Sep 20, 2010 07:01 GMT

Security researchers warn that a new wave of websites hosted at RackSpace have fallen victim to a mass injection attack, which generates unique infections.

The affected websites are WordPress-based blogs or sites hosted on accounts where WordPress is also present.

This suggests that the attack vector might be a common misconfiguration on installations of the blogging platform.

The compromised sites have malicious .js files uploaded to their subdirectories and a rogue <script> element added to their pages.

"The actual content of this file varies from site to site. Hackers definitely use some tool to automatically create a differently obfuscated copy of the malicious script for every site.

"This helps against malware scanners that are searching for hardcoded malware patterns only," explains Denis Sinegubko, the creator of the Unmask Parasites Web scanner, who investigated the attack.

In the case of WordPress blogs, the polymorphic .js files are dropped directly inside the theme directory and use the name of the theme itself or default.js and main.js. Meanwhile, the <script> element loading them gets added to the theme's footer.php.

For other websites, the files are dropped in various folders like "images", "css" or "includes" and are named differently, including img.js, click.js or tool.js.

The fact that the injected code loads malicious content from two domains hosted on the same server in Russia suggests that these infections are the result of the same campaign.

While there isn't much information available regarding the attack vector, improper permissions on critical files and directories or compromised FTP credentials are two of the possibilities.

First of all, the permission of the wp-config.php file, which contains the database password in plain text, should be 600 or 400.

Anything else can allow neighbors to spy on it in shared hosting environments. There should also be no world-writable (777) directory on the account.

Access to the theme files and folders targeted in this attack can be restricted by setting permissions to 400 on files and 500 on directories.
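The checks above can be scripted. The following audit helper is an added example, not code from the article or from Unmask Parasites; it flags the indicators the article describes (wp-config.php not 600/400, world-writable directories, a theme-named, default.js or main.js file dropped into a theme directory, and a footer.php that loads one of them) and builds a constructed sample site to run against. The theme name "twentyten" and all file contents are assumptions for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not from the article or Unmask Parasites).
# Reports the indicators the article lists for a WordPress document root.
# Exit status 0 = nothing found, 1 = findings printed to stdout.
audit_wp() {
  root="$1"; findings=0
  cfg="$root/wp-config.php"
  if [ -f "$cfg" ]; then
    mode=$(stat -c %a "$cfg" 2>/dev/null || stat -f %Lp "$cfg")
    case "$mode" in
      600|400) ;;
      *) echo "wp-config.php mode is $mode, expected 600 or 400"
         findings=$((findings + 1)) ;;
    esac
  fi
  # any world-writable (777-style) directory on the account
  ww=$(find "$root" -type d -perm -0002 | wc -l)
  if [ "$ww" -gt 0 ]; then
    echo "world-writable directories:"; find "$root" -type d -perm -0002
    findings=$((findings + ww))
  fi
  # polymorphic .js dropped into theme directories, and the loader in footer.php
  for theme in "$root"/wp-content/themes/*/; do
    [ -d "$theme" ] || continue
    name=$(basename "$theme")
    for js in "$theme$name.js" "${theme}default.js" "${theme}main.js"; do
      if [ -f "$js" ]; then
        echo "suspicious script in theme: $js"; findings=$((findings + 1))
      fi
    done
    if [ -f "${theme}footer.php" ] &&
       grep -qiE "<script[^>]*src=[^>]*($name|default|main)\.js" "${theme}footer.php"; then
      echo "footer.php loads a theme .js file: ${theme}footer.php"
      findings=$((findings + 1))
    fi
  done
  [ "$findings" -eq 0 ]
}

# Constructed sample of a compromised account (assumed theme name "twentyten").
make_sample_site() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/themes/twentyten" "$site/wp-content/uploads"
  echo "define('DB_PASSWORD', 'sample-only');" > "$site/wp-config.php"
  chmod 666 "$site/wp-config.php"          # readable by other accounts
  chmod 777 "$site/wp-content/uploads"     # world-writable directory
  echo "var x=1;" > "$site/wp-content/themes/twentyten/twentyten.js"
  echo '<script src="/wp-content/themes/twentyten/twentyten.js"></script>' \
    > "$site/wp-content/themes/twentyten/footer.php"
  echo "$site"
}
```

Run `audit_wp /path/to/docroot` against a real install; the sample builder exists only so the helper can be exercised offline.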

Obviously, if your website has been compromised, scan your computer for malware and immediately change the FTP and WP database passwords.

It would also be sensible to check the WP installation and database for any rogue users that might have been added.