WordPress Blogs are Hacked.


Malicious hackers were able to retrieve WordPress login credentials. The attacks, which started last Friday, infected a large number of WordPress blogs (running the latest version, 2.9.2) with malware.

David Dede, a researcher at Sucuri Security Labs, figured out that fully patched WordPress blogs actually store the database credentials in plain text, making them an easy target to hack. Here’s the explanation:

  1. WordPress stores the database credentials in plain-text at the wp-config.php file.
  2. This configuration file should only be read by Apache, but some users (well, lots of users) left it in a way that anyone could read it (755 instead of 750 in Linux slang).
  3. A malicious user at Network Solutions creates a script to find those configuration files that were incorrectly configured.
  4. This same malicious user finds hundreds of configuration files with the incorrect permissions and retrieves the database credentials.
  5. Yes, he again (the bad guy) launches an attack and modifies the database for all these blogs. Now the siteurl for all of them just became [malicious website]. Easy hack.

Most Network Solutions blogs were hacked, and Network Solutions has fixed this issue. From their statement:

We have a fix in place for the Word Press issue that has affected some customers who are using Word Press.  Three points to note:

  • The root cause for this issue has been addressed.
  • Impacted sites have been fixed, no action needed by the customers (but note below).
  • Although most sites have been fixed, a few customers have contacted us with some functionality issues. If you need help see contact info below.

As part of the resolution, we have had to change database passwords for WordPress.  Normally, this does not impact functioning of the blog, but in some cases if you have custom code with manually-embedded database passwords (in files other than wp-config), this will require changes.

As a precaution, we’re also recommending that all customers using WordPress should log into their account to change their administrative passwords.  Also review all the administrative access accounts and delete those that you do not recognize. If you feel you are still experiencing issues and need help please contact us at Listen <at> NetworkSolutions.com

This problem can happen to any website hosted on any host. Because WordPress stores the database credentials in a simple plain-text file, attackers were able to retrieve them. WordPress should install securely by default. For anyone affected by this problem (or anyone on a shared server), change your database credentials ASAP and make sure your configuration file is not readable by everyone else.
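One way to carry out that last check on your own server, as an added example (not from the original post, Sucuri or Network Solutions): a POSIX shell script that lists every wp-config.php under a directory that other local users can access, then removes the "other" permission bits, turning 755 into 750. The function names and the /var/www path are assumptions, and the script assumes the web server reads the file as its owner or group.

```shell
#!/bin/sh
# Added example: audit and tighten wp-config.php permissions on your own server.
# Assumption: the web server reads the file as its owner or group, so removing
# the "other" bits (755 -> 750, 644 -> 640) does not break the blog.

# Print every wp-config.php under ROOT whose "other" bits grant r, w or x.
# Returns 0 when none are exposed, 1 when at least one is.
audit_wp_configs() {
    exposed=$(find "$1" -type f -name wp-config.php \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed"
    return 1
}

# Remove all "other" permission bits from the exposed files under ROOT.
harden_wp_configs() {
    find "$1" -type f -name wp-config.php \
        \( -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec chmod o-rwx {} +
}

# Usage: sh check-wp-config.sh /var/www   (docroot path is an assumption)
if [ -n "${1:-}" ]; then
    if audit_wp_configs "$1"; then
        echo "no world-accessible wp-config.php under $1"
    else
        echo "tightening the files listed above" >&2
        harden_wp_configs "$1"
    fi
fi
```

Tightening the mode does not undo an earlier read of the file, so the database password still needs to be changed as described above.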
