Webmasters should check their subfolders more often for signs of an intrusion

May 18, 2012 08:38 GMT  ·  By

Security experts have found that a number of compromised WordPress and Joomla websites are used by spammers to advertise shady slimming pills and counterfeit luxury goods. The worst part is that the owners of these sites are most likely unaware of what’s going on.

Webmasters often fail to check their websites’ subdirectories for signs of malicious files and webpages, thus allowing cybercriminals to use the domain’s reputation to host their scams, Unmask Parasites reports.

Attackers often brute-force the admin passwords to gain access to a website’s backend. Once they’ve gained access, they inject a web shell into an existing plugin by utilizing the Theme Editor.

The web shell is leveraged to create a subfolder to which a WordPress installation package is uploaded. After obtaining the MySQL credentials from the wp-config.php or configuration.php files, depending on whether the site is Joomla or WordPress-based, the attacker is able to install his own theme and make a fully operational website.

These sites actually represent “doorways” that point unsuspecting visitors to malicious domains.

Experts discovered around 3,000 compromised websites that stored such doorway blogs. Reportedly, some of the blogs that advertise slimming and luxury goods were created in March 2012, but there were a few created a year ago.

Even more worrying is the fact that the hijacked sites don’t host only such doorway blogs, but also phishing pages that try to dupe internauts into handing over their online banking credentials and other sensitive information.

Webmasters are advised to keep in mind that their assets can always tempt cybercriminals and that’s why they must follow a number of basic rules to prevent unfortunate situations.

First of all, they must ensure that their systems are guarded by strong passwords that can’t be cracked by using brute-force attacks. Secondly, any changes made to the file system must be carefully monitored.

Google can also help to identify malicious third-party pages since usually they’re indexed, making them visible in simple searches. Google Webmaster Tools can also come in handy, since it can easily reveal if a shady-looking webpage records a lot of traffic.