Posts with label WordPress hacks

Wordpress Websites Compromised; Injected With JavaScript Code

A recent decision by Google to prohibit technical support advertisements from unverified operators has led to the compromise of thousands of WordPress websites, which are being injected with JavaScript code that redirects users to technical support scam pages.

Jérôme Segura of Malwarebytes spotted the attacks as they began in early September. He observed either a large encoded block, usually in the HTML header, or a single line of code loading external JavaScript.

The code in the HTML header would deobfuscate to something like this:

Attackers use the technique to imitate the practices of legitimate organizations and abuse a legitimate advertising platform to promote their technical support services, which additionally makes them look trustworthy to the potential victim.

The recently observed attacks follow the classic formula for persuading users to call for technical support: a redirect to a page showing a warning about viruses running rampant on the PC, and a conveniently placed toll-free support phone number.

Segura, while talking with Bleeping Computer, said: "We are pushing ads for some geolocations and user agents, we've also seen campaigns designed to redirect to websites that inject the CoinHive JavaScript miner, allowing the attacker to spend the resources of users' computers to mint Monero cryptocurrency for as long as the compromised page is opened."

Several sites apart from Malwarebytes have likewise identified a compromised 'wp_posts' table in the WordPress database, which stores all the content: posts, pages and their revisions, along with navigation menu items, media records and content used by plugins.
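One way to look for the injection Segura describes inside the wp_posts table, as an added example rather than anything from the posts above: it queries a constructed in-memory copy of the table for post bodies containing a script tag and flags external script sources (SITE_HOST is an assumed own hostname), obfuscation primitives and long encoded literals. Matches are leads for review, not verdicts.

```python
import re
import sqlite3

SITE_HOST = "blog.example"  # assumption: the site's own hostname

# Constructed rows shaped like WordPress's wp_posts table (ID, post_content).
SAMPLE_POSTS = [
    (1, "<p>Plain article text.</p>"),
    (2, '<p>Embed</p><script src="https://blog.example/wp-content/themes/t/app.js"></script>'),
    (3, '<p>Hi</p><script src="https://cdn.constructed.invalid/s.js"></script>'),
    (4, "<script>eval(unescape('%61%6c%65%72%74%28%31%29'))</script>"),
    (5, '<script>var _0x="' + "41" * 120 + '";document.write(_0x)</script>'),
]

EXTERNAL_SRC = re.compile(r'<script[^>]+src=["\']https?://([^/"\']+)', re.I)
OBFUSCATION = re.compile(r'\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(', re.I)
LONG_ENCODED = re.compile(r'["\'][0-9A-Za-z+/%=]{200,}["\']')

def classify(content):
    """Return the reasons a post body looks like an injected script (empty if none)."""
    reasons = []
    for host in EXTERNAL_SRC.findall(content):
        if host.lower() != SITE_HOST:
            reasons.append("external script from " + host)
    if OBFUSCATION.search(content):
        reasons.append("obfuscation primitive in inline script")
    if LONG_ENCODED.search(content):
        reasons.append("long encoded string literal")
    return reasons

def scan_wp_posts(conn):
    """Classify every post whose content carries a script tag; returns {ID: reasons}."""
    cur = conn.execute(
        "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%<script%'")
    findings = {}
    for post_id, body in cur:
        reasons = classify(body)
        if reasons:
            findings[post_id] = reasons
    return findings

def sample_db():
    """Build the constructed wp_posts table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?)", SAMPLE_POSTS)
    return conn
```

Against a real site the same query runs through the site's own database connection, with the table prefix adjusted if it is not the default wp_.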

WordPress Automatic update won't help in cleaning malicious files

Cyber criminals compromised more than 1000 WordPress websites and modified the Automatic Update feature to redirect visitors to malicious sites, e-commerce sites or low-quality PPC search result aggregators.

Hackers managed to compromise the 'wp-admin/includes/update.php' file and modify the 'wp_update_core' function, which is used by the WordPress Automatic Update feature.

This function checks for available updates, downloads the new files and replaces the old ones to complete a WordPress upgrade. When the malicious code in the 'wp_update_core' function runs, it reinfects the just-updated, clean wp-settings.php file.

"So if you thought that WordPress upgrade could only make you blog more clean – you were wrong. If your blog was infected before the upgrade and hasn’t been completely cleaned up, the upgrade itself may even reinfect files that were clean before the upgrade" Denis Sinegubko, the founder of the helpful Unmask Parasites website said.

"Manual upgrades and upgrades via SVN are still completely safe. By the way, not only are SVN updates safe but they are also nearly as simple as automatic updates (one simple command) and provide built-in integrity control, so you can easily identify all changed and potentially infected code WordPress files and have them reverted to their original state." he concludes.
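The kind of integrity control Sinegubko describes, done offline, as an added example (not code from the posts or from WordPress itself): every core file is hashed and compared against the checksum list for that release, so a modified update.php, a reinfected wp-settings.php and any file dropped into a core directory stand out. The tree and its checksums are constructed in a temp directory; for a real install the list comes from the WordPress.org checksums API or `wp core verify-checksums`.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for the per-version core checksum list a clean WordPress
# release defines (in practice fetched via the WordPress.org checksums API or
# `wp core verify-checksums`); the MD5s below come from these constructed files.
CLEAN_CORE = {
    "wp-settings.php": "<?php\n// bootstrap\nrequire ABSPATH . 'wp-includes/load.php';\n",
    "wp-admin/includes/update.php": "<?php\nfunction wp_update_core( $current ) {\n  // fetch, unpack, copy\n}\n",
    "wp-includes/load.php": "<?php\n// loader\n",
}
EXPECTED_MD5 = {p: hashlib.md5(c.encode()).hexdigest() for p, c in CLEAN_CORE.items()}

def md5_file(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def verify_tree(root, expected):
    """Return (modified, missing, unexpected) relative paths, each sorted."""
    modified, missing, unexpected = [], [], []
    for rel, digest in expected.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif md5_file(full) != digest:
            modified.append(rel)
    # Anything inside a core directory that no clean install contains is suspect.
    for d in ("wp-admin", "wp-includes"):  # directories the checksum list covers
        for dirpath, _, names in os.walk(os.path.join(root, d)):
            for name in names:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                if rel not in expected:
                    unexpected.append(rel)
    return sorted(modified), sorted(missing), sorted(unexpected)

def build_sample_install(infected=True):
    """Write a constructed install to a temp dir, optionally with the injections."""
    root = tempfile.mkdtemp()
    files = dict(CLEAN_CORE)
    if infected:  # appended lines in two core files plus a stray script in wp-includes/js
        files["wp-settings.php"] += "// constructed: injected line\n"
        files["wp-admin/includes/update.php"] += "// constructed: reinfect on upgrade\n"
        files["wp-includes/js/l10n.js"] = "// constructed: not part of core\n"
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(content)
    return root
```

Core checksum lists do not cover wp-content, so theme, plugin and upload directories need a separate baseline or a diff against a known-good backup.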

TimThumb vulnerability in Wordpress leads to malware infection

Last month, thousands of WordPress sites were found infected with malware, as discovered by Armorize. Avast researchers investigated the hack and concluded that the Blackhole exploit kit, made by Russian developers and available for $1500 on the black market, was used.

The vulnerability in outdated TimThumb allows attackers to upload and execute arbitrary PHP code in the TimThumb cache directory, which then downloads other malicious files. But this is not the only infection vector; for example, attackers also use stolen passwords to make changes directly over FTP.

On the FTP server, alongside the other site files, a new file will appear that looks like this: ./wp-content/w3tc/min/a12ed303.925433.js or ./wp-includes/js/l10n.js

These scripts redirect to another site hosting the Blackhole exploit kit. The victim is then served a JAR file that deploys further malicious downloads to the infected system.


50000 WordPress Sites infected with spam

The attack consists of contacting a remote domain to get a list of links to be displayed on the compromised sites. However, that domain has been down for the last few days, which is what exposes the sites that were compromised. Most of the hacked sites had outdated versions of WordPress installed.

Infected sites show the following message in the footer:
Warning: file_get_contents( 47509328/p.php?host=… failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or service not known in ..

WordPress Photoracer Plugin Vulnerable to XSS and SQL Injection

A hacker known as "Pr0T3cT10n" found multiple vulnerabilities in the WordPress Photoracer plugin. The plugin is vulnerable to XSS (cross-site scripting) and SQLi (SQL injection); tested on WordPress 3.2 Hebrew, Photoracer 1.0.


Update: the plugin appears to have been removed from the WordPress plugin directory.