0 SHARES Facebook Twitter

Since yesterday we are seeing a large number of WordPress blogs (running the latest version 2.9.2) getting infected with malware. None of them are using the same plugins or the same themes. Some of them even have wp-admin access blocked to only a few IPs and via htpasswd password. The only similarity between them is that they are all shared hosts at Network Solutions.

Some of our clients spoke with Network Solutions and they confirmed that all their WordPress sites are having issues, but their servers are clean (are they?).

What is interesting about this attack is that it does not create or modify any files, so the average security advice does not apply here. The only thing is does is to modify your “siteurl” inside the “wp-option” table to point to http://networkads.net/grep/, breaking the site layout completely.

That’s how it looks like in the database:

(2, 0, ‘siteurl’, ‘ ‘, ‘yes’),

The only way for the database to be modified like that is via SQL injection or a bigger problem inside Network Solutions databases.

Anyone else having this issue? If you are, let us know about it.

*To fix this issue, just revert your siteurl back to the previous value. Log in to your control panel, go to manage database, and edit the siteurl value on the wp-option table.

**If you need help cleaning this up, send us an email dd@sucuri.net

Update 1: More Network solution users affected:

Same thing — some HTML inserted into the siteurl field in the wp_options table, and I can’t get to my login page. I hadn’t upgraded to 2.9.2 yet, and the site’s not using SimplePress forum. So it’s not just 2.9.2 that is affected, if that helps at all.

And here:

My site njnnetwork.com got hacked yesterday morning. After a series of non-productive tasks all day, Network Solutions admitted they have been hacked on many WordPress sites.

Here as well:

They changed my wp-options siteurl to be an iframe pointing to networkads.net/grep The site was not loading correctly so I was able to find this in phpmyadmin. I have had a rash of hacks lately and talked to Network Solutions (my host) They tell me all of their wordpress sites are getting banged up, but their servers are clean.

And many more at the WordPress forums.