iframe element to the page in order to load further malicious content from a remote site.
As you can see, the injected scripts are polymorphic and heavily obfuscated, a common trick used by hackers in an attempt to evade detection. Regardless of the obfuscation, Sophos products generically block the malicious scripts as Mal/JSIfrLd-A.
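For site admins who want to check their own pages for loaders of this shape, here is an added detection example (not Sophos code and not the Mal/JSIfrLd-A signature): it parses a page, flags inline scripts that combine a decoder call with a long encoded blob, and flags iframes sized or styled to be invisible. The sample page is constructed for the example.

```python
import re
from html.parser import HTMLParser

# Indicators of a self-decoding inline loader; one alone is common in benign
# code, so scan_page() requires two independent indicators before flagging.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode(", "document.write(")
# A run of 12+ consecutive \xNN or %NN sequences is an encoded string blob.
HEX_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}){12,}")

class _Collector(HTMLParser):
    """Collect inline script bodies and iframe attributes from a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self.iframes, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self._buf = []                      # start of an inline script
        elif tag == "iframe":
            self.iframes.append(dict(attrs))
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

def hidden(attrs):
    """True for iframes that are zero/one pixel or styled invisible."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)

def scan_page(html):
    """Return (kind, detail) findings; an empty list means nothing suspicious."""
    c = _Collector()
    c.feed(html)
    findings = []
    for body in c.scripts:
        hits = [m for m in OBFUSCATION_MARKERS if m in body]
        if HEX_RUN.search(body):
            hits.append("encoded-string-run")
        if len(hits) >= 2 or (hits and "iframe" in body.lower()):
            findings.append(("obfuscated-script", ",".join(sorted(set(hits)))))
    for attrs in c.iframes:
        if hidden(attrs):
            findings.append(("hidden-iframe", attrs.get("src", "")))
    return findings

# Constructed sample: one benign script, one percent-encoded loader, one hidden iframe.
SAMPLE_PAGE = """<html><body><h1>Blog</h1><script>var a=1;</script>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%65%78%61%6D%70%6C%65%2E%69%6E%76%61%6C%69%64%2F%22%3E'));</script>
<iframe src="http://example.invalid/ad" width="0" height="0"></iframe></body></html>"""
```

Run scan_page() over each stored post body or rendered page; a hit is a prompt to inspect the content, not proof of compromise on its own.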
Looking at a number of the affected sites, it was quickly apparent that they shared a common link – they all seemed to be running WordPress. Ahah, the root cause? After all, WordPress injection attacks are pretty commonplace, and something all site admins should be aware of.
In typical WordPress injection attacks, the database ends up “peppered” with malicious HTML (typically a script element that loads other remote content), such that the web pages users view when browsing the site contain that malicious code. In this latest attack, however, things are a little more complex.
So, is WordPress really the relevant link between the affected sites? Or is that just coincidence? Earlier today I queried all of the sites that we have seen hit in this attack over the past 7 days, and identified almost 600. When looking at the GeoIP data for these sites I found that 97% of them were hosted by the same provider! Couple this with the fact that several different WordPress versions are being used by the affected sites (including the latest version in some cases), and I think the finger of blame should perhaps be pointing somewhere other than WordPress.
Digging further, it would appear that the hosting provider in question is no stranger to site hacks, as official posts on their company blog testify. In such cases it is imperative that in addition to cleaning up affected sites, the target of the attack is identified (be it a vulnerable server, web application or otherwise). Only then can any vulnerabilities or insecurities be closed, to prevent future similar attacks.
As a footnote, whilst security may not be your top priority when choosing a hosting provider, it should be pretty high up the list. Assume that all servers, sites and web applications will be attacked. Assume that some of these attacks will succeed. What you want to know is how your provider will respond – from clean up to hardening against future attacks.