Stem Bolt: Massive Compromise of WordPress-based Sites » labs.m86security.com/2012/01/mas···2%80%99/
quote: A few days ago, hundreds of websites, based on WordPress 3.2.1, were compromised. The attacker uploaded an HTML page to the standard Uploads folder and that page redirects the user to the Phoenix Exploit Kit. Its logs show that users from at least four hundred compromised sites were redirected to Phoenix exploit pages.
Scott Brown: Not that massive. There are many millions of self-hosted WordPress sites and compromises are very common. There are a variety of attack vectors to which it can be subjected... insecure WordPress versions, insecure plugins, insecure hosting configurations, weak passwords... -- Scott Brown Consulting
therube (reply to Stem Bolt): Here's one from the list for those interested:
view-source:h ttp://justinfreidmedia.com/wp-content/uploads/bhhyk.htm
If those stats are accurate, they've got a pretty good percentage going. And of that, the majority is from MDAC (MS Data Access Components), Java & PDF exploits. (Far less from Flash).
trparky: Does anyone know how this exploit works?
I'm involved in a group online that has built a sort of Intrusion Detection System for PHP scripts (ZBBlock) that can be included into any PHP-driven web site with one single line of code. It detects attacks using a series of intrusion detection signatures looking for obvious methods to attack web sites. It has been very successful in blocking even the most sophisticated attacks, including SQL Injection, Cross-Site Scripting, remote code injection, etc.
I'd like to know how the attack works so I can devise an attack signature to block the exploit from occurring. Not just for WordPress but possibly other CMSs written in PHP. -- Tom Boycott AT&T uVerse! | Tom's Android Blog | Droid Charge TweakStock by dwitherell
Scott Brown: I do not believe there has been an arbitrary file upload vulnerability in any WordPress version in quite a while, since several versions prior to 3.2.1, so whatever the means of privilege escalation was it must have fallen into one of the other categories. The article linked by OP does not really discuss that part and is more interested in the exploit bundle. -- Scott Brown Consulting
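Whatever the initial vector, the artifact the M86 post describes is a static redirect page sitting in wp-content/uploads, so a filesystem sweep of that tree is one detection a site owner can run without knowing how the attacker got in. The script below is an added example, not code from the M86 post, from WordPress or from ZBBlock; the allowed-extension set, the redirect patterns and the sample files it builds are assumptions made for the example.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Extensions a normal media library contains (assumed set for this example).
ALLOWED_MEDIA = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".mp3", ".mp4", ".zip"}

# Redirect techniques typical of drive-by landing pages: meta refresh,
# JavaScript location assignment, zero-sized iframe. These patterns are an
# assumption for this example, not a ZBBlock or M86 signature.
REDIRECT_PATTERNS = [
    re.compile(rb'<meta[^>]+http-equiv=["\']?refresh', re.I),
    re.compile(rb'(window\.|document\.)?location(\.href)?\s*=', re.I),
    re.compile(rb'<iframe[^>]+(width|height)\s*=\s*["\']?0', re.I),
]


def classify_file(path: Path) -> Optional[str]:
    """Return a finding label for a suspicious upload, or None for expected media."""
    ext = path.suffix.lower()
    if ext in ALLOWED_MEDIA:
        return None
    if ext in {".php", ".phtml", ".php5"}:
        return "executable-script"      # server-side code never belongs in uploads
    if ext in {".htm", ".html"}:
        data = path.read_bytes()[:65536]
        if any(p.search(data) for p in REDIRECT_PATTERNS):
            return "html-redirect"      # the landing-page pattern from the M86 post
        return "html-in-uploads"        # still worth a look, but no redirect seen
    return "unexpected-extension"


def scan_uploads(root: str) -> Dict[str, str]:
    """Walk an uploads tree and map relative path -> finding label."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            label = classify_file(p)
            if label:
                findings[str(p.relative_to(root))] = label
    return findings


def demo() -> Dict[str, str]:
    """Build a constructed uploads tree (sample data, not real files) and scan it."""
    root = tempfile.mkdtemp()
    (Path(root) / "2012" / "01").mkdir(parents=True)
    (Path(root) / "2012" / "01" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (Path(root) / "landing.htm").write_bytes(
        b'<html><head><meta http-equiv="refresh" content="0;url=http://example.invalid/kit/"></head></html>')
    (Path(root) / "readme.html").write_bytes(b"<html><body>hello</body></html>")
    (Path(root) / "shell.php").write_bytes(b"<?php echo 1; ?>")
    return scan_uploads(root)
```

Run `demo()` to see the constructed tree classified; point `scan_uploads()` at a real wp-content/uploads directory to sweep a live site, and treat every `html-redirect` or `executable-script` hit as something to pull and inspect.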
Smith6612 (reply to Stem Bolt): Version 3.2.1 is rather old. I'm already running the most up-to-date version of the software on my own server. In the past few days I have seen a lot of randomly chosen URLs hitting the WordPress install, all returning back as Error 404 according to nginx, but they have yet to tamper with anything related to the software.
caffeinator (reply to Stem Bolt): Hmm, I have a test blog that's not really used....no registering allowed and have SI Captcha and Akismet installed just because.
It was running 3.2.1 but wasn't affected. Just upgraded everything to latest anyways.
FWIW, it wasn't running on a Windows server. --
My 9/11 Tribute..online since 9/14/01 Need an Avatar? Check out Wafen's Avatar Pages