Old Versions of WordPress Compromised

A new attack against old versions of WordPress is a reminder of the importance of always performing updates when prompted. We saw how using old versions of IE, IE6 in particular, led to all kinds of exploits and attacks, so you would think the lesson would have been learned at some point, but here we are, being reminded again that upgrades are there for a reason. (Apparently, the latest update for WordPress was in December.)

 

M86 Security was the one to announce the attack on WordPress, which many companies, especially SMBs, use to host websites and blogs. The attack apparently comes via spam email. According to the M86 Security Labs blog:

 

Hundreds of websites, based on WordPress 3.2.1, were compromised. The attacker uploaded an HTML page to the standard Uploads folder and that page redirects the user to the Phoenix Exploit Kit. Its logs show that users from at least four hundred compromised sites were redirected to Phoenix exploit pages.

 

M86 Security went on to report that the apparent motivation of the attackers was to bypass spam filters, URL reputation mechanisms, and even security policies.

 

From the M86 blog:

 

The exploit page is hosted by a Russian domain called horoshovsebudet which roughly translates as “Everything will be fine”, showing a certain sense of humor by these attackers.

 

The attack was launched in two parts – first to compromise the Web servers and secondly to send the spam. In both cases, they might have done that from domains other than that specific Russian domain.

 

Once the rootkit is launched, it attempts to exploit Microsoft IE, Adobe PDF and Flash and Oracle Java. If the exploit attempts are successful, a variant of the information-stealing Cridex Trojan ends up on the user’s system.

 

Attacks on WordPress aren’t new. In November, an SC Magazine article pointed out a spike in malware on WordPress pages that used the TimThumb image resizer. The article went on to say:

 

Researchers detected an additional 3,500 unique infected WordPress sites, which redirected visitors to malicious sites between Aug. 28 to 31. During September, the company blocked redirects from 2,515 WordPress sites.

 

M86 Security’s advice is the reminder to not click on any link in any email. My advice is to remember to always take care of any update prompts as soon as they are suggested. After all, those upgrades and updates usually fix vulnerabilities that could help avoid problems like this.

Article source: http://www.itbusinessedge.com/cm/blogs/poremba/old-versions-of-wordpress-compromised/?cs=49691