interference’ here).
From what I can see it looks as though the vector that I have seen could also have been used to do this to TechCrunch. I don’t know what version of WordPress TechCrunch runs.
I’ve decided not to give details of who was affected or too much information about the attacks, although the two common occurrences I’m seeing with all of the sites exploited are:
- They are using WP-Cache or WP-SuperCache
- They are running on the RackSpace Cloud Sites serving platform
I should state for the record that at this point I do not have any evidence that RackSpace Cloud Sites is vulnerable, I’m just noting that all of the examples I’ve seen have occurred on RackSpace Cloud Sites, and I believe TechCrunch runs on Rackspace Sites too. Conversely I’ve not heard of any non-RackSpace Cloud Sites blog having any problems, and I’ve not had any issues with my blogs either (other than a botched upgrade to 2.9.1 just now due to human error, doh!).
Although I don’t want to give out specific information, some interesting discussion is occurring on a thread of HackerNews, especially this sub-thread.
Advice
While we wait to see if/how the WordPress developer community responds to this, my only advice is to make sure all of your directories and files are locked down (chmod 700 works fine on RS Sites), and that you are running the latest version of WP and all of your plugins. You might want to keep an extra eye out if you are using RackSpace Cloud Sites (or your hosting reseller does) and make use of WP-Cache/WP-SuperCache.
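As an added example (not code from the original post), here is a small POSIX shell audit that reports group- or world-writable paths under a WordPress root and, as a separate step, applies the chmod 700 advice above. The 600 mode for plain files is my variant (files such as wp-config.php never need the execute bit), and the function names are mine. Owner-only modes only work where PHP runs as the file owner, as the post reports for RS Sites; on hosts where the web server runs as a different user they will break the site, which is why the audit is kept separate from the apply step.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes a POSIX shell plus find/chmod.
# The owner-only modes follow the post's "chmod 700" advice, which only works where PHP
# runs as the file owner (as the post reports for RS Sites).

# Print every path under the given root that is group-writable (-020) or
# world-writable (-002). Octal -perm forms are POSIX and portable.
find_loose_perms() {
    root="$1"
    find "$root" \( -perm -020 -o -perm -002 \) -print
}

# Same audit as a single number, handy for cron alerts and quick checks.
count_loose_perms() {
    find_loose_perms "$1" | wc -l | tr -d ' '
}

# Apply the post's advice: directories 700; plain files 600 (my variant: files
# such as wp-config.php never need the execute bit, and 600 keeps DB credentials
# unreadable by other accounts on a shared host).
wp_lockdown() {
    root="$1"
    find "$root" -type d -exec chmod 700 {} +
    find "$root" -type f -exec chmod 600 {} +
}

# Usage (audit first, then apply once the hosting model is confirmed):
#   find_loose_perms /path/to/web/content
#   wp_lockdown /path/to/web/content
```

Run the audit on a staging copy first; if the site still serves after `wp_lockdown`, PHP is running as the file owner and the modes are safe to apply in production.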
I remain a massive fan and supporter of WordPress.
Ben – I am happy to chat with you about RS CS – I use them on CN and have had many experiences with hacking over the past year (I’ve lost the little hair I have left) – I too don’t know if the issues are connected but in the customer forums it seems to always be a discussion.
I haven’t written specifics at any point but at some point I will. Send me an email if you’d like more info.
Hi Ben – Another Rackspace Cloud customer here and yes…recently I’ve been the victim of a few WP (plus non-WP) hack jobs.
Is it RSC localized? Unsure. But I can say WP sites I host on other servers have not been affected so far.
Same here – I have spent the last 3 days fixing and researching hacks that affected 12 different websites. 11 of those are on Rackspace Cloud. RS Cloud and wp-supercache are also very popular though, so I can’t be sure that they are actually the cause, as opposed to simply being preferred tools for the demographic that’s getting hit.
11 of the hacks – the ones on RS – involved the centiyo.com malware site and a javascript injected into the code. The one that wasn’t on RS was a dupedb.com hack that inserted a simple meta refresh.
I have more information on these if you’re interested. If you’re just making an observation, that’s okay too 🙂
If you have information about hacks, please send them to security@wordpress.org!
I seriously doubt it was wp-super-cache that caused them to be hacked. So many blogs use that plugin that there’d be a huge number of hacks happening.
Donncha – There *are* a huge number being hit though. As I said, I’ve repaired 12 in the past few days.
I’m not at all implying it’s WP-Supercache. I haven’t found the vector yet, partially because hosting with RS Cloud makes log file analysis a stupidly complicated, delayed process.
All 12 were running WP-Supercache – but it’s an extremely popular plugin. It’s like saying Akismet might be responsible. Everyone is running it, so of course the hacked people were, too. Correlation does not imply causation.
One thing I did notice about one of the hacked sites on the RS Cloud – the exploit planted files in the cgi-bin, and the cgi-bin on RS Cloud is one level above the web root.
/www.example.com/web/cgi-bin/
/www.example.com/web/content/
The wp-post-header.php was modified to include the contents in the cgi-bin, which contained a system file, a template.html and a content file, advertising everyone’s favorite male drug that starts with a C (obfuscated so I don’t trip Akismet’s spam filter).
That was the only one of that kind I found in the cluster of sites – the guy I was helping had about 8 that were all on the same RS Cloud account, all had been hacked. The others did a simple modification to the wp-post-header.php file that stuck in the line of obfuscated javascript.
Err, sorry – filename should have been wp-blog-header.php, not wp-post-header.php.
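The pattern described in the comment above (wp-blog-header.php modified to pull in files planted in a cgi-bin outside the web root, or to carry an injected script line) is exactly what a file-integrity baseline catches. The following is an added example, not code from the thread or from WordPress: POSIX shell functions that record SHA-256 hashes of every PHP file, report files that changed or appeared since the baseline, and flag include/require statements that reach outside the document root via `../` or name `cgi-bin`. The function names and the grep pattern are mine; `sha256sum` and GNU grep’s `-r`/`--include` are assumed to be available, as on most Linux hosts.

```shell
#!/bin/sh
# Added example (not from the original thread or from WordPress). Assumes a POSIX
# shell, GNU coreutils sha256sum, and GNU grep (-r/--include).

# Record a baseline: one "hash  path" line per PHP file under $1, written to $2.
# Run this on a known-clean install and keep the file outside the web root.
baseline_php() {
    root="$1"; out="$2"
    find "$root" -type f -name '*.php' -exec sha256sum {} + | sort -k 2 > "$out"
}

# Print each baselined PHP file whose content changed or which is now missing.
# sha256sum -c exits non-zero when anything differs; that is the expected case
# here, so the status is swallowed and only the path list is returned.
changed_since_baseline() {
    baseline="$1"
    sha256sum -c --quiet "$baseline" 2>/dev/null | sed 's/: FAILED.*$//' || true
}

# Print PHP files present now that were not in the baseline (dropped files).
new_since_baseline() {
    root="$1"; baseline="$2"
    find "$root" -type f -name '*.php' | sort > "$baseline.now"
    sed 's/^[0-9a-f]*  //' "$baseline" | sort > "$baseline.known"
    comm -13 "$baseline.known" "$baseline.now"
    rm -f "$baseline.now" "$baseline.known"
}

# Flag include/require statements whose path climbs out of the document root
# (../) or names cgi-bin, the placement the commenter observed. Output is
# file:line:text; review hits by hand, since legitimate code can use ../ too.
suspicious_includes() {
    root="$1"
    grep -rnE --include='*.php' "(include|require)(_once)?[^;]*(\.\./|cgi-bin)" "$root" || true
}

# Usage:
#   baseline_php /path/to/web/content /path/outside/webroot/php-baseline.txt
#   changed_since_baseline /path/outside/webroot/php-baseline.txt
#   new_since_baseline /path/to/web/content /path/outside/webroot/php-baseline.txt
#   suspicious_includes /path/to/web/content
```

Take the baseline from a known-clean install (right after unpacking the official release and your plugins), store it outside the web root, and re-run the checks from cron. A changed core file or an include pointing at cgi-bin is a strong signal on its own, which matters when, as the commenter notes, the hosting logs arrive late.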
[…] This comes in response to a recent rash of hacks on RS hosted WordPress sites. […]
This is exactly what is happening to my site. STAY FAR AWAY FROM RACKSPACE!!!!!!!
Good post! I will say many thanks to you. It’s very helpful for me; I will be adding your blog’s feed now.
This is a very alarming post. Thanks for this, as it could be very helpful since I do WordPress sites.
Then talk to the survival expert and she will give you an axe and a tinderbox. You need to click on a tree and cut it down. You will get some logs, so click on them and then click on your tinderbox. You will make a fire. Continue the tutorial like this, and ask me questions if you want to. But unfortunately, I don’t have enough time to write all you need to do. But, I can give you a guide. Some basic things I have picked up are: Train combat on cows, fishing in lumbridge swamp, and make money from mining and selling rune essence. You can speak to various guides throughout the game, but I’ve run out of time! This can still be a “all you need to know” session, as you can ask me questions in the comments!