The malicious code hides from Google's crawler

May 10, 2010 16:05 GMT
Hundreds of WordPress blogs infected with malicious JavaScript code

Hundreds of WordPress blogs hosted on shared servers were compromised over the weekend and had malicious code injected into their pages. A detailed analysis of the affected sites uncovered instructions to hide the attack from Google's web crawler.

The obfuscated JavaScript code injected into the theme's footer.php script was first spotted on blogs hosted at Dreamhost; however, it soon turned up at other hosting companies as well. "The initial reports today were restricted only to Dreamhost, but now we are seeing the same pattern on blogs hosted at GoDaddy, Bluehost, Media Temple and other places," Sucuri Security Labs, a provider of web integrity monitoring services, announced on Friday.

David Dede, a researcher with the company, explains that the injected code loads additional malicious scripts from zettapetta.com and indesignstudioinfo.com. The files on those two domains were still live at the time of writing this article; their purpose is to set a tracking cookie and redirect visitors to a scareware landing page, which displays a fake antivirus scan. The FAKEAV variant distributed via this attack is detected by 24 out of the 41 antivirus engines on VirusTotal.

According to WPSecurityLock, a WordPress security consultancy and one of the first organizations to spot the attack, "Zencart and other PHP-based platforms were hit" as well. The company's experts published detailed instructions on how to manually clean an affected website, while Sucuri provides a special .php script to automatically remove the malicious code from infected pages.
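Before cleaning a site by hand, an administrator needs a quick way to find which theme files carry the injection. The scanner below is an added example written for this article; it is not Sucuri's cleanup script and does not reproduce the actual injected code, which the article does not print. It flags PHP files that reference the two domains named above, that wrap `base64_decode`-style decoding in `eval`, that test the visitor's user agent for Googlebot (the article says the code hides from Google's crawler but not how, so a user-agent check is an assumption), or that carry long runs of hex-escaped JavaScript. The two footer samples are constructed for the demo, and the indicator list is an illustrative starting point rather than a complete signature set.

```python
"""Scan a WordPress install for injected, obfuscated script blocks in theme PHP files.

Added example for this article: the indicator patterns and sample files are
constructed assumptions, not the real payload seen in the May 2010 attack.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Indicators, checked in this order. The two domains come from the article; the
# remaining patterns are generic obfuscation/cloaking tells, assumed for illustration.
INDICATORS = {
    "known_domain": re.compile(r"(?:zettapetta\.com|indesignstudioinfo\.com)", re.I),
    # eval() fed by a decoder: the classic shape of an injected PHP dropper.
    "eval_base64": re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    # Cloaking: serving different content to Google's crawler (assumed mechanism).
    # A legitimate theme rarely inspects the user agent, but check hits by hand.
    "crawler_check": re.compile(r"(?:googlebot|HTTP_USER_AGENT)", re.I),
    # Eight or more consecutive \xNN escapes: hex-obfuscated JavaScript.
    "long_hex_escape": re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I),
    # A single quoted blob of 200+ base64 characters.
    "long_encoded_string": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}

# Constructed sample: what a stock theme footer normally looks like.
CLEAN_FOOTER = """
    <?php wp_footer(); ?>
</body>
</html>
"""

# Constructed sample (hypothetical, not the real injection): a footer with a
# user-agent gate, an eval'd decoder, hex-escaped JavaScript and a loader from
# one of the domains the article names.
INFECTED_FOOTER = r"""
    <?php wp_footer(); ?>
<?php if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') === false) {
    eval(base64_decode('aWYgKGZhbHNlKSB7fQ=='));
} ?>
<script>document.write("\x3c\x73\x63\x72\x69\x70\x74\x20\x73\x72\x63\x3d");</script>
<script src="http://zettapetta.com/js.php"></script>
</body>
</html>
"""


def scan_text(text: str) -> List[str]:
    """Return the names of every indicator that matches the given file contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Scan every .php file under root; map relative path -> matched indicators."""
    results: Dict[str, List[str]] = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_text(path.read_text(errors="replace"))
        if hits:
            results[path.relative_to(root).as_posix()] = hits
    return results


def demo_scan() -> Dict[str, List[str]]:
    """Write the two constructed samples into a throwaway tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = root / "wp-content/themes/twentyten/header.php"
        infected = root / "wp-content/themes/twentyten/footer.php"
        for path, body in ((clean, CLEAN_FOOTER), (infected, INFECTED_FOOTER)):
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        return scan_tree(root)


if __name__ == "__main__":
    # Point scan_tree at a real document root instead to triage a live install.
    for rel_path, hits in demo_scan().items():
        print(f"{rel_path}: {', '.join(hits)}")
```

Because the payload is cloaked from the crawler, a `site:` search or a Safe Browsing lookup may show nothing while visitors are still being redirected. A direct check is to fetch the page twice from the shell, once with `curl -A "Googlebot/2.1"` and once with an ordinary browser user agent, and diff the two responses; any difference in the footer is worth inspecting.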

There is still no clear information regarding the method of attack in this case. Go Daddy seems to put the blame on outdated versions of the applications. "The bottom line resolution is to be sure you have the most up-to-date versions of your applications within your entire hosting account," Todd Redfoot, chief information security officer at the hosting provider, told WPSecurityLock.

However, David Dede doesn't think this was the attackers' point of entry, because he encountered compromised blogs that were running the latest WordPress version. According to him, stolen FTP or blog admin passwords, a vulnerability in the WordPress blogging platform or a bug in a popular WordPress plug-in are valid possibilities.

Photos: Hundreds of WordPress blogs infected with malicious JavaScript code; Fake antivirus scan displayed on scareware landing page.