Update: WP developers are looking into this now . . .

The current version of WordPress (also 2.1-2.3.1 verified so far) is apparently vulnerable to an HTML-tainting attack. I first noticed it on this blog in the next-to-top post. I've actually been on a vacation of sorts, but I monitor changes to my web site carefully. WordPress.org has been notified, but I feel that releasing only the existence of the potential vulnerability is ethical. I have also created a tool to audit for this attack (see "How Do You Know If You're Affected?" below). Others' equity is at stake here as well!

Though I don't know the exact mechanism yet, I have some ideas based on my logs, and I have a high degree of confidence it's a WordPress-specific hack (or perhaps a very popular plug-in) for the following reasons:

0. The links are clearly pathological and deliberately concealed visually using CSS.
1. All exploited sites are running WordPress.
2. The sites are on a mix of shared and dedicated hosting in various places around the internet (it's not a particular hosting company).
3. The HTML-tainting appears in the actual database record (at least in my case) for the post; and that's not generally the easiest approach for this sort of attack.

Example HTML Insertion Attack:

<div id="mnu1" style="overflow: auto; position: absolute; z-index:
 1; left: -500px; text-indent: -500px; width: 600px; text-align:left">
Where <a href="http://www.adshelper.com/">
download mp3 music</a>? It's obvious.<br /> Fast downloads and super high quality…<br />Try to guess, what's the best site to <a href="http://www.my-movie-download.com/">
download movies</a>? Yes, that's right.<br /> I
recently downloaded few films with super high quality.
</div>

The outbound links appear to point to the following domains:
ADSHELPER.COM (WHOIS RECORD NOT PRIVATE)
SOFTICANA.COM (WHOIS RECORD PRIVATE; REGISTERED THROUGH GODADDY; SPAM CAN BE REPORTED TO GODADDY'S ABUSE DESK)

How Do You Know If You're Affected?

I'm writing a quick-and-dirty WordPress plugin to scan your blog for the signature of the HTML-tainting. Install it. It will email you with the affected post IDs if you've been hit (Note: IT SHOULD WORK NOW …).
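For readers who want to audit from outside WordPress, here is an added example of what such a scan looks like in Python (this is not the author's plugin). It pulls the signature straight from the injected markup shown above: a container whose inline style pushes it off-screen (large negative left/text-indent) or hides it outright, wrapping outbound links. The 200px threshold and the sample post rows are constructed for this example; in practice the rows would come from `SELECT ID, post_content FROM wp_posts`.

```python
"""Scan WordPress post HTML for hidden-container link injections.

Added example, not the author's audit plugin. Flags every <a href> that sits
inside an element whose inline style hides it (display:none, visibility:hidden)
or pushes it off-screen (large negative left/top/text-indent), which is exactly
what the injected <div id="mnu1"> does. OFFSCREEN_PX and SAMPLE_POSTS are
assumptions made for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS that keeps text in the DOM (so crawlers still index the links)
# while moving it out of the visible page.
_NEG_PX = re.compile(r"(?:left|top|text-indent|margin-left)\s*:\s*-(\d+)px", re.I)
_HIDE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OFFSCREEN_PX = 200  # assumption: anything pushed this far is not meant to be read


def is_hidden_style(style: str) -> bool:
    """True if an inline style hides the element or pushes it off-screen."""
    if _HIDE.search(style):
        return True
    return any(int(px) >= OFFSCREEN_PX for px in _NEG_PX.findall(style))


class _HiddenLinkFinder(HTMLParser):
    """Collects (container id, link host) for every link inside a hidden element."""

    def __init__(self) -> None:
        super().__init__()
        self._stack = []        # one bool per open tag: is it a hidden container?
        self._depth = 0         # number of hidden containers enclosing the cursor
        self._container = None  # id attribute of the outermost hidden container
        self.findings = []      # (container id or None, lowercased link host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = is_hidden_style(a.get("style") or "")
        if hidden and self._depth == 0:
            self._container = a.get("id")
        self._stack.append(hidden)
        if hidden:
            self._depth += 1
        if tag == "a" and self._depth and a.get("href"):
            host = (urlparse(a["href"]).hostname or "").lower()
            self.findings.append((self._container, host))

    def handle_endtag(self, tag):
        # html.parser does not balance tags for us. Self-closing tags such as
        # <br /> reach handle_starttag and then handle_endtag, so popping one
        # entry per end tag keeps the stack in step with the markup.
        if self._stack and self._stack.pop():
            self._depth -= 1
            if self._depth == 0:
                self._container = None


def scan_posts(rows):
    """rows: iterable of (post_id, post_content). Returns {post_id: [hosts]}."""
    hits = {}
    for post_id, html in rows:
        finder = _HiddenLinkFinder()
        finder.feed(html)
        finder.close()
        if finder.findings:
            hits[post_id] = sorted({host for _, host in finder.findings})
    return hits


# Constructed sample rows standing in for `SELECT ID, post_content FROM wp_posts`.
# Post 17 carries the injection pattern from this write-up; 18 is a legitimate
# styled block; 19 uses display:none instead of off-screen positioning.
SAMPLE_POSTS = [
    (17, '<p>Real post text.</p>\n'
         '<div id="mnu1" style="overflow: auto; position: absolute; z-index: 1; '
         'left: -500px; text-indent: -500px; width: 600px; text-align:left">'
         'Where <a href="http://www.adshelper.com/">download mp3 music</a>? '
         "It's obvious.<br />Try to guess, what's the best site to "
         '<a href="http://www.my-movie-download.com/">download movies</a>?</div>'),
    (18, '<div style="position: relative; left: 10px">A pull quote with '
         '<a href="http://example.org/">a visible link</a>.</div>'),
    (19, '<span style="display:none"><a href="http://example.net/x">hidden</a></span>'),
]

if __name__ == "__main__":
    for post_id, hosts in scan_posts(SAMPLE_POSTS).items():
        print(f"post {post_id}: hidden links to {', '.join(hosts)}")
```

The check is on the style, not on the two domains named in this post, so it still fires when the spammer rotates hosts; the trade-off is that a theme which legitimately positions text far off-screen (skip links, for instance) will show up and needs to be whitelisted by id.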

What Can We Learn From this?

A domain and its URLs carry equity (search-engine trust), and black hatters are always looking for a way to exploit it. One must be vigilant to protect this equity by monitoring for attacks like this, as they can be particularly harmful to your rankings as well. HTML insertion attacks in general are also documented in my book:

Search Engine Optimization with PHP
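Signature scanning only catches the variant you already know about. Since the tainting lands in the post's database record, the more general monitor is a per-post content-hash baseline compared on a schedule. The following is an added example, not code from this site, and the idea that an edit written straight to the database leaves post_modified untouched (the "silent" bucket) is an assumption of the example rather than something established above; the rows are constructed.

```python
"""Content-hash baseline for published posts.

Added example, not the author's code. snapshot() turns rows of
(post_id, post_modified, post_content) into {post_id: {modified, sha256}};
diff_baseline() then classifies what changed between two snapshots. The
'silent' bucket (content changed, post_modified did not) assumes that a direct
SQL write bypasses WordPress's own timestamp update.
"""
import hashlib


def snapshot(rows):
    """rows: iterable of (post_id, post_modified, post_content) -> baseline dict."""
    return {
        post_id: {
            "modified": modified,
            "sha256": hashlib.sha256(content.encode("utf-8")).hexdigest(),
        }
        for post_id, modified, content in rows
    }


def diff_baseline(old, new):
    """Classify changes between two snapshots into added/removed/edited/silent."""
    report = {"added": [], "removed": [], "edited": [], "silent": []}
    for pid in sorted(set(old) | set(new)):
        if pid not in old:
            report["added"].append(pid)
        elif pid not in new:
            report["removed"].append(pid)
        elif old[pid]["sha256"] != new[pid]["sha256"]:
            # A normal edit through the dashboard bumps post_modified; a write
            # straight to the table does not, so a changed hash with the same
            # timestamp is the case worth paging on.
            bucket = "edited" if old[pid]["modified"] != new[pid]["modified"] else "silent"
            report[bucket].append(pid)
    return report


# Constructed rows: post 17 had spam appended without touching post_modified,
# post 18 was edited normally, post 19 is untouched, post 20 is new.
BEFORE = [
    (17, "2007-11-01 10:00:00", "<p>Real post text.</p>"),
    (18, "2007-11-02 09:00:00", "<p>Draft wording.</p>"),
    (19, "2007-11-03 08:00:00", "<p>Unchanged.</p>"),
]
AFTER = [
    (17, "2007-11-01 10:00:00",
     '<p>Real post text.</p><div id="mnu1" style="left:-500px">spam</div>'),
    (18, "2007-11-05 12:00:00", "<p>Final wording.</p>"),
    (19, "2007-11-03 08:00:00", "<p>Unchanged.</p>"),
    (20, "2007-11-06 07:00:00", "<p>New post.</p>"),
]

if __name__ == "__main__":
    print(diff_baseline(snapshot(BEFORE), snapshot(AFTER)))
```

Store the baseline somewhere the web server cannot write (a separate box, or a file outside the document root with the cron user as owner), otherwise whoever can edit wp_posts can rewrite the baseline too.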

I have a high degree of confidence that this individual is involved: this guy. He has been on DigitalPoint forums. More information about him is located here.

Affected WordPress Versions

2.1-2.3.1

Prominent Affected Sites

via http://siteexplorer.search.yahoo.com/search?p=http%3A%2F%2Fwww.adshelper.com&bwm=i&bwms=p&bwmf=u&fr=yfp-t-471&fr2=seo-rd-se

http://warpspire.com/hemingway : WordPress 2.3-alpha
http://www.cartoonbrew.com/ : WordPress 2.1
http://www.powazek.com/ : WordPress 2.2
http://www.freekareem.org/ : WordPress 2.2.1
http://www.smallbiztrends.com/ : WordPress 2.2.1
http://blog.modernmechanix.com/ : WordPress 2.1.2
http://www.bittbox.com/ : WordPress 2.2.1
http://www.ethanzuckerman.com/blog/ : WordPress 2.2.1
http://www.tjcenter.org/ : WordPress 2.1.2
http://www.cato-at-liberty.org/ : Signature Removed
http://www.smstextnews.com/ : WordPress 2.1.3
http://blog.ianbicking.org/ : WordPress 2.2.1
http://www.searchviews.com/ : WordPress 2.2
http://www.dreammanifesto.com/ : WordPress 2.3.1

via http://siteexplorer.search.yahoo.com/advsearch?p=http%3A%2F%2Fsofticana.com&bwm=i&bwmf=a&bwms=p

http://www.zeldman.com/ : Signature Removed
http://www.mysqlperformanceblog.com/ : WordPress 2.3.1
http://blog.oup.com/ : WordPress 2.2
http://weblog.philringnalda.com/ : WordPress 2.3.1
http://blog.everythingflex.com/ : WordPress 2.1.3
http://www.darfur-awareness.org/ : WordPress 2.2
