Thousands of WordPress Sites Hijacked to Distribute Malware in the Last Two Days

Status
Not open for further replies.

Exterminator

Community Manager
Unsuspecting users redirected to websites serving malware
WordPress site administrators should immediately check their sites for a new coordinated malware campaign which infected thousands of sites in the last two days.

According to Sucuri, a company which provides website security solutions, hackers have found a way to hijack websites and add malicious code to the site's JavaScript files.

When a user accesses the infected website, the JavaScript code is loaded into his browser, calling to a secondary backdoor hidden in the site's code, and finally forcing the user's browser to load an iframe.

This iframe calls to a remote Web page where the Nuclear Exploit Kit is hosted, scanning the user's browser, and identifying various entry points for the attacker's malware.
The campaign, which was named VisitorTracker after one of the JavaScript functions added to the .js files, usually calls to the vovagandon.tk domain, where the Nuclear Exploit Kit is hosted.

95% of all infected sites are using WordPress
Sucuri claims that 95% of the infected websites are running WordPress, and they suspect the initial infection took place by hackers exploiting vulnerable WP plugins.

The campaign was first observed two weeks ago and has increased in intensity over the past few days.

According to Sucuri, out of all the compromised websites, 17% have already been blacklisted by Google and other popular blacklisting services.

Investigation steps & protection measures
To protect themselves and avoid being added to a Web blacklist, webmasters have a few tools at their disposal.

For starters, they can check their site's files for the malicious code by running the following command from their Linux terminal (if they use a Linux machine to host the site):

Code:
grep -r "visitorTracker_isMob" /var/www/
If they lack the technical skills to access their server's console, Sucuri is also providing a Web-based malware scanner capable of detecting sites affected by the VisitorTracker campaign.

If your site is infected, you should remove the malicious code from the JS files, and update all plugins (and the WP core) immediately.
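The grep check above can be wrapped in a small script that limits the search to .js files, reports line numbers, and returns a clean/infected exit status usable from cron or a deploy hook. This is an added example, not code from the article or from Sucuri; it assumes a POSIX sh with find/grep/sed, and the sample web root it builds is constructed for the demonstration and contains only the marker string, no real payload.

```shell
#!/bin/sh
# Added example (not from the article or Sucuri): wraps the grep
# check from the post, limits it to .js files, prints each hit with
# a line number and returns a clean/infected exit status so it can
# run from cron or a deploy hook.

MARKER='visitorTracker_isMob'   # function name the campaign was named after

# Print the path of every .js file under $1 that contains the marker.
find_visitortracker_files() {
    # -F fixed string, -l file names only; {} + batches the arguments
    find "$1" -type f -name '*.js' -exec grep -lF "$MARKER" {} +
}

# Echo the number of infected .js files under $1 (0 when clean).
count_visitortracker_files() {
    find_visitortracker_files "$1" | grep -c . || true
}

# Report hits with line numbers; exit status 0 = clean, 1 = infected.
scan_visitortracker() {
    n=$(count_visitortracker_files "$1")
    if [ "$n" -eq 0 ]; then
        echo "clean: no $MARKER under $1"
        return 0
    fi
    echo "INFECTED: $n file(s) under $1 contain $MARKER"
    find_visitortracker_files "$1" | while IFS= read -r f; do
        # -n adds line numbers; cut keeps long minified lines readable
        grep -nF "$MARKER" "$f" | cut -c1-100 | sed "s|^|$f:|"
    done
    return 1
}

# Build a constructed sample web root (no real malware, only the
# marker string) so the scan can be tried offline.
make_sample_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/demo/js" "$d/wp-content/plugins/demo"
    echo 'jQuery(function(){ console.log("theme loaded"); });' \
        > "$d/wp-content/themes/demo/js/clean.js"
    printf '%s\n' 'function visitorTracker_isMob(){return /Mobile/.test(navigator.userAgent)}' \
        'jQuery(function(){ console.log("plugin loaded"); });' \
        > "$d/wp-content/plugins/demo/demo.js"
    echo "$d"
}
```

Run `scan_visitortracker "$(make_sample_webroot)"` to see one hit reported; point it at the real web root instead to check a live site.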
 

Chromatinfish 123

If you're using WordPress, definitely don't download too many plugins. No, you don't need the cool plugin that inserts a mini-pacman game into your site.

If you are really concerned about safety there are plenty of other website/blog making tools out there.

Most of these exploits come out of plugins, so if you run a totally blank-sheet WordPress site you will be okay.

Another tip:

When you see a very cool plugin that only has few reviews, search for another similar plugin but with a lot more high quality reviews (not like "Good Product").
 

Jack

Administrator
It will be really interesting to see which plugin has caused this massive infection...it should be a fairly popular one. What can I say, not the first time WordPress plugins have been exploited by cyber criminals.... Like @Chromatinfish 123 said, site admins should really limit the number of plugins and install only those that are maintained.
 

hjlbx

It will be really interesting to see which plugin has caused this massive infection...it should be a fairly popular one. What can I say, not the first time WordPress plugins have been exploited by cyber criminals.... Like @Chromatinfish 123 said, site admins should really limit the number of plugins and install only those that are maintained.

I've been waiting for massive data loss via malicious plug-in(s). Actually, I'm surprised it has not happened more often nor on a much wider scale.
 

Solarquest

Moderator
I just checked vovagandon.tk on VT: only KIS and Sucuri detect it, Clean MX flags it as suspicious.....no more detections...:eek:
 

Chromatinfish 123

Let's just say that in a day your chances of a WP regular Plugin getting hacked and hijacked is .001%. Yeah, not too big of a deal.
What if you have 1,000 plugins. Yikes now it's 1%... whoops.

If you have a million plugins, you have a "1000%" chance of being hacked/hijacked, so uhh... that's overkill mate (note the quotation marks: you have a pretty big chance of getting 10 plugins hacked/hijacked per day).

Now, let's thin it down to a regular scale. Maybe you're the one that says "Bah. .001% is too high!"

Perhaps we'd better try .0001% (obviously the average, some plugins are much safer than others).

10 Plugins = .001%
100 Plugins = .01%
1,000 Plugins = .1%
10,000 Plugins = 1%
100,000 Plugins = 10%
1,000,000 Plugins = 100%

Mwa ha ha! The bad luck is still with you if you are the guy who runs 1,000,000 (one million) plugins each day! Not considering the fact that a page will take more than 10 Hours To Load :eek: and that you will run your server's usual data usage by over 10,000... This is ridiculous. I don't know what I am even talking about.

Let's try on a less absurd scale (with the .001% chance)

1 Plugin = .001%
2 Plugins = .002%
3 Plugins= .003%
4 Plugins = .004%
5 Plugins = .005%
15 Plugins= .015%
50 Plugins = .5%
100 Plugins = .1%

See. Even 100 Plugins is a very big security issue. Mind you that this doesn't count the fact that some plugin vulnerabilities may target another, more common plugin too.

On the other hand, if you run only 5 plugins on your site, that's not a big chance. .005% means that you have a 1 out of 500,000 chance of getting hijacked.

TL;DR: Don't run 1,000,000 Plugins and stick with the bare essentials.
 