I have the latest WordPress version - is my Website protected?
Posted: 13 Mar 2012 04:00 AM

A few days ago, Websense® SecurityLabs™ detected a large-scale malware campaign mainly targeting WordPress pages. We have received many questions about who and which websites are in danger and how to protect against this attack. While many forum posts and comments speculate that outdated WordPress versions are at fault, unfortunately, we found that this is not true. We dug a bit into this subject and analyzed 30,000 domains to see what types and versions of CMS (Content Management System) have been compromised so far.

 

We checked several aspects of each of these compromised websites and concluded that most of them run on the Apache web server with a PHP environment. As you can see in the pie chart below, PHP dominates the server side:

 

 

Digging a little deeper, we were also able to examine which CMSs were victims of the attack. Initially, when we discovered the attack, we found only WordPress sites, and after a week or so, the picture had not changed that much. WordPress still serves the majority of the compromised websites; however, we did see a small number of other CMSs as well. We also noticed that an increasing number of Joomla sites are affected, with all other content managers making up a tinier slice.

 

 

The big question still remains: Is my Website protected if I use the latest WordPress version? Checking all WordPress sites, we conclude that most of the compromised sites were in fact using the most recent version, which indicates that having the latest version of WordPress does not make you immune to this threat. 

 

So how can you protect yourself? Here are some of the dominant attack vectors that websites using the latest WordPress version are likely to be exploited through:

 

  • Weak passwords / stolen credentials
  • Vulnerable third-party modules used in WordPress
  • Security holes in the underlying server infrastructure, such as in the database server or the server side scripting engine (PHP in this case)

 

Websense Security Labs strongly recommends that website owners perform security audits and fix all problems to keep attackers away from their sites. Websense customers are protected from injected websites with our Advanced Classification Engine, or ACE, which detects compromised websites in real time. 

 

 

Media Temple injections lead to Phoenix Exploit Kit
Posted: 05 Aug 2010 10:39 AM

Websense® Security Labs™ ThreatSeeker™ Network has discovered that over 100 Web sites on the Media Temple Web host servers have been compromised, and will lead visitors to the Phoenix Exploit Kit. It's not the first time they have had a WordPress injection, but a quick investigation suggests that only 46% of these sites have WordPress installed, and Sucuri Scanner reveals that they do have multiple vulnerabilities. So what happened to the other sites? They don't have WordPress installed but have still been compromised; why? According to the statement from Media Temple, neither Media Temple’s architecture nor the up-to-date versions of WordPress is the source of these compromises. Some insecure 3rd-party software applications installed on customer servers are the root cause, which has been verified by Sucuri.

 

All the injections are designed to only work on JavaScript files as shown below, and are obfuscated to evade detection.

 

 

After deobfuscation, we found a simple algorithm that generates malicious URLs. We generated 64 URLs, all of which are already covered by Websense. Checking those generated URLs, we found 2 different scripts. One is very simple, with an anti-bot trick so that it won't be crawled by search engines. Unfortunately, the payload site it redirects to is now down.

 


The other is highly obfuscated, and finally redirects to an exploit kit called Phoenix.

 

 

The Phoenix Exploit Kit is a sophisticated hacker tool set that exploits several of the latest vulnerabilities on popular vectors to execute arbitrary code.

 

 

Websense TRITON Advanced Classification Engine (ACE) is protecting customers against this attack. We will keep track of it and provide updates when it changes. 

Wordpress users, are you safe?
Posted: 09 Sep 2009 10:20 AM

If you are running an older version of Wordpress, meaning less than 2.8.4, you ABSOLUTELY want to read this.

 

A worm that can post malware and spam to vulnerable Wordpress installations has recently been discovered in the wild and unless you're running the very latest version of Wordpress, you are at risk. Seriously at risk.

 

The vulnerability allowing the attack was discovered August 11 and was immediately fixed by the Wordpress team in the 2.8.4 security release. If you are using version 2.8.4 or better of Wordpress, or host your blog on Wordpress.com, you are safe.

 

The newly discovered worm is pretty sneaky to say the least. In a nutshell, it crawls the web looking for vulnerable Wordpress installations, makes itself an administrator account, takes full control of the website and posts malware and spam to it. It's also been reported that it will sometimes disable Defensio and other anti-spam plugins. It can be very hard to detect the new malicious administrator user since it hides itself from the users list using Javascript.

 

Bah... This stuff never happens to me!

 

If rock star blogger Robert Scoble can be hacked, you probably can as well. This vulnerability is serious, so please treat it as such.

Have I already been hacked?

 

As Lorelle VanFossen wrote on her blog:

 

There are two clues that your WordPress site has been attacked.

 

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER %5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

 

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.
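
Both clues quoted above can be checked directly in the WordPress database instead of through the admin screens, where the worm hides its account. The following is an added example, not code from the original post or from WordPress: it assumes the default wp_ table prefix, and the in-memory SQLite tables, account names and permalink value are constructed sample data standing in for a site's MySQL database.

```python
import re
import sqlite3

# Keywords the quoted post names as the sign of a tampered permalink structure.
MARKERS = re.compile(r"eval|base64_decode", re.IGNORECASE)


def build_sample_db():
    """Constructed sample data in WordPress's table layout (wp_ prefix assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    conn.execute("INSERT INTO wp_options VALUES ('permalink_structure', ?)",
                 ("/%year%/%postname%/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/",))
    users = [
        (1, "admin", "2008-03-30 07:40:00"),
        (2, "editor_jane", "2009-01-12 10:00:00"),
        (7, "unknown_admin", "2009-09-05 03:14:00"),  # constructed rogue account
    ]
    caps = {
        1: 'a:1:{s:13:"administrator";b:1;}',
        2: 'a:1:{s:6:"editor";b:1;}',
        7: 'a:1:{s:13:"administrator";b:1;}',
    }
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", users)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, 'wp_capabilities', ?)", caps.items())
    return conn


def tampered_permalink(conn):
    """Return the permalink structure if it contains eval/base64_decode, else None."""
    row = conn.execute(
        "SELECT option_value FROM wp_options WHERE option_name = 'permalink_structure'"
    ).fetchone()
    if row and MARKERS.search(row[0]):
        return row[0]
    return None


def unexpected_admins(conn, expected_logins):
    """Return administrator accounts that are not in the expected set."""
    # Reading the tables bypasses the users list, where the account is hidden client-side.
    rows = conn.execute("""
        SELECT u.ID, u.user_login, u.user_registered
        FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities'
          AND m.meta_value LIKE '%"administrator"%'
        ORDER BY u.ID
    """).fetchall()
    return [r for r in rows if r[1] not in expected_logins]


if __name__ == "__main__":
    db = build_sample_db()
    print("tampered permalink:", tampered_permalink(db))
    print("unexpected admins:", unexpected_admins(db, {"admin"}))
```

On a live site the same two SELECT statements can be run against the MySQL database, with the table prefix and the set of expected administrator logins adjusted to the installation.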

How do I prevent my site from being targeted?

 

It's easy. Upgrade. If you are using a somewhat recent version of Wordpress (2.7+), upgrading is easy since the functionality is now built-in. But if you are not, you should take a look at the excellent InstantUpgrade plugin which makes upgrading Wordpress a single-click operation.

 

If you have already been hacked, you will need to delete the malicious admin user as well. Changing all your passwords is also strongly recommended.

 

You might also want to check out How to Keep Wordpress Secure and the My Site Was Hacked FAQ.

How can I keep my Wordpress blog safe in the future?

 

Wordpress is generally a safe platform. However, we recommend that you always use the latest and greatest version to make sure that all known security exploits are patched. You should also make sure that your passwords are not easily guessable, either by a human or a machine. A password of at least 8 characters which includes at least 1 uppercase, 1 lowercase and 1 digit is generally considered "strong". Following @defensio, @websenselabs and @wordpress on Twitter is also a good way to stay up to date.

 


Defensio, the blog

Now on GitHub and Lighthouse
Posted: 21 Jul 2008 07:22 AM

Good news!

By popular request, we just started hosting our WordPress plugin code on GitHub!  You can now stay up-to-date with our development effort and even help us by implementing the features you want.

GitHub (and Git) make collaborating on software easy.  Everybody can now fork our plugin to implement new features or fix a bug.  We'll be happy to integrate any changes we feel will benefit other users.

If you're not that much of a coder, you can still help!  We definitely need people to test the freshly baked code you'll find at GitHub.

Our GitHub page is at http://github.com/defensio.  Oh... and if you don't know what Git is yet, you should definitely check out PeepCode's great video on the subject ($9, but worth every penny).

We have also created a ticket tracker at Lighthouse.  You can now submit your bugs or feature requests here: http://karabunga.lighthouseapp.com

Happy collaboration!


Defensio, the blog

Wordpress 2.5 is out, and we're ready!
Posted: 30 Mar 2008 07:40 AM

After some delays, our friends at Automattic have finally released version 2.5 of their flagship product, Wordpress.  We've been watching their progress closely and making a few tweaks along the way. Today, I'm happy to announce that the latest version of the Defensio plugin works just fine with WP 2.5!

So upgrade without fear, we'll still be there.  Happy blogging!

 


Defensio, the blog

WordPress 2.5 support coming soon
Posted: 10 Mar 2008 12:25 PM

As some of you might know, our friends at Automattic are planning to release version 2.5 of WordPress today.   We've been getting a lot of emails about compatibility with the Defensio plugin.

 

At this moment, our plugin is not yet 100% compatible with WP 2.5.  We have already started making the needed adjustments and we expect to release an update in the next few days.   It might be wise to wait a couple of days before upgrading to 2.5.

 

We'll keep you posted here.

Defensio, the blog

Defensio Does OpenID
Posted: 20 Jan 2008 04:00 PM

Big day for Defensio! Why? Because we're rolling out a boatload of new functionality:

OpenID

First off, we're pretty jazzed to announce that Defensio now supports OpenID! This is big news for you blog owners out there because you should see your accuracy improve even further; and it's big news for all you developers because you now have one more reason to add OpenID support to your app.

For those of you unfamiliar, OpenID is essentially an open standard that allows you to log into participating web applications using a single URL to represent your identity. Practically speaking, this means you only need to remember one web address to represent yourself anywhere on the web, rather than a bunch of different login/password combinations. That's a good thing!

If you're a WordPress blogger, getting started couldn't be easier. You'll simply need to install the WP-OpenID plugin and grab the latest version of Defensio. After that, whenever a commenter drops a comment on your blog using his/her OpenID URL, this information will be sent to our servers and automagically treated (cleverly!) in our filtering algorithms.

On the developer side, we've incremented our API to version 1.2 to reflect the fact that the 'audit-comment' method now accepts the new 'openid' parameter. Pretty simple, n'est-ce pas?

And while OpenID logins are not quite ready for logging into your own Defensio account management panel, that functionality's in the works, so look for it soon!

UI Enhancements

If OpenID wasn't reason enough to upgrade your Defensio plug-in, we've also just added several new sorting & filtering features that should make your spam management that much easier:

- Sort by Post Date: You can now sort your spam box by post date, meaning you'll see the spam flowing into your blog organized according to posts, in reverse chronological order. We think this will be a handy way to keep track of comments & spam associated with your recently posted articles. And of course, since it's Defensio, everything will be secondarily sorted by spaminess, making it uber simple to pull out the false positives.

- Spam Bucketing: We've extended the idea of sorting by spaminess to aggregate spam comments into high level categories, or "buckets" (e.g. "Very spammy", "Quite spammy", etc.) which should be more meaningful than plain old percentages. While subtle, we feel this usability enhancement will help to tidy up the interface and make it easier for you to get your head around the storm of spam hitting your blog every day.

- Trackbacks: One of the most requested features we've had is the ability to separate out trackbacks from comments. We've added this functionality via links at the top of the spam box that enables you to see "All" (i.e. everything, the current default) or strictly "Comments" or strictly "Trackbacks". This added flexibility should make your daily (weekly?) spam management task just a smidgen more efficient.

Whew. Lots of stuff! Please do install the latest version of the plug-in (we're calling it 1.5) and let us know what you think!


Defensio, the blog

Time to update!
Posted: 04 Dec 2007 08:20 AM

Many plugin and library updates have just been posted to our website. Here's a brief summary...

Blogging platforms

  • Wordpress plugin: updated to version 1.2. It fixes all the known issues.
  • Pixelpost plugin: updated to version 1.1. Adds the Defensio counter and a bit more eye candy (like in Wordpress).  Thanks Dennis!

Developer libraries

(is this a coincidence? All these programming languages start with a P!)

Thanks to everybody who contributed their time. We appreciate it very much!


Defensio, the blog

Wordpress plugin update available
Posted: 20 Nov 2007 01:35 PM

Hola!

 

We're glad to announce that we've just updated our Wordpress plugin. It now stands at version 1.1.2. Many of the features you requested have been added... but keep 'em coming!

 

You can download the latest version of the plugin at Wordpress Extend or from the Defensio website.

 

Here's some of the new stuff:

 

Unprocessed comment notification


 

In the event that your Wordpress instance cannot connect to Defensio, comments are stored in the moderation queue. We've just added the possibility to resubmit those comments to Defensio with the click of a button. Easy and convenient.

Defensio Counter


 

Spread the Defensio love and tell the world how many spam you didn't see by adding the Defensio Counter to your blog. It's available as a "Wordpress Widget" for simplicity, or as a "PHP statement" for themes not supporting widgets. Our plugin ships with 2 default colors: dark grey and light grey (hey! we like grey!), but we've made it super easy for you to create your own fancy custom counter.

Quarantine status in Dashboard


 

Defensio now has its very own section in the Dashboard's activity box. The number of new spam is just a glance away.

Architecture changes (important!)

 

Our plugin is now hosted on Wordpress Extend. Its official name has been changed to defensio-anti-spam, which means that it should now reside in /wp-content/plugins/defensio-anti-spam instead of /wp-content/plugins/defensio. When updating, do not forget to delete the old directory: not doing so will lead to version conflicts.

 

If you have a recent version of Wordpress, you should be notified about plugin updates in the Plugins tab of your control panel. That makes it super easy to always stay up-to-date.

Need Help?

 

If you need help with Defensio, make sure to visit our community forum or simply drop us an email.

 

Cheers!


Defensio, the blog

Defensio Unveiled!
Posted: 06 Nov 2007 04:00 PM

We are very charged up today to announce the much-anticipated (by us, at least!) public-beta launch of Defensio's new spam filtering web service for blogs (and other social web applications subject to spam).

 

If you're a blogger, you are likely already intimately familiar with the "spam problem". Spammers have been waging war on the blogosphere for months now, bombarding the comments section of blogs with literally millions of spam messages per day. This creates a lot of work for blog owners, who have to wade through hundreds if not thousands of messages every week, just to make sure their comment garden remains weed-free. It's become such a problem that many simply don't bother anymore, preferring to let the odd legitimate comment disappear; and an increasing number of bloggers are even opting to shut down comments altogether -- an unfortunate, and unnecessary, concession to the cold-hearted spammers' cause.

 

We felt that the time was ripe for a better spam management solution; so we built Defensio.

But with other web-based anti-spam services out there, what makes Defensio so special? Well, let us count the ways:

Ridiculously easy spam management:

 

Defensio sorts your quarantined comments by their "spaminess" value. This means that finding the occasional legitimate comment buried in your spambox (aka false positive) becomes dead easy, by bubbling up to the top of the list. We think this feature alone will make you never want to go back to old chronological spam sorting ever again.

RSS feeds of your comments and spam:

 

Defensio provides RSS feeds of all comments and spam messages posted to your blog, in digest form, to make it a cinch to follow the conversation. And what's best is that since it's Defensio, new spam messages will always be spaminess-sorted, making it ultra easy to pick out the good stuff.

Detailed statistics for complete transparency:

 

We believe in letting you in on how Defensio is performing on your own blog; it's your traffic after all! You'll get up-to-date accuracy and traffic statistics directly in the plug-in, as well as gorgeous charts to help you monitor the evolution of spam and performance over time.

Stellar accuracy:

 

Defensio is coldly efficient in stopping spam. What's best is that our filter's performance is personalized to your own blog, and continues to improve over time. And since we're up-front about performance statistics you can see for yourself just how we're doing, which, after an initial learning phase should hover well above 99% accuracy. Not bad, we think!

Not just for blogs:

 

Defensio's spam fighting abilities don't end with the blogosphere. We've built an easy-to-use public API that is perfectly suited to handling comment traffic from any social web application that might be subject to spam. Already, generous community developers have contributed plug-ins for PixelPost, Ruby on Rails and .NET. So, if you're a developer, check out our API and get a-buildin'.

 

Want to achieve stress-free spam-free nirvana on your blog? It's super easy to get started! Simply sign-up for an account and then download and install a plug-in. We are currently supporting WordPress 2.1+, PixelPost 1.7+ and Umbraco, with more platforms coming online soon. And the best part is that Defensio is 100% free for personal use; it's hard not to like that!

 

Please browse around our shiny new web site, and let us know if you have any questions -- we've set up a community forum to hear what you have to say, and we'll be monitoring it closely. Finally, we encourage you to sign up for this blog's RSS feed so that you can stay up to date with all the latest news and developments, Defensio-style.

 

See you on the other side of spam.

Defensio, the blog


©2013 Websense, Inc. All Rights Reserved.