A glut of WordPress sites have fallen victim to both malware infections and a series of brute force attacks that have been making the rounds over the past several days, researchers claim.
According to Peter Gramantik, a malware researcher at Sucuri, highly obfuscated malware payloads have been targeting sites with out of date plugins and sloppy, weak passwords.
While the fact that malware is targeting outdated plugins and weak passwords isnâ€™t particularly surprising, Gramantik claims what makes the attack interesting is the fact that the payload is being blindly injected. Bug-riddled PHP is apparently corrupting legitimate WordPressÂ files, along withÂ theme and plugin files that belong to the popular content management system.
The errors are prompting a series of PHP warnings, like the one below, whichÂ pop up in normal site content according to the firm.
Parse error:Â syntaxÂ error, unexpected â€˜)â€™Â in /home/user/public_html/site/wp-config.php on line 91
Sucuri claimsÂ the only way it knows how to fix the infected files is to restore the files from backup after the malware has been removed.
This week has also seenÂ a series of brute force attacks wreaking havoc on WordPressÂ sites, according to researchers at the SANS Institute.
The attacks appear to targetÂ XMLRPC.php, the same PHP library that was leveraged to cause a large-scale distributed denial of service attack on tens of thousands of WordPressÂ sites earlier this year.
SANS incident handler Daniel Wesemann warned Tuesday that some Internet Storm Center readers have been experiencing a scourge of attacksÂ on their sites.
The attacks specifically use the wp.getUsersBlogs function of XMLRPC to send out brute force password guessing attacks. Code posted by Wesemann on the InfoSec Handlers Diary BlogÂ clearly shows requests trying to guess passwords (admin, admin123) on a targeted WordPressÂ installation.
(Image viaÂ Robert Paprocki, cryptobells.com)
Weseman goes on to point out that looking at the simple HTTP web server logs isnâ€™t the best indicator of these attacks as the requests are approved by the web server and the XML message that the server returns as a payload includes an anticipated â€˜403 â€“ Not Authorizedâ€™ message.
The post warns that using â€œtraditionalâ€ modes of security protection, like the plugin BruteProtect, are actually less effective.
â€œMost of these add-ons tend to watch only wp_login.php and the associated wp_login_failed result, which does not trigger in the case of an XMLRPCÂ login error.â€
WordPressÂ experts are encouragingÂ users looking toÂ avoid getting hit with brute force attacks like theseÂ to use a strong password,Â not to use a common username and follow theÂ Hardening WordPressÂ FAQ on WordPress.org.
Jan Reilink, a Netherlands-based system administrator, claimed he noticed a rash ofÂ HTTP POST requests usingÂ XMLRPC.PHPÂ on WordPressÂ earlier this month but itâ€™s unclear if the requests he noticed, which came in the form of a much larger payload, are related to the XMLRPC.PHP DDoS attack Sucuri noticed in March.
The brute force attack campaign sounds similar to attacks initiated by theÂ massive 90,000-strong WordPressÂ botnet that reared its head last spring. Those attacksÂ used a combination of â€œadminâ€ as a user name, and a list of common passwords to break its way into systems.