(WEB HOST INDUSTRY REVIEW) — Over the past few days, many of those using popular open-source blogging platform WordPress (www.wordpress.org) were surprised to find that their site or blog had been hacked and was redirecting visitors to a page attempting to install malicious software. New research suggests that the hacker was able to exploit users’ improper storage of configuration files.
Surveying multiple postings on WordPress forums and blogs, security expert Brian Krebs reported an attack that does not modify or create files, but rather injects the web address “networkads.net/grep” directly into the target site’s database, redirecting visitors to networkads.net. Also, due to this attack method, site owners were locked out of the WordPress interface for their blogs.
If the forum posts were any indication, nearly every WordPress user affected reported web host Network Solutions (www.networksolutions.com) as their current hosting provider, although the company claims not only Network Solutions customers were affected.
Sucuri Security Labs, which has been working with Network Solutions to solve the problem, has come up with an analysis of the problem. First off, WordPress stores database credentials in plain text in the configuration file, which should be readable only by the web server (Apache), but some users had unknowingly left it readable by anyone on the host.
Sucuri Security Labs hypothesizes that a malicious Network Solutions user created a script to find those incorrectly configured files, finding hundreds and retrieving the database credentials, which were then used to launch an attack that modified the database for all these blogs, changing their site URLs to “networkads.net/grep.”
Shashi Bellamkonda, Network Solutions’ head of social media, noted in a Sunday blog entry that the WordPress issue had been resolved, its root cause addressed, and most affected sites repaired.
“In solving the problem, we have had to change database passwords for WordPress. Normally, this does not impact functioning of the blog, but in some cases if you have custom code with manually-embedded database passwords (in files other than wp-config), this will require changes.”
Sucuri says blame for the incident might be difficult to assign.
“WordPress for requiring that the database credentials be stored in clear-text,” writes the poster. “WordPress again for not installing itself securely by default. The users for not securing their blogs. Network Solutions for allowing this to happen.
“I also have to agree with Network Solutions that this problem can happen at any shared host site. Not only for WordPress, but for any CMS out there that stores the passwords in clear-text. For anyone affected with this problem (or anyone at a shared server), change your database credentials ASAP and make sure your configuration file is not readable by everyone else.”
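The last piece of that advice, checking that wp-config.php is not readable by every other account on a shared host, as a shell audit added here (this is not code from the article, Sucuri or Network Solutions). It assumes PHP runs as the site owner, as with suPHP or PHP-FPM; where Apache reads the file as a separate user, use mode 640 with the web-server group instead of stripping access.

```shell
#!/bin/sh
# Added example: audit wp-config.php files on a host for the misconfiguration
# described above (database credentials sitting in a world-readable file).
# Assumption: PHP runs as the site owner, so the "other" bits are not needed.

# is_world_readable FILE  -> exit 0 when the "other" read bit is set
is_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# audit_wp_configs DIR [--fix]
# Lists every wp-config.php under DIR that any local user could read.
# With --fix, strips all access for "other" (owner/group bits unchanged).
# Returns 0 when nothing was exposed, 1 when at least one file was.
audit_wp_configs() {
    dir=$1
    fix=${2:-}
    hits=$(find "$dir" -type f -name wp-config.php -perm -o+r)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | while IFS= read -r f; do
        echo "WORLD-READABLE: $f"
        [ "$fix" = "--fix" ] && chmod o-rwx "$f"
    done
    return 1
}

# Usage: sh audit-wp-config.sh /var/www [--fix]
if [ $# -gt 0 ]; then
    audit_wp_configs "$@"
fi
```

After tightening permissions, the database password itself should still be rotated, since anyone who already read the file keeps what they copied.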