Feeds

Network Solutions mops up after mass WordPress breach

Plenty of blame to go around

Protecting against web application threats using SSL

Administrators at web host Network Solutions say they've closed a hole that allowed attackers to commandeer a large number of sites so they tried to infect visitors with malware.

The mass hack caused Network Solutions customers running WordPress to silently redirect visitors to networkads.net/grep, a site that attempted to perform malicious drive-by downloads. Network Solutions has now closed the hole by resetting database passwords for the blogging software, the company said Sunday. Users should also review their settings for any administrative access accounts that aren't recognized and if found delete them.

The compromise was the result of database credentials that WordPress stores in plain-text, according to David Dede, a researcher with Securi Security. While the database is supposed to be accessed only with the Apache webserver, "lots of users" configured the file so it was readable by any Network Solutions customer.

A malicious user then employed a script that automatically scoured the Network Solutions system for poorly secured accounts and, when found, modified the databases so the corresponding websites redirected users to the malicious website.

"So, at the end anyone can be blamed," Dede wrote. "At WordPress for requiring that the database credentials be stored in clear-text. At WordPress again for not installing itself securely by default. At the users for not securing their blogs. At Network Solutions for allowing this to happen."

To clean up the mess, Network Solutions had to change the database passwords for WordPress, which will likely cause problems for customers who use scripts that automatically access the file. The Network Solutions blog post doesn't say whether changes have been made to customers' wp-config.php file, so users should check to make sure it's set to private by running the command "chmod 750 wp-config.php." ®

Update

A representative for some WordPress developers wrote in to take issue with Dede's claim that at least some blame rested with developers of the blogging software.

"WordPress, like all other web applications, must store database connection info in cleartext," wrote Paul Kim VP User Growth at Automattic Inc., which employs some of the core developers for WordPress. "Encrypting credentials isn't an option because the keys have to be stored where the Web server can read them in order to decrypt the data. If a malicious user has access to file system -- like they appeared to have in this case -- it is trivial to obtain the keys and decrypt the information. When you leave the to the door in the lock, does it help to lock the door?"

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.