A New Powerful Virus Could Affect Millions of WordPress Blogs

The WordPress blogging platform powers millions of websites across the Internet. Because it is so widely used, this PHP/MySQL platform is a likely target for various types of attacks. We recently discovered, by accident, new and dangerous viral activity in our blog posts, based on an advertising script that exploits security flaws in the WordPress platform. This type of attack could also be present in tens of millions of other online WordPress blogs.

Over the last few years, many attacks have been reported by administrators of WordPress websites. The most critical exploits involve code injection into the MySQL database, which can lead to permanent loss of data. For example, JavaScript code inserted into certain files that form the template structure (index.php, index.html, main.php, header.php, footer.php) automatically sent information to other websites. In this case, traffic information was stolen and, at the same time, various installed plugins also contained the same script in their code. As a consequence, the virus was identified in a large number of files within a single WordPress installation and was called an attempt at “Internet marketing espionage”.

Another dangerous type of WordPress attack involves the Magic Include Shell program. In this case, the attacker can upload and execute arbitrary code, gaining full console-like access. The symptoms of this attack are: inactive plugins, the inability to post articles (followed by a blank screen), changes to the upload directory path, and the presence of a text file called “ro8kfbswmag.txt” in the upload directory.

The most troublesome and widely used WordPress attacks are based on advertising scripts that exploit various security flaws in the platform configuration, as well as in the web server's security. These scripts insert code or spam links into posts, templates or plugins. The inserted content and code are hidden from readers with the help of CSS (Cascading Style Sheets). The main consequence of these advertising scripts is the insertion of a large number of spam links (from tens to thousands) into WordPress posts and pages. The big problem is that the CSS masking hides the links only from website visitors; search engine spiders still “read” them.

For example, if you have published Google AdSense ads, the hidden spam links, which are one-way links to the hackers' websites, will bring you penalties in search engine rankings and could also lead to exclusion from the Google index.

The DownloadTube team recently discovered, by accident, such an advertising script attack in our current WordPress installation. While publishing the DownloadTube blog RSS feeds through the FeedBurner service, we noticed a large number of spam links leading to pharmaceutical products in the feed reader. After checking the XML file, where those links were plainly present, we looked into the source code of the posts to verify whether a certain advertising script was present. The posts' code contained only the spam links masked with CSS, as in the next example:

The solution for removing this virus was quickly identified: a .php file had been automatically uploaded to the root of the WordPress installation as the result of an attack that exploited a security flaw. Executing the code in this .php file on the server side inserted spam links into randomly selected WordPress posts. The script managed to connect to the MySQL database by repeatedly attempting to include various database connection configuration files: include ("config.php"); include ("connection.php"); include ("db.php") and more.
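The following audit is an added example, not code from the original post or from WordPress. It lists PHP files in the installation root that are not part of a stock install and records which of the configuration names mentioned above each one tries to include. The allowlist reflects a stock WordPress root and is an assumption to adjust for your version; the file names and contents in the demo are constructed.

```python
import os
import re
import tempfile

# Assumed allowlist of PHP files found in a stock WordPress root; adjust to the installed version.
CORE_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}
# include/require of one of the database config names listed in the article
CONFIG_PROBE = re.compile(
    r"""\b(?:include|require)(?:_once)?\s*\(?\s*["'](config|connection|db)\.php["']""",
    re.IGNORECASE,
)


def audit_wp_root(root):
    """Return {filename: sorted probed config names} for root PHP files outside the allowlist."""
    findings = {}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.isfile(path) or not name.lower().endswith(".php") or name in CORE_ROOT_PHP:
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            probes = {m.group(1).lower() + ".php" for m in CONFIG_PROBE.finditer(fh.read())}
        findings[name] = sorted(probes)  # empty list: unexpected file, no config probing seen
    return findings


def demo():
    """Build a constructed WordPress-like root in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed sample files, not recovered from the incident
            "index.php": "<?php require('./wp-blog-header.php');",
            "wp-config.php": "<?php // constructed placeholder",
            "gallery-helper.php": "<?php echo 'custom page';",
            "stats7.php": '<?php @include ("config.php"); @include ("connection.php"); @include ("db.php");',
        }
        for name, body in files.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_wp_root(root)


if __name__ == "__main__":
    print(demo())
```

A file that is merely unexpected may be legitimate custom code; one that tries several configuration names in a row matches the behaviour described above and deserves immediate review.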

Only five posts had been modified by the automatic inclusion of spam links, which leads us to conclude that the virus was still in its initial phase of action. By removing all traces of the advertising script and repairing the affected posts by manually deleting the spam links, the attack was successfully resolved. At the same time, the latest version of WordPress was installed (this is recommended for all WordPress users, because the latest version of the platform usually comes with patches for security flaws).
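To find which posts need repair without reading each one by hand, the post content can be scanned for links that sit inside CSS-hidden elements. This is an added example, not code from the original post; it assumes the hiding is done with inline style attributes, and the sample posts, IDs and URLs are constructed.

```python
import re
from html.parser import HTMLParser

# Inline-style tricks that hide content from visitors (assumed list, extend as needed)
HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px)?\s*(?:;|$)"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}", re.IGNORECASE)
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "wbr"}

class HiddenLinkFinder(HTMLParser):
    """Collects hrefs of <a> tags that are, or sit inside, an element hidden by inline CSS."""
    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, hidden) for every open element
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        inherited = bool(self.stack) and self.stack[-1][1]
        hidden = inherited or bool(HIDING_CSS.search(attrs.get("style") or ""))
        if tag == "a" and hidden and attrs.get("href"):
            self.hidden_links.append(attrs["href"])
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):   # pop back to the matching opener
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def scan_posts(posts):
    """Return {post_id: [hidden hrefs]} for every post that contains hidden links."""
    report = {}
    for post_id, html in posts.items():
        finder = HiddenLinkFinder()
        finder.feed(html)
        finder.close()
        if finder.hidden_links:
            report[post_id] = finder.hidden_links
    return report

# Constructed sample rows (post ID -> post content); not taken from the article
SAMPLE_POSTS = {
    101: '<p>Download manager review. <a href="http://example.org/dm">Homepage</a></p>',
    102: '<p>Release notes.</p><div style="display:none"><a href="http://spam.example/a">pills</a>'
         ' <a href="http://spam.example/b">cards</a></div>',
    103: '<p>Tips<br><span style="position:absolute;left:-9999px"><a href="http://spam.example/c">c</a></span></p>',
}

if __name__ == "__main__":
    print(scan_posts(SAMPLE_POSTS))
```

Links hidden through a class or ID defined in a stylesheet are not caught by this check, so an empty report does not prove the posts are clean.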

If you notice that your blog traffic is decreasing, or that traffic to your blog comes from search engines for keywords related to spam links, such as Viagra, Levitra or credit cards, you might have been attacked by an advertising script. This technique of illegal promotion, known as blackhat SEO, could have unpleasant consequences for your blog traffic and can also lead to exclusion from search engine indexes.

Fortunately, various tools exist to prevent and detect WordPress attacks. WP Security Scan is a WordPress plugin that scans a given WordPress installation and suggests the optimal actions to correct existing security vulnerabilities. Another plugin, WordPress Exploit Scanner, checks the files and database of the website for suspicious activity. It cannot stop an attack, but it can warn you and help you find the sources of an attack inside the MySQL database or the WordPress files.

The best way to reduce the number of successful attacks is to periodically check the server configuration for security issues, follow the recommended rules for securing an existing WordPress installation, and monitor the code of random posts and files daily in order to prevent critical situations.


8 Responses to “A New Powerful Virus Could Affect Millions of WordPress Blogs”

  1. Search Marketing » Blog Archive » A New Powerful Virus Could Affect Millions of WordPress Blogs Says:

    [...] randfish wrote an interesting post today on Here’s a quick excerpt This technique of illegal promotion known as blackhat SEO could have unpleasant consequences over your blog traffic, leading also to exclusion from search engines index. Fortunately, various tools to prevent and detect WordPress attacks … [...]

  2. A New WordPress Virus Was Discovered - Webmaster Forums - Webmaster forum for HTML, PHP, ASP, CSS and more Says:

    [...] A New WordPress Virus Was Discovered Recently, we have accidentally discovered in our blog posts a new dangerous viral activity based on an advertising script that exploits the security leaks of WordPress platform. This type of attack could be also present in the tens of millions of online WordPress blogs. The rest of the article can be found here. [...]

  3. A New WordPress Virus Discovered by DownloadTube Dev. Team - Webmaster Forum Says:

    [...] A New WordPress Virus Discovered by DownloadTube Dev. Team Recently, we have accidentally discovered in our blog posts a new dangerous viral activity based on an advertising script that exploits the security leaks of WordPress platform. This type of attack could be also present in the tens of millions of online WordPress blogs. The rest of the article can be found here. [...]

  4. SEO Content Writer » Blog Archive » A New Powerful Virus Could Affect Millions of WordPress Blog Says:

    [...] read more | digg story Read More [...]

  5. A New Dangerous WordPress Virus - DevHunters.com l Webmaster Forum - Web Advertising - Web Design - SEO Forums Says:

    [...] A New Dangerous WordPress Virus The virus actions upon WordPress platform by inserting a .PHP file in the root of the installation directory and then it connects to the database. On a successful connection various blog posts are modified with long lists of spam links masked with CSS. (the visitors cannot see them, but the search engine robots index those links). As a consequence, you will have to manually check all of your posts and remove the link after the .PHP file removal. The most simple solution to check the affected posts is to create an xml file of RSS feeds from all of your posts and view them in an RSS reader. The rest of the article is available here. [...]

  6. A New WordPress Virus Was Discovered - Webmaster Desk Forum | Voice of webmasters Says:

    [...] feeds from all of your posts and view them in an RSS reader. The rest of the article is available here. __________________ Free Download Software - [...]

  7. Wordpress Themes Says:

    Wordpress Themes…

    I love wordpress! It's not only a software for blogging. It's a full content-management-system. I personally like it more than typo3! :-)…

  8. WordPress 2.8.2 Was Just Launched | Internet News | Free Download Windows Software Says:

    [...] One year ago, in the article “A New Powerful Virus Could Affect Millions of WordPress Blogs“, there was underlined the necessity of performing updates of WordPress sites, especially when [...]
