Slashdot Mirror


WordPress Hacks Behind Surging Neutrino EK Traffic

msm1267 writes: More than 2,000 websites running WordPress have been compromised and are responsible for a surge this week in traffic from the Neutrino Exploit Kit. Attacks against sites running older versions of the content management system, 4.2 and earlier, were spotted by Zscaler. Those sites are backdoored and redirect a victim's browser through iframes to a landing page hosting the exploit kit where a Flash exploit awaits. The exploits generally target Internet Explorer, Zscaler said, and victims' computers are eventually infected with CryptoWall 3.0 ransomware. This analysis is in line with a similar report from the SANS Institute, which pointed the finger at a particular cybercrime group that had steered away from using the prolific Angler Exploit Kit and moved operations to Neutrino.

51 comments

  1. Must be a Linux App by Anonymous Coward · · Score: 0

    What else?

  2. WordPress is a security problem by mwvdlee · · Score: 5, Insightful

    WordPress is a security problem

    I know I'm going to catch flak for this.

    WordPress and all of its plugins and themes are a huge target for hackers and reliably available online.
    The main problem is that users don't regularly update, or rather that they can't in many cases.
    That is, assuming the plugins are updated for security holes at all.

    I wouldn't be surprised if hackers had databases of the exact versions, plugins and themes of millions of WordPress installations.
    Just wait for a new public disclosure, replicate the exploit and attack the matching sites in your database.
    They could have hundreds of freshly hacked WP sites every week.
    These sites may only stay hacked for a few days or weeks, but it's simple economics.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    1. Re:WordPress is a security problem by Gavagai80 · · Score: 2

      They don't bother with such databases, they just query every site they can reach with a wordpress hack attempt whether it has a wordpress on it or not. After unsuccessfully attacking a few million sites, they gain a few thousand new hacked sites.

      --
      This space intentionally left blank
    2. Re:WordPress is a security problem by John+Bokma · · Score: 3, Insightful

      4.2 is considered older in the summary. According to Wikipedia: "4.2 (Powell) 23 April 2015". I doubt many people update each and every time.

      By the way, I just don't get:

      mysql> GRANT ALL PRIVILEGES ON databasename.* TO "wordpressusername"@"hostname" IDENTIFIED BY "password";

      WordPress is not the only software to do this. And MySQL does support multiple users, each with different rights. I don't get why a visitor of a website indirectly accesses the database with rights to drop all tables, modify all tables ...
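
The grant quoted in the comment above, set beside a least-privilege layout, as an added example that is not part of the original comment or of WordPress's own instructions. The account names `wp_runtime` and `wp_upgrade` and the passwords are placeholders; `databasename`, `hostname` and `wordpressusername` are taken from the comment, and the split assumes the site's plugins need only row-level statements during normal page views.

```sql
-- Added example. wp_runtime / wp_upgrade and both passwords are placeholders.

-- 1. Runtime account: its credentials live in wp-config.php and every page
--    view runs as this user. Row-level statements only, so a bug reachable
--    by a visitor cannot DROP or ALTER tables.
CREATE USER 'wp_runtime'@'hostname' IDENTIFIED BY 'CHANGE_ME_runtime';
GRANT SELECT, INSERT, UPDATE, DELETE
    ON databasename.* TO 'wp_runtime'@'hostname';

-- 2. Upgrade account: used only while a core or plugin upgrade changes the
--    schema. Its credentials are not left in the web root between upgrades.
CREATE USER 'wp_upgrade'@'hostname' IDENTIFIED BY 'CHANGE_ME_upgrade';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP
    ON databasename.* TO 'wp_upgrade'@'hostname';

-- 3. Existing install that was created with GRANT ALL PRIVILEGES:
--    cut the current account down in place instead of creating a new one.
REVOKE ALL PRIVILEGES ON databasename.* FROM 'wordpressusername'@'hostname';
GRANT SELECT, INSERT, UPDATE, DELETE
    ON databasename.* TO 'wordpressusername'@'hostname';

-- 4. Verify what each account can actually do.
SHOW GRANTS FOR 'wp_runtime'@'hostname';
SHOW GRANTS FOR 'wordpressusername'@'hostname';

-- 5. Audit: list every account that still holds schema-changing rights
--    on this database (rows come from the database-level grant table).
SELECT User, Host, Db, Create_priv, Alter_priv, Drop_priv, Grant_priv
  FROM mysql.db
 WHERE Db = 'databasename'
   AND (Create_priv = 'Y' OR Alter_priv = 'Y'
        OR Drop_priv = 'Y' OR Grant_priv = 'Y');
```

Schema-changing core or plugin upgrades will fail under the runtime account, so run them with the upgrade credentials and switch back afterwards.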

    3. Re:WordPress is a security problem by Dracos · · Score: 0

      Yes, WP is a security problem, but the problem isn't the end users, or even the site owners. It's the general low quality of development skill that the WP ecosystem thrives on. The WP codebase is laughable crap, but makes it easy for entry-level, self-described developers to get something done, although without understanding the ramifications of the sloppy way they did it. They learn such sloppiness from the WP core itself, plugins, or the plethora of half-assed tutorials written by people who have only a fraction more clue about code and security than they do. WP culture is a feeding frenzy of ineptitude. The core was lousy when it was first released, and the dev team's adamant refusal to break backwards compatibility keeps a surprising portion of the internet at risk.

      PHP4 is long gone, but WP core still has over 2000 instances of the global keyword. Only a language as poorly designed as PHP (but which has made tremendous improvements in recent years) could allow garbage like WP to thrive.

    4. Re:WordPress is a security problem by Anonymous Coward · · Score: 0, Troll

      > The main problem is that users don't regularly update

      That's victim blaming. The actual problem is that practically all software is shit. As an industry, we make almost exclusively defective products. And I don't mean the inevitable bug that escaped despite diligent design, careful implementation and thorough quality management. I mean that software is generally so shoddy that we wouldn't let people live in it if it were a house. Software that is at best in prototype stage is foisted on end users, and then we have the gall to blame people for not updating.

    5. Re:WordPress is a security problem by Zedrick · · Score: 1

      > I doubt many people update each and every time.

      They don't have to, Wordpress updates itself by default. Most Wordpress-sites are hacked through plugins like Revslider (lots of people are still running that old version from early 2014) - usually pirated premium plugins (or themes).

    6. Re:WordPress is a security problem by phantomfive · · Score: 1

      This is exactly what I came to say. If you are running Word Press, start a contingency plan now, because you are going to be hacked.

      --
      "First they came for the slanderers and i said nothing."
    7. Re:WordPress is a security problem by phantomfive · · Score: 1

      > That's victim blaming.

      You're right, you shouldn't have to update. Use an old version! Don't conform! Don't let the man tell you what to do!
      I'm not going to blame the victim, but if you don't update, you're still going to get hacked.

      --
      "First they came for the slanderers and i said nothing."
    8. Re:WordPress is a security problem by John+Bokma · · Score: 1

      https://threatpost.com/wordpre...

      > The vulnerability affected the core WordPress engine in versions 4.2 and earlier, a rarity among the constant parade of serious security issues affecting plugins for the content management platform. The vulnerability allows an attacker to inject JavaScript in the WordPress comment field; the comment has to be at least 66,000 characters long and it will be triggered when the comment is viewed

      Ugh...

    9. Re:WordPress is a security problem by Anonymous Coward · · Score: 0

      Which is why I use wp-cli on my server to make sure all WP installations are updated, and all plugins are updated.

      I told my friend, who does the Web Development, that I would rather make his life miserable and ruin the design temporarily than have the server compromised in any way. In case there is a major problem, I have SQL database and htdocs backups to restore at a moment's notice.

      I don't know if it's the right thing to do, but I do it anyway.

    10. Re:WordPress is a security problem by Anonymous Coward · · Score: 0

      You should update, especially if you use a pile of shit like Wordpress. Updating makes getting hacked less likely. But "Mwvdlee" called it "the main problem" that users don't update their software. That's an absurd inversion of responsibility.

    11. Re:WordPress is a security problem by DNS-and-BIND · · Score: 2

      You CANNOT upgrade Wordpress every time there's a change. Doing so breaks your plugins, and these are not often updated. A Wordpress site with no plugins is a weak piece of garbage.

      It took me a long time to realize that Wordpress isn't actually a software package like other software packages. It's meant to be a framework upon which you do your own coding. If you just care about a website and screw the coding, like most WP users, then you're shit-out-of-luck.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    12. Re:WordPress is a security problem by Lennie · · Score: 2

      This is why the Internet Of Things people keep talking about is going to be so awesome ! ;-)

      Lots of products are failing and it's going to get a whole lot worse soon:
      https://www.youtube.com/watch?...

      Cars are my 'favorite' topic right now:
      http://www.wired.com/2015/07/g...
      http://www.wired.com/2015/07/h...
      http://www.bbc.com/news/techno...
      https://www.youtube.com/watch?...
      etc.

      They were already warned about the problems in 2011, there was a talk at Usenix conference about it:
      https://www.youtube.com/watch?...

      They did say: business models are a problem.

      So maybe that's the cause.

      --
      New things are always on the horizon
    13. Re:WordPress is a security problem by drinkypoo · · Score: 1

      > > The main problem is that users don't regularly update

      > That's victim blaming.

      If you volunteer to become a victim, you deserve to share the blame when you are. It doesn't mean we should let people off for what they do, it does mean that someone should explain where you went wrong to you.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    14. Re:WordPress is a security problem by Anonymous Coward · · Score: 0

      You think the problem with WP is the use of the global keyword (still allowed in PHP 5)?? Or are you referring to superglobals that cause so much pain? WP became unmanageable bloatware a long time ago to try to please everyone. PHP just happens to be the best web language to write frameworks in because it's both flexible enough and "meta" enough to do just that, but the quality of the framework is up to the developers.

    15. Re:WordPress is a security problem by 0100010001010011 · · Score: 1

      I moved to Nikola. It's a static site generator written in python.

      All of my posts / pages are written in markdown or restructured text.

      It's easy to integrate with github pages.

      It's static.

    16. Re:WordPress is a security problem by mwvdlee · · Score: 1

      And, sadly, it's impossible to use for somebody barely technical enough to order an overpriced preinstalled WordPress site from a hosting provider.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    17. Re:WordPress is a security problem by Anonymous Coward · · Score: 0

      > You're a gasbag. Quit espousing opinion as fact, you fuckwit.

      Whereas "You're a gasbag" is not an opinion espoused as fact?

    18. Re:WordPress is a security problem by phantomfive · · Score: 1

      > But "Mwvdlee" called it "the main problem" that users don't update their software

      That's true, the main problem was using Wordpress in the first place.

      --
      "First they came for the slanderers and i said nothing."
    19. Re:WordPress is a security problem by l0n3s0m3phr34k · · Score: 1

      My base install does NOT auto-update automatically. It notifies me via email. As Wordpress is presented as a GUI-driven system, modifying config files by hand in a text editor to get auto-update working is a negative for qualifying as "default". Installing a plug-in to get auto-update working isn't considered "default" either. I've looked through the GUI and see no mention of enabling auto-updates, nor see any references to this being "by default".

    20. Re:WordPress is a security problem by 0100010001010011 · · Score: 1

      GitHub pages is near idiot proof, even with your own domain.

    21. Re:WordPress is a security problem by l0n3s0m3phr34k · · Score: 1

      And your suggestion for an alternative is what? Drupal? Sharepoint? I don't know of any other free content management systems with Wordpress's functionality...but that's not my area of expertise anyway. I've only run Wordpress and Drupal as my hobby CMS, and at work we only use Sharepoint. I'm open to suggestions though!

    22. Re: WordPress is a security problem by Anonymous Coward · · Score: 0

      Maybe you should look around a little more. I believe they just enabled this function in 4.0.

      It is fairly new but it does exist because I turn it on and off depending on the site.

    23. Re: WordPress is a security problem by Zaiff+Urgulbunger · · Score: 1

      I have a dev WordPress install running on localhost which hasn't been updated in a while - I just tried that site, and I get a page saying something like "site maintenance being performed - please try again in a minute", and sure enough, it worked shortly after.

      I got an email from it saying it had updated to 4.2.4, but that 4.3 was also now available.

      So it seems minor updates get auto-updated, but not major updates. Which is fair enough... but I don't know how long older releases get security patches for.

    24. Re:WordPress is a security problem by Anonymous Coward · · Score: 1

      > GitHub pages is near idiot proof, even with your own domain.

      Challenge accepted!

    25. Re:WordPress is a security problem by Dracos · · Score: 1

      Drupal is just as free as WP, so is Cake, CodeIgniter, Laravel, and dozens of others. WP brings less to the table than any of those, but it does bring being an easy target.

    26. Re:WordPress is a security problem by thegarbz · · Score: 1

      Wordpress is simple enough to understand by computer illiterate people which is why it is pushed to the "my first blog" crowd. Unfortunately dumbing down the design is part of what makes it such a convenient target. The dozens of others do not offer a CMS for someone who doesn't know what CMS stands for.

  3. If PHP is a fractal of bad design ... by John+Bokma · · Score: 1

    ... then Wordpress is a Menger Sponge.

    1. Re:If PHP is a fractal of bad design ... by Anonymous Coward · · Score: 0

      ... and you are a COW!!!

  4. Please teach us how to protect ourselves by Anonymous Coward · · Score: 0

    Most of the net users do not know how to protect themselves from those malicious attacks, and unfortunately TFA doesn't give out info to its readers on how to protect themselves either

    So ...
     
    Can anyone here please share with us in what way we can protect ourselves from being infected with those malwares/ransomwares?

    Thanks !

    1. Re:Please teach us how to protect ourselves by mpol · · Score: 2

      You only need this if you use WordPress on a public website of course...

      Make sure to have an up-to-date WordPress install. That means that the current major version of 4.3 is okay, but also the minor security update of 4.2.4 (which is an update for 4.2), or even 3.7.10 (which is an update for 3.7).
      Any major version before 3.7 is not supported and a security risk.

      About plugins, only use plugins that are maintained, and use the latest version from the author.
      If you use plugins that haven't had an update in a year or even in 2 years, check if the maintainer is still active, and plan to switch to something else.

      If you use commercial plugins, stay away from illegal downloads. They will have malware inside them.
      Only use commercial plugins in their current version, and keep them updated (which mostly means, pay your yearly fee).

      If you are a developer that builds websites for customers, you will have customers that won't click on Update. You could consider offering a service where you update the software regularly for a reasonable fee.

      --

      Well, don't worry about that. We can get you back before you leave. (Dr. Who)
    2. Re:Please teach us how to protect ourselves by John+Bokma · · Score: 1

      I think the question is: "how can we protect ourselves from getting infected by hacked Wordpress sites".

    3. Re:Please teach us how to protect ourselves by mpol · · Score: 1

      If that is the question, then it's just the same as any other hacked website or ad network.

      --

      Well, don't worry about that. We can get you back before you leave. (Dr. Who)
    4. Re:Please teach us how to protect ourselves by Anonymous Coward · · Score: 0

      Well, in this case, you simply switch your browser from IE.

    5. Re:Please teach us how to protect ourselves by Zumbs · · Score: 2

      > Can anyone here please share with us in what way we can protect ourselves from being infected with those malwares/ransomwares?

      The summary notes that the criminals use a Flash exploit and target Internet Explorer. So, a good guess would be to uninstall Flash and stop using Internet Explorer. If that is too grand a step, you could go for a Flash block addon for your browser, so you get to choose if Flash is allowed to run.

      --
      The truth may be out there, but lies are inside your head
  5. Lol wat by Anonymous Coward · · Score: 0

    Wordpress sucks.

  6. WordPress Flash exploit .. by nickweller · · Score: 1

    "Those sites are backdoored and redirect a victim’s browser through iframes to a landing page hosting the exploit kit where a Flash exploit awaits."

    But can only be successfully exploited on Microsoft windows ..

    1. Re:WordPress Flash exploit .. by Anonymous Coward · · Score: 0

      ...which is why I set all my browsers to "click to enable Flash" months ago. Sure, it makes Youtube more annoying (I use Seamonkey, which is currently a few Firefox releases behind with its Gecko core, so YT doesn't want to use HTML5 video), but I don't have to worry about being pwned via that crap which is mostly used to deliver ads these days.

    2. Re: WordPress Flash exploit .. by Anonymous Coward · · Score: 0

      Windows? What's that?

    3. Re:WordPress Flash exploit .. by drinkypoo · · Score: 1

      > But can only be successfully exploited on Microsoft windows ..

      Oh, only on the world's most popular desktop operating system? No worries then.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:WordPress Flash exploit .. by l0n3s0m3phr34k · · Score: 1

      I feel it makes Youtube BETTER. It may take an extra click, but keeping it from autoplaying ads, skipping forward, etc is worth Flash-blocking on it too. Even CNN and other major sites are better with Flash click-enabled on them.

  7. WP Foundation Development Model Adds to Problem by NaCh0 · · Score: 1

    WordPress as a platform targets the easy-to-use market and thus has a lot of site admins who are not savvy IT people. The auto-update system built into WordPress addressed a large part of the security problem, namely people who don't actively update their software.

    One glaring shortcoming to the WordPress development model is that they don't keep a set of stable releases. The WP core group wants you to stay on the most recent head version to be secure. In practice they have patched previous releases going all the way back to 3.8 but you definitely get the feeling that this is a half-hearted stop gap while they brow-beat you up to the head version.

    Linux distros went through this growing pain 15 years ago with the introduction of enterprise distributions. It is about time that the WordPress foundation recognize that they are no longer a small time blog package. They need to introduce long term supported releases for the stability of their platform.

    1. Re:WP Foundation Development Model Adds to Problem by drinkypoo · · Score: 1

      > It is about time that the WordPress foundation recognize that they are no longer a small time blog package. They need to introduce long term supported releases for the stability of their platform.

      Why? What's wrong with updating? Basic users aren't using internal APIs, so they don't have a problem if they update a module.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:WP Foundation Development Model Adds to Problem by l0n3s0m3phr34k · · Score: 1

      "defining constants in wp-config.php, or adding filters using a Plugin. " is NOT considered a GUI-based "default". As far as I can tell, there is no area inside the GUI to enable this, without installing a plugin. That too shouldn't be considered "default". It needs to be in the core GUI, right on the Dashboard "Enable auto updating?" and enabled by default on all deployments. Forcing users to edit a php file on a server isn't a good policy, nor is requiring a plug in. All major operating systems and software puts this right out in the open and doesn't make me edit INI / PHP files.

      It took a coming together of RH, VMWare, and Novell to push Linux into the "enterprise" on a serious level. Wordpress has a long way to go, especially if auto updating (and other features) are hidden like this.

  8. WP has impressive security. (I'm not joking) by Qbertino · · Score: 0

    I've done a massive amount of deployments with various PHP based web-CMSes, mostly Joomla and Wordpress. And while they're all built on ancient hacks of incredibly crappy architecture and application models, the type that lets you stand back in awe and amazement vis-a-vis the utter shittiness of each of these webapp-hodgepodge behemoths, I like WordPress the best, because at least I don't feel dirty when building a quick hack with it *and* I actually *can* build a quick hack with it. Unlike, for instance, Typo3, which is truly FUBARed.

    WP is an entire hack in itself - sort of like an extension of the non-existent PHP philosophy it's built with.

    However, as for the WP security record, I am honestly surprised how good it is. And before you start laughing, keep in mind that there are an estimated 50 million actively used installs of WordPress running on the web, with more than 80 million in total.

    Yes there are security updates every odd month, yes the plugins are a mess and yes the people developing for and with WP and building extensions for it couldn't code a proper class if their life depended on it. And they should be prohibited by law to approach a keyboard. But they do get the job done and it's exactly for that very reason that I'm surprised how well the core team keeps up with stuffing the most prominent and dangerous holes, often before anybody else discovers them.

    I'm quite certain this hole will be plugged in the next few days as well.

    Bottom line:
    Measured by its install base, WordPress security actually is quite impressive. There is no other WebCMS with such a marketshare out there and I doubt any other product would be measurably safer. ... My 2 cents.

    --
    We suffer more in our imagination than in reality. - Seneca
  9. How Does One Test For Such An Issue? by LifesABeach · · Score: 1

    OK, so I've got a WordPress site, how can I test to see if this crud is on my site, even though I'm on 4.3?

    1. Re:How Does One Test For Such An Issue? by Anonymous Coward · · Score: 0

      https://sitecheck.sucuri.net/ is a good start.

  10. So much hate by ganiman · · Score: 1

    The Wordpress hate here is hilarious. So much obvious anger. Get over yourselves. All of the hate for Wordpress can be compared to ruling in favor of same sex marriages. All of the right wing nut jobs are screaming about how it affects them and how it's so bad, as if someone were going to force them into a same sex marriage. No one is forcing anyone to use Wordpress either - it's easy and opens operating a web site to a very large number of people. That is a wonderful thing, not a bad thing. If you don't like it, fine, no one cares. If you believe your site is somehow more secure for not using it, or using some alternative, good for you, pat yourself on the back. The truth is, every piece of software ever written has potential for security holes, which may need to be patched. And even using "the most secure" software on the planet is only as secure as the people using it. Wordpress is no different. It definitely has its uses. Arguing about it is like arguing about religion.

    --
    geek n performer who performs morbid or disgusting acts, as biting off the head of a live chicken