Ov3rfly
Member
Posted 4 months ago
A few days ago, hundreds of websites, based on WordPress 3.2.1, were compromised. The attacker uploaded an HTML page to the standard Uploads folder and that page redirects the user to the Phoenix Exploit Kit.
Source: labs.m86security.com/2012/01/massive-compromise-of-wordpress-based-sites..
Any info on how the HTML got uploaded in these 3.2.1 sites?
See also: Hackers infect WordPress 3.2.1 blogs to distribute TDSS rootkit
Not sure, but here's how to clean up the site and make sure you upgrade to the latest version.
http://codex.wordpress.org/FAQ_My_site_was_hacked
Ov3rfly
Member
Posted 4 months ago
Thanks, my own sites are not affected.
But as there are many 3.2.1 installs out there which cannot "just upgrade" due to (still) incompatible plugins or other reasons, any info on this new(?) exploit would be very helpful.
Ov3rfly
Member
Posted 4 months ago
Some more info:
This was what happened a few days ago, when a lot of WordPress-based websites running the obsolete 3.2.1 version and two exploitable plug-ins (Spam Free and UPM Polls) were hacked using SQL injection, and malicious files with random names (osgik.htm, agoku.htm, kaxyv.htm and so on) were uploaded to the wp-content/uploads WordPress folder.
Source: cleanbytes.net/compromised-wordpress-based-websites-leading..
This past weekend one compromised Web site in particular caught my attention. Based on my analysis, the site was compromised because it was running an old version of WordPress (3.2.1) that is vulnerable to publicly available exploits [1] [2].
Source: http://community.websense.com/blogs/securitylabs/archive/2012/01/30/..
So the plugins Spam Free and UPM-Polls seem to be the problem here, not 3.2.1 alone:
WP-SpamFree WordPress Spam Plugin SQL Injection Vulnerability
WordPress UPM-POLLS Plugin 1.0.4 Blind SQL Injection
MickeyRoush
Member
Posted 4 months ago
So is the solution, just remove those plugins until they're updated?
Otherwise you could come up with an .htaccess RewriteRule to prevent any HTML files from being served out of the uploads directory in the meantime.
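An added example of the stop-gap suggested above (not from any poster in this thread and not part of WordPress or either plugin). Note the caveat: a .htaccess in wp-content/uploads cannot stop the files from being written, because the write happens through the vulnerable plugin's SQL injection, not through an HTTP request to that directory. What it can do is make Apache refuse to serve anything ending in .htm/.html from the uploads tree, so a planted redirect page returns 403 instead of sending visitors to the exploit kit. This version uses FilesMatch rather than mod_rewrite because it needs no extra module and is harder to get wrong; it assumes the site runs on Apache with AllowOverride permitting Limit/AuthConfig directives in .htaccess. The PHP extensions in the pattern are an extra precaution of my own, not something the thread reports being abused.

```apache
# Added example: place this file at wp-content/uploads/.htaccess
# It blocks SERVING of .htm/.html (and, as an assumption-based extra, PHP-like)
# files from the uploads tree. It does NOT block the upload itself; removing or
# updating the vulnerable plugins is what stops the injection.

<FilesMatch "\.(?i:html?|php[0-9]?|phtml)$">
    # Apache 2.4 authorization syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

To check it took effect, create a harmless file such as wp-content/uploads/test-block.htm, request it with a browser or curl, confirm you get a 403 rather than the file's contents, then delete it. WordPress core's default upload whitelist does not include .htm or .html, so this rule should not interfere with normal media uploads; if a plugin on your site legitimately stores HTML under uploads, narrow the pattern accordingly.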