1,000+ WordPress sites compromised through automatic update feature
Posted on 04 May 2012.
More than 1,000 WordPress blogs have been modified to redirect visitors to sites serving malware, affiliate and pay-per-click redirectors, and low quality PPC search result aggregators, through the WordPress' automatic update feature.


The discovery was made by Denis Sinegubko, the founder of the helpful Unmask Parasites website, who points out the irony of webmasters trying to keep their sites safe by using automatic updating, and then having them compromised through the same means.

The individuals behind the attack have discovered how to add the malicious code to the update.php file, which prompts WordPress to update. This code then injects other code in the wp-settings.PHP file, and effects the redirects.

The update.php file contains the "wp_update_core" function, which is used by the WordPress Automatic Update feature, says Sinegubko.

"Behind the scenes, the 'wp_update_core' function checks for available updates, downloads new files, replaces old files and does all the rest stuff required to successfully complete WordPress upgrades," he explains.

"Your blog is supposed to be fully updated just before this function returns. At that moment all infected core WordPress files (such as wp-settings.php) should be replaced with new clean copies. And this is exactly the moment when the malicious code in the “wp_update_core” function begins to work. It reinfects the just-updated and new wp-settings.php file.

Consequently, only users who have the automatic update feature enabled can have their blogs compromised by this means. Those who update their WP installation manually or via Subversion (SBV) are safe.

"WordPress developers should consider adding some integrity control into their system (e.g. checksum control for core WP files) and warn webmasters (blog administrators) if core files change," Sinegubko concludes.






Spotlight

How to talk infosec with kids

Posted on 17 September 2014.  |  It's never too early to talk infosec with kids: you simply need the right story. In fact, as cyber professionals it’s our duty to teach ALL the kids in our life about technology. If we are to make an impact, we must remember that children needed to be taught about technology on their terms.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Sep 19th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //