1,000+ WordPress sites compromised through automatic update feature
Posted on 04 May 2012.
More than 1,000 WordPress blogs have been modified to redirect visitors to sites serving malware, affiliate and pay-per-click redirectors, and low quality PPC search result aggregators, through the WordPress' automatic update feature.


The discovery was made by Denis Sinegubko, the founder of the helpful Unmask Parasites website, who points out the irony of webmasters trying to keep their sites safe by using automatic updating, and then having them compromised through the same means.

The individuals behind the attack have discovered how to add the malicious code to the update.php file, which prompts WordPress to update. This code then injects other code in the wp-settings.PHP file, and effects the redirects.

The update.php file contains the "wp_update_core" function, which is used by the WordPress Automatic Update feature, says Sinegubko.

"Behind the scenes, the 'wp_update_core' function checks for available updates, downloads new files, replaces old files and does all the rest stuff required to successfully complete WordPress upgrades," he explains.

"Your blog is supposed to be fully updated just before this function returns. At that moment all infected core WordPress files (such as wp-settings.php) should be replaced with new clean copies. And this is exactly the moment when the malicious code in the “wp_update_core” function begins to work. It reinfects the just-updated and new wp-settings.php file.

Consequently, only users who have the automatic update feature enabled can have their blogs compromised by this means. Those who update their WP installation manually or via Subversion (SBV) are safe.

"WordPress developers should consider adding some integrity control into their system (e.g. checksum control for core WP files) and warn webmasters (blog administrators) if core files change," Sinegubko concludes.






Spotlight

Biggest ever cyber security exercise in Europe is underway

Posted on 30 October 2014.  |  More than 200 organisations and 400 cyber-security professionals from 29 European countries are testing their readiness to counter cyber-attacks in a day-long simulation, organised by the European Network and Information Security Agency (ENISA).


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Thu, Oct 30th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //