Fake WordPress steals data

Yesterday evening amid the researching the Barack related malware (1, 2) our friends at The Register pointed out an interesting article on Craig Murphy’s blog.

Craig talks about how when he logged in to his  admin account in WordPress he received a “High Risk Vulnerability Warning” from a spoofed WordPress domain. (The last ‘s’ in WordPress.org has been replaced by a ‘z’.) The Warning suggests upgrading to the ‘new’ version 2.6.4 of WordPress.

Downloading this ‘new’ version of WordPress I found that of the 638 files in version 2.6.4, 637 were identical to the same files in the official 2.6.3. The only difference was in the file pluggable.php.


The hacked version of the file pluggable appears to be stealing the content of cookies on larger installations of WordPress. Sophos are now detecting this file as Troj/WPHack-A.

Delving at little deeper, the rogue WordPress site’s WHOIS records show:

Domain ID:D154583784-LROR
Created On:31-Oct-2008 01:59:20 UTC
Last Updated On:31-Oct-2008 19:27:37 UTC
Expiration Date:31-Oct-2009 01:59:20 UTC
Sponsoring Registrar:EstDomains, Inc. (R1345-LROR)
Registrant ID:DI_8908485
Registrant Name:Don T. Smith
Registrant Organization:N/A
Registrant Street1:DDDD XXXXXXXX Drive
Registrant Street2:
Registrant Street3:
Registrant City:Fort Myers
Registrant State/Province:Florida
Registrant Postal Code:DDDDD
Registrant Country:US
Registrant Phone:+239.DDDDDDD
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:XXXXXXX@gmail.com

We see our old friend EstDomains who ICANN is in the process of de-accrediting (see letter to EstDomains [pdf]).

Note that the date of this domains registration is three days after this letter!

Update: The Register have now also posted on this issue.