Large US hosting provider hit in web attack

Over the past few weeks, we have been seeing a whole mix of legitimate web sites serving up a specific malicious JavaScript. When innocent users browse these sites, the injected JavaScript adds an iframe element to the page in order to load further malicious content from a remote site.

As you can see, the injected scripts are polymorphic and heavily obfuscated, one of the common tricks used by hackers in an attempt to evade detection. Regardless of the obfuscation, Sophos products generically block the malicious scripts as Mal/JSIfrLd-A.

Looking at a number of the affected sites, it was quickly apparent that they shared a common link – they all seemed to be running WordPress. Aha, the root cause? After all, WordPress injection attacks are pretty commonplace, and something all site admins should be aware of.

In typical WordPress injection attacks, the database ends up “peppered” with malicious HTML (typically an iframe or script element to load other remote content) such that the web pages users view when browsing the site contain that malicious code. In this latest attack however, things are a little more complex.

Firstly, one or more files containing malicious JavaScript are added to the site, within an existing folder using a .php filename, for example:


Then a legitimate JavaScript file that is already used by the site is modified to include a call to the above file(s). For example, the hacked jQuery script found on one of the victim sites is shown below. You can see the malicious code that has been added to the beginning of the file, which will attempt to load five malicious scripts that have been added to the site.
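A defender-side check for the two artifacts described above, as an added example that is not from the original post: it flags `.php` files that contain no PHP open tag and `.js` files whose opening bytes reference a `.php` path. The sample site, the file name `placeholder1.php` and both heuristics are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

PHP_TAG = re.compile(rb"<\?(php|=|\s)", re.I)         # any PHP open tag
PHP_REF = re.compile(rb"""["'/]([\w./-]+\.php)\b""")  # .php path referenced from JS
HEAD_BYTES = 4096  # the loader is added at the start of the file, so inspect the head


def scan_webroot(root):
    """Return sorted (kind, relative_path, detail) findings under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        suffix = path.suffix.lower()
        if suffix == ".php" and data.strip() and not PHP_TAG.search(data):
            # No PHP open tag: the server returns the body as-is (here, raw JavaScript).
            findings.append(("php-without-php", rel, ""))
        elif suffix == ".js":
            for m in PHP_REF.finditer(data[:HEAD_BYTES]):
                findings.append(("js-loads-php", rel, m.group(1).decode()))
    return sorted(findings)


def build_sample(root):
    """Constructed sample site: two clean files, one planted .php, one modified .js."""
    root = Path(root)
    files = {
        "index.php": b"<?php echo 'hello'; ?>",
        "js/app.js": b"function init(){ return 1; }",
        "js/placeholder1.php": b"var a='x';document.write(a);",
        "js/jquery.js": b"document.write('<script src=\"/js/placeholder1.php\">"
                        b"</script>');\n(function(){})();",
    }
    for name, body in files.items():
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_bytes(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in scan_webroot(tmp):
            print(*finding)
```

Both checks are heuristics: a `.php` file holding only static HTML, or a script that legitimately calls a PHP endpoint, will also be reported. Treat hits as candidates for comparison against a known-good copy of the site.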

So, is WordPress really the relevant link between the affected sites? Or is that just coincidence? Earlier today I queried all of the sites that we have seen hit in this attack over the past 7 days, identifying almost 600. When looking at the GeoIP data for these sites I found that 97% of them were hosted by the same provider! Couple this with the fact that several different WordPress versions are being used by the affected sites (including the latest version in some cases) and I think the finger of blame should perhaps be pointing somewhere other than WordPress.

Digging further, it would appear that the hosting provider in question is no stranger to site hacks, as official posts on their company blog testify. In such cases it is imperative that in addition to cleaning up affected sites, the target of the attack is identified (be it a vulnerable server, web application or otherwise). Only then can any vulnerabilities or insecurities be closed, to prevent future similar attacks.

As a footnote, whilst security may not be your top priority when choosing a hosting provider, it should be pretty high up the list. Assume that all servers, sites and web applications will be attacked. Assume that some of these attacks will succeed. What you want to know is how your provider will respond – from clean up to hardening against future attacks.