WordPress-based websites have once again become the target of attacks. This time around, the hacked websites are hosted by various ISPs: DreamHost, GoDaddy, Media Temple and Bluehost, and there are rumors that other PHP-based platforms could also have been affected.
The H Security reports that it is still unknown which security hole has been exploited to launch the attack, which infects the websites with malicious scripts that allow fake AV to be installed on the systems of people who visit the sites in question. To avoid detection, the malware prevents some browsers (Firefox and Google Chrome) from alerting potential visitors about the malicious nature of the website.
Speculation that sites running the latest version of WordPress might be invulnerable has been shot down by David Dede on Sucuri Security’s blog, who offers a few likely theories about how the sites were compromised:
- Stolen FTP/WP password
- Bug on WordPress
- Bug on some WordPress plugin
- Brute force attack against the passwords
He also offers a simple cleanup solution for the owners of infected websites.
A similar attack has been detected today on websites hosted by Go Daddy. WPSecurityLock has received a statement from the ISP, in which it says that “they have identified and are working with the provider and hosting company from where the attacks are originating” and that they are “close to breaking additional details related to recent malware attacks.”