WordPress Injection Attack
09 Mar 2010 04:51 AM
Nowadays it is not surprising when people's blogs are attacked, especially when the blog owner is a well-known person. No matter how frustrated or disappointed the bloggers are, attacks still continue. If you search "my blog was hacked" on Google, you get 4,230,000 results; searching "my blog was hacked again" returns 2,380,000 matches, and the number keeps increasing daily. What we can see from the these rough stats? Apparently nearly 44% of attacked blogs are lucky and aren't attacked again, but over 56% of attacked blogs repeat the previous nightmare.
So why does this happen? There are several reasons, but the one we should absolutely never ignore is the vulnerabilities of blog platforms themselves. According to the following Open Source CMS Market Share Report 2009, WordPress, which has the most downloads among all competitors, is dominating today's market along with Joomla! and Drupal. Therefore, we have used WordPress for our research.
Websense® Security Labs™ ThreatSeeker™ Network has been monitoring the latest WordPress injection attack for over 2 weeks and has found over 250,000 injections occurring in the past half month. Moreover, over 37,000 URLs in the wild are still being injected according to our observations. As the following chart shows, the daily stats go up and down a few times and always end up higher, so we believe the hackers are still continuing their attack.
WordPress is so widely used all over the world that every version of it is studied and exploited by hackers, even the latest version (2.9.2, released on December 18, 2009). The following chart reveals the percentage split of different WordPress releases affected in this attack.
The following obfuscated malicious code snapshot shows what the injection looks like. The ultimate purpose of the attack is all about making money, as Sophos has already investigated.
These attacks probably happened due to SQL injection via some known and unknown WordPress vulnerabilities. SecuriTeam maintains a list of 23 known WordPress vulnerabilities, and if you search on milw0rm.com, you get almost 60 results. This means that 60 different vulnerabilities have been discovered to exist in different versions of WordPress.
Injection is not the only way for hackers to utilize those vulnerabilities; compromising a site is also a good option. It has often been reported that compromised Web sites are used for Blackhat SEO to push rogue AVs. Novirusthanks has a great analysis here, and more investigation indicates that the compromise behind the attack is connected to WordPress vulnerabilities.
WordPress users should be very familiar with the injection or compromise attack since it has been used frequently in the past. Although WordPress has 2-3 releases every year and has 3 releases planned this year as usual, it has proved to be not enough: we still can see many victimized sites with the latest 2.9.2 installation. However, without the help from WordPress developers, there are still some measures we can take to harden our blogs. In addition, some WordPress plugins are also very helpful. Typically, bloggers choose WP Security Scan for vulnerability checks and WordPress Exploit Scanner for injection checks. Moreover, when attacks really happen, don't panic: a great guide is already there to help you clear up the mess.
Websense Messaging and Websense Web Security customers are protected against this attack.
Security Researcher: Elson Lai, Tim Xia