162,000 WordPress sites Tricked into an Attack

Summarized below is what happened, and what to do.  But!

Do only as Sucuri Security says, not me.
Here are their instructions.

The Attack

Legitimate WordPress sites were used in a DDoS (distributed denial-of-service) attack against other legitimate WordPress sites. The goal is to create a botnet: harness the power of thousands of blogs and use it to attack another site and take it offline. I don’t know the why.

Sucuri is a malware monitoring and cleanup company. They discovered the attack when one of their clients went offline due to a DDoS.

From their site:

The attack uses XML-RPC.

What is XML-RPC

XML-RPC is found in the core of WordPress, and is used to perform a “ping”: when one website notifies another website to say hey, there’s new content to see here.

XML-RPC is used to keep search engines updated, RSS feeds fresh, and news sites current. It’s used to create pingbacks and trackbacks, and XML-RPC even helps provide mobile access.

XML-RPC is located in WordPress’ core code, and is by default set to ON.

WordPress’ Dilemma

WordPress is in a tough spot with this one.

It makes sense to set the default to ON, right? Pinging is kinda the nature of the internet. There are lots of plugins designed specifically to take advantage of pinging. That’s why you won’t see WordPress issue a patch for this security breach; they kind of can’t.

And that’s why this attack is so clever. Dirty, but clever.

In fact, by turning it off, many core plugins will stop working, as will Jetpack…

It’s up to you, and how you run your site, whether to leave it on or off…

How to Check if Your Site Is Affected

There are 2 ways:

1. search your logs for “any POST requests to the XML-RPC file. If you see a ping back to a random URL, your site is being misused”. – Sucuri

2. use the scanner Sucuri built, click here.

Your URL will be checked against their logs to verify whether it was one of the 162,000 affected sites.
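A small added example, not from Sucuri’s post, of the first check: it scans combined-format (Apache/nginx style) access log lines for POST requests to xmlrpc.php and tallies them per source IP, so a burst of pingback calls from one or a few addresses stands out. The log lines are constructed for the example; the count threshold is an assumption to tune for your own site.

```php
<?php
/**
 * Added example: count POST hits on xmlrpc.php per source IP.
 * A healthy site sees a trickle of legitimate pingbacks; a site being
 * misused sees hundreds or thousands of POSTs, usually from a few IPs.
 * Sample lines below are constructed; run against a real log with:
 *   php xmlrpc_scan.php /var/log/apache2/access.log
 */

// Combined log format: ip ident user [time] "request" status bytes "ref" "ua"
const XMLRPC_LINE = '/^(\S+) \S+ \S+ \[[^\]]+\] "POST \/xmlrpc\.php[^"]*" \d{3} /';

/** Return ['ip' => count] for every POST to xmlrpc.php, highest count first. */
function count_xmlrpc_posts( iterable $lines ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        if ( preg_match( XMLRPC_LINE, (string) $line, $m ) ) {
            $hits[ $m[1] ] = ( $hits[ $m[1] ] ?? 0 ) + 1;
        }
    }
    arsort( $hits );
    return $hits;
}

// Constructed sample: three POSTs from one address, one GET, one lone POST.
$sample = [
    '203.0.113.7 - - [10/Mar/2014:08:01:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Mar/2014:08:01:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [10/Mar/2014:08:01:03 +0000] "GET /2014/03/post/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2014:08:01:03 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0"',
    '192.0.2.9 - - [10/Mar/2014:08:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/3.8"',
];

$lines  = isset( $argv[1] ) ? new SplFileObject( $argv[1] ) : $sample;
$counts = count_xmlrpc_posts( $lines );

if ( ! $counts ) {
    echo "No POST requests to xmlrpc.php found.\n";
}
foreach ( $counts as $ip => $n ) {
    // Threshold of 3 is only a placeholder for the sample; use your own baseline.
    $flag = $n >= 3 ? '  <-- unusual volume, investigate' : '';
    printf( "%-16s %5d POST(s) to xmlrpc.php%s\n", $ip, $n, $flag );
}
```

The URL a pingback targets travels in the POST body, which a standard access log does not record, so volume per source IP is the signal the log alone gives you.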

The Defence

This is where it gets tricky, and why I say to read Sucuri’s full post, and comments, and decide for yourself.

Options include:

1. disable all XML-RPC functionality on your site (core plugins may stop working)

2. add the code below to your theme; it’s a preventative filter:

(click here to copy the actual code)

(I chose option 2)
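As an added illustration (my own example, not the code from Sucuri’s post that the link above copies), here is what the two options look like as WordPress filters in your theme’s functions.php. `xmlrpc_methods` and `wp_headers` are real WordPress filter hooks; the constant name is an assumption.

```php
<?php
/**
 * Added example: the two defensive options above written as WordPress
 * filters. Put this in your active theme's functions.php (or a file under
 * wp-content/mu-plugins/). KB_DISABLE_ALL_XMLRPC is our own switch name.
 */

// true  = option 1: remove every XML-RPC method (Jetpack, mobile apps and
//         remote publishing tools stop working).
// false = option 2: keep XML-RPC, remove only the pingback method.
define( 'KB_DISABLE_ALL_XMLRPC', false );

if ( KB_DISABLE_ALL_XMLRPC ) {
    // Option 1: hand the XML-RPC server an empty method table, so every call
    // gets a "method does not exist" fault. Note: the separate
    // 'xmlrpc_enabled' filter only governs methods that require a login, and
    // pingback.ping needs none, so it would NOT stop this abuse on its own.
    add_filter( 'xmlrpc_methods', '__return_empty_array' );
} else {
    // Option 2: unregister pingback.ping, the call the attack abuses to make
    // this site fetch a victim's URL on the attacker's behalf.
    add_filter( 'xmlrpc_methods', function ( array $methods ) {
        unset( $methods['pingback.ping'] );
        return $methods;
    } );

    // Also stop advertising pingback support in the X-Pingback response
    // header, so tools hunting for pingback-capable sites skip this one.
    add_filter( 'wp_headers', function ( array $headers ) {
        unset( $headers['X-Pingback'] );
        return $headers;
    } );
}
```

Trackbacks, RSS and the rest of XML-RPC keep working under option 2; only the pingback call is gone.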

Important to Know

Adding this code means going deep into the core code of the website (“hacking core WordPress”), where it’s really easy to type one wrong character and break your entire site.

Happened to KeriBlog.

(this stuff, wow eh. I knew what happened, that it was going to be fixed in a minute, and still I coughed up my heart when I refreshed to find that.)

The Flashback Trojan is Turning Macs into Zombies

It’s here – the largest EVER Mac trojan has arrived. It’s called Flashback, it’s huge, and if you are running Mac OS X 10.6 you may be affected.

600,000 Macs around the world have been compromised. Statistically, that is a giant botnet.

A botnet: think of it like your computer has been turned into a zombie, and is under someone else’s control. Gather together enough zombies, now you have a botnet army. Most scary of all: you likely wouldn’t even realize you’ve been affected.

What you need to do:

FIRST – check to see if you are vulnerable. If you are running Mac OS X 10.6 you might be. If you are running Mac OS X 10.7 you are likely okay.

SECOND – Let’s check to see if your machine is infected. We’re going to use Terminal to do that, your Mac’s command-line interface.

Open ‘Terminal’.

Don’t be scared if you’ve never used Terminal. You’re going to feel a bit like a hacker, fun!

But – don’t screw around in here, stay focused; a couple wrong keystrokes and you’ll change and alter things you do not want to.

Now you’re looking at a window like this:

Copy and paste this line into Terminal, then hit ‘enter’:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

NOT AFFECTED: if it returns this line:

The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

That’s what you want, “does not exist”

AFFECTED: if it returns anything else. If infected, click here for the remedy. F-Secure is an antivirus and computer security company in Finland. You’re going to download a Java update from Apple here.

Remember the golden rule to avoid problems:

The Golden Rule: If you installed it, update it.

We Mac users have enjoyed relatively virus and malware-free living, till now. I blogged about it last year over on KeriBlog, click here for why it’s no longer the case.

Further Reading:

Gizmodo

The Register

The Internet Storm Center

UPDATE – April 13 2012

Yesterday, Apple released a fix for the Flashback trojan.

To install it: go up to the Apple menu in the top left corner, choose “Software Update”, and say yes to installing the Java update that looks like this:

Apple’s official release page is here. I’ve copied some of the text below and bolded the important parts.

This Java security update removes the most common variants of the Flashback malware.

This update also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets.

I suggested the other day it was good security practice to ensure your computer is NOT set up to “automatically open downloaded files”. Good idea to do that now. Snow Leopard users might have to do this manually.

Remember, nothing is ever 100% with this stuff. Always err on the side of caution.