begood
Posted May 8, 2010

Update 2: Simple clean up solution: Sucuri Security: Simple cleanup solution for the latest Wordpress hack

Update 1: Note that we are not blaming Wordpress here. I am assuming that if the problem was in Wordpress itself, the number of infected sites would be much, much bigger. Maybe a plugin is vulnerable or someone stole lots of passwords. Also, all the hacked sites were on shared hosts, no one so far on a private server.

We are seeing multiple reports today of Wordpress sites (running their latest version) getting compromised. The initial reports today were restricted only to Dreamhost, but now we are seeing the same pattern on blogs hosted at GoDaddy, Bluehost, Media Temple and other places.

So, it doesn't look like something specific to a hosting company. The only thing in common is that all of them are on shared servers.

All those sites had this javascript added to their pages:

http://www.indesignstudioinfo.com/ls.php
http://zettapetta.com/js.php

Which came from a long base64 encoded string added to their footer.php file (or to all the PHP files in some cases).

You can get more information about the encoded string here (and the final decoded code): Sucuri Security

One very interesting thing that is becoming a trend is that the malware is also hiding from Google. This causes the site not to get blacklisted, making it harder for the owner to notice.

People are talking on the forums already:

WordPress › Support 2.9.2 site hacked
http://www.webhostingtalk.com/showthread.p..
http://collabtive.o-dyn.de/forum/view..

How are they getting hacked? We have no clue yet... We can only narrow it down to a few issues:

Stolen FTP/WP password
Bug in Wordpress
Bug in some Wordpress plugin
Brute force attack against the passwords

Send us more information if you know something.

The guys from WP security lock did a good thread on the issue. You can read here

Sucuri Security: New attack today against Wordpress
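A way to check a site for the long base64 string in footer.php or other PHP files that the post describes, added here as an example and not part of the original post or of Sucuri's cleanup solution. It assumes the injected string is a quoted base64 literal; the length threshold, the indicator list and the sample files are constructed for illustration.

```python
import base64, binascii, os, re, tempfile

# Assumption: the injected string is a quoted run of >= MIN_LEN base64 characters.
MIN_LEN = 120
B64_RUN = re.compile(r"""["']([A-Za-z0-9+/]{%d,}={0,2})["']""" % MIN_LEN)
# Assumed indicators that make a decoded blob worth a manual look.
SUSPICIOUS = ("<script", "eval(", "document.write", "http://", "https://")

def inspect_php(source):
    """Return one finding per long, cleanly decodable base64 literal in source."""
    findings = []
    for m in B64_RUN.finditer(source):
        blob = m.group(1)
        try:
            decoded = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # long token that is not valid base64 (hash, identifier)
        text = decoded.decode("latin-1").lower()
        hits = [s for s in SUSPICIOUS if s in text]
        findings.append({"line": source.count("\n", 0, m.start()) + 1,
                         "length": len(blob), "indicators": hits})
    return findings

def scan_tree(root):
    """Walk root and map every .php file that has findings to those findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.endswith(".php")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                found = inspect_php(fh.read())
            if found:
                report[path] = found
    return report

def demo():
    """Constructed sample tree: an injected footer.php and a clean index.php."""
    payload = '<script src="http://example.invalid/js.php"></script>' + " " * 60
    blob = base64.b64encode(payload.encode()).decode()
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "footer.php"), "w") as fh:
            fh.write('<?php wp_footer(); ?>\n<?php eval(base64_decode("%s")); ?>\n' % blob)
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        return {os.path.basename(p): f for p, f in scan_tree(root).items()}
```

Run `scan_tree()` against a copy of the web root and compare each flagged file with a known-good copy from the theme or WordPress release; a finding with no indicators can still be a legitimate embedded asset.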