According to the Eastern European IT security vendor, at the start of last month, its researchers were contacted by several users via the CommunityIQ system that www.theJournal.fr – the online site used by members of the Poitou-Charentes Journal – that the portal had been infected.
In addition, the company noted, the site operator directly contacted its research team to work out why the Avast anti-virus software was blocking visitors from its site which had been purportedly “checked and clean” by an external scanner.
Jan Sirmer, Avast's senior virus lab researcher, said that his team detected similar infections in other WordPress sites.
“The Poitou-Charentes Journal is just one part of a much bigger attack,” said Sirmer, who added that these compromised sites are part of a network that redirected vulnerable users to sites distributing an array of malware.
Sirmer says that his team worked with the site owner to gather more information on how the pages had been compromised and where vulnerable users were being redirected to as they visited the site.
He was able to determine that the source of this infection was a PHP file (UPD.PHP) uploaded through a security vulnerability in Timthumb, an image resizer used by developers to create themes for WordPress sites. It is believed that a hacker compromised the weak login credentials used by the WordPress administrators for the hosting servers’ FTP prior to uploading and executing PHP files.
Sirmer went on to say that the infection was the work of cybercriminals using the Blackhole Toolkit, a set of malware tools available on the black market.
“TheJournal.fr and its readers were certainly not the only targets, this is a larger issue of WordPress security”, he said, adding that his team had registered 151,000 hits at one of the locations where this exploit redirected users. We also blocked redirects from 3,500 unique sites on August 28–31 – the first three days that this infection surfaced – that led to this exploit. During September, we blocked redirects from 2,515 sites and I expect October results will be similar”, he says in his latest security posting.
Sirmer added that he uncovered and removed several JavaScript infections and a backdoor Trojan on TheJournal.fr site during his investigation. In this instance, he noted, the problem went unnoticed because the site was hosted and managed by a third party.
“The site owner found out about the infection only because visitors to the site running avast! were blocked from visiting the site as part of their protection. “So even if you outsource IT services, it is often a good idea to visit your own blog with an AV that has an active virus scan to make sure that it is not infected or being blocked,” he said. “And, change your FTP passwords, and don’t save them on your PC because this malware is often able to unpack the passwords from the usual FTP clients”, he said.
Sirmer says that WordPress is not immune to exploitation – a fact driven by its overall popularity and the wide number of available versions, but he stressed that this was not a specific issue with WordPress itself, but the result of an outdated program plugin and poor password management by site administrators.
“This issue highlights that simple-to-crack login and password details for the underlying FTP servers can lead to problems. Stronger login and password keys, alone or together with two-factor authentication, are options that system administrator should use when working with third-party IT managers”, he noted.