Slashdot Mirror


30K WordPress Blogs Infected With the Latest Malware Scam

alphadogg writes with an excerpt from an article over at Network World: "Almost 30,000 WordPress blogs have been infected in a new wave of attacks orchestrated by a cybercriminal gang whose primary goal is to distribute rogue antivirus software, researchers from security firm Websense say. The attacks have resulted in over 200,000 infected pages that redirect users to websites displaying fake antivirus scans. The latest compromises are part of a rogue antivirus distribution campaign that has been going on for months, the Websense researchers said."

4 of 104 comments

  1. McAfee? by Oswald+McWeany · Score: 5, Funny

    websites displaying fake antivirus scans

    I didn't know McAfee had started targeting Web blogs now.

    --
    "That's the way to do it" - Punch
  2. Specialist ISP of Transnistria.. again. by Dynamoo · Score: 5, Interesting
    It looks like the first step in the infection is via an IP (194.28.114.103) belonging to Specialist ISP of Transnistria. That has featured before on Slashdot in this story.

    The block 194.28.112.0/22 is simply all evil (I've documented it here in the past); there's no reason to send traffic to it at all, and blocking it is a good option.

    --
    Never email donotemail@WeAreSpammers.com
  3. Re:Analysis by WankersRevenge · Score: 5, Informative

    From the fine article:

    Many of the blogs compromised in these recent attacks were running outdated WordPress versions, had vulnerable plug-ins installed or had weak administrative passwords susceptible to brute force attacks, said David Dede, a security researcher with website integrity monitoring firm Sucuri Security. "It seems the attackers are trying everything lately."

  4. For Newbs: Steps to Fix by dgrotto · Score: 5, Informative

    Most of my WP installs were infected because I am a slack ass. Here are the high level steps I took to solve the problem:

    1) Backup sites.
    2) Fix all world-writable directories in your WP install (what the hell WP?!). This seems to be the primary vector for getting in.
    3) Clean up infected PHP files with this script from php-beginners.com. Thank you Paolo.
    4) Inspect all .htaccess configs for errant redirects and fix.
    5) Install and run the timthumb vulnerability scanner. Possible secondary vector. Thank you Peter Butler!
    6) Update your WP install to latest and greatest.
    7) Remove any unused plugins and themes.
    8) Backup sites.

    I may be missing something - again, I'm a slackass. Anyone else have other advice for our admin-challenged friends besides "get a real software package"?

    By the way, I was trying to lock down one of my WP installs to only allow authed users access to posts. However, WP does not put the assets for posts - usually in wp-content/uploads - behind the auth wall. It's just out there for the whole world to see. It was a simple fix to rewrite the .htaccess config for this directory to redirect to an auth script, but it still shocks me how insecure this app is.
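Steps 2 and 4 of the list above are the ones an admin can script, so here is an added example of doing that (not code from the post or from WordPress). It takes the WordPress install directory as its argument; the regex for "errant" rules is an assumption about what injected redirects usually look like: a Redirect/RewriteRule to an absolute URL, or a RewriteCond keyed on the referrer or user agent.

```shell
#!/bin/sh
# Added triage helpers for an infected WordPress install (example code, not the
# poster's or WordPress's own). Usage: . ./wp-triage.sh; find_world_writable /var/www/wp

# Step 2: list every world-writable file or directory under the install.
# -perm -002 is the POSIX spelling of "others may write".
find_world_writable() {
    find "$1" -perm -002 \( -type d -o -type f \) -print
}

# Step 2, remediation: strip the world-write bit from everything found above.
# Owner/group permissions are left alone, so the web server keeps working.
fix_world_writable() {
    find "$1" -perm -002 \( -type d -o -type f \) -exec chmod o-w {} +
}

# Step 4: flag .htaccess lines that redirect to an absolute URL, or that make a
# rewrite conditional on the visitor's referrer or user agent (assumed shape of
# injected redirects; a legitimate rule can match too, so review the output).
# Prints file:line:text for each hit; exit status 0 if anything was flagged.
HTACCESS_SUSPECT_RE='^[[:space:]]*(Redirect(Match|Permanent)?|RewriteRule)[[:space:]].*https?://|^[[:space:]]*RewriteCond[[:space:]]+%[{]HTTP_(REFERER|USER_AGENT)[}]'
scan_htaccess() {
    find "$1" -name .htaccess -type f -exec grep -HnE "$HTACCESS_SUSPECT_RE" {} \; | grep .
}
```

Run the scan before and after cleaning so you can confirm that only the rules you put there yourself remain.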