
Alert: WordPress Blog & Network Solutions

by Susan Wade on April 9, 2010

Update: Please see the updated posts on the issue:

http://blog.networksolutions.com/2010/update-for-word-press-customers

http://blog.networksolutions.com/2010/update-word-press-issue-fixed/

Update: Saturday 04/10/2010, 5 p.m. (Shashi Bellamkonda)

The file permissions we had recommended were causing more questions and confusion. Our support team recommends 640 for the wp-config file.

We have been comparing notes and talking to several customers and WordPress developers, including Mark Jaquith, Lead Developer of WordPress, and David Dede of sucuri.net.

Mark Jaquith’s good rule of thumb is “the most restrictive permissions that still work.” File permissions vary from server setup to server setup. Generally, “644” is recommended for wp-config.php. For public_html, it is usually 755.

David Dede explains some techniques to fix and revert a hacked web site if you are an expert yourself:

http://blog.sucuri.net/2010/02/removing-malware-from-wordpress-blog.html
http://blog.sucuri.net/2010/03/removing-malware-from-web-site-case.html

Added a few more links to the resources below:

 

Folks,

We’ve been following the discussions in the WordPress community, and there is an issue hitting sites using WordPress right now, even those running the latest, most up-to-date version (2.9.2). See this post: http://techcocktail.com/home/2010/04/08/wordpress-hacked-virus-cloaks-search-engines/.

According to Tech Cocktail, “The virus somehow infiltrates WordPress and adds a new file in your scripts directory called jquery.js and then inserts that file into the header or footer files of your site. It also inserts an iFrame that calls a 3rd party site which is known for malware or other malicious activities.”  The WordPress experts we are working with have seen that as well.
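The two symptoms quoted above (a planted jquery.js and injected markup in the theme's header or footer) can be triaged with a read-only scan. This is an added example, not part of the original post; the function name is hypothetical, and it assumes WordPress core keeps its own copy at wp-includes/js/jquery/jquery.js.

```shell
#!/bin/sh
# Added example (not from the original post): read-only triage for the two
# symptoms quoted above. Hits are leads for manual review, not verdicts.
# Assumption: WordPress core keeps its own copy at wp-includes/js/jquery/jquery.js.

# scan_injection DOCROOT
scan_injection() {
    root=$1

    # Symptom 1: a jquery.js that is not the copy shipped with WordPress core.
    # Themes and plugins may bundle their own, so compare hits to a clean download.
    find "$root" -type f -name 'jquery.js' ! -path '*/wp-includes/js/jquery/*' |
        sed 's/^/REVIEW-FILE /'

    # Symptom 2: header/footer templates that carry an <iframe> tag or pull in
    # jquery.js directly. /dev/null forces grep to print the file name.
    find "$root/wp-content/themes" -type f \
        \( -name 'header*.php' -o -name 'footer*.php' \) 2>/dev/null |
        while IFS= read -r tpl; do
            # "|| true": a template with no match must not stop the scan.
            grep -inE '<iframe|jquery\.js' "$tpl" /dev/null || true
        done | sed 's/^/REVIEW-LINE /'
}

# Usage: ./scan.sh /path/to/public_html
if [ -n "${1:-}" ]; then scan_injection "$1"; fi
```

Each REVIEW-LINE hit carries the file name and line number, so the template can be compared against a clean copy of the theme.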

Precautions you should take if you’re using WordPress:

1. Change your WordPress administrative password immediately;
2. Review the list of WordPress users who have access to your account and delete any users you do not recognize;
3. Update your WordPress account to the most recent version that Network Solutions offers;
4. Run your security and malware system scans on all computers that are used to access your WordPress account;
5. Please ensure the public_html (or www) directory of every site has 750 permissions, not the less secure 755 (see the update above);
6. Change the password for your MySQL user and update wp-config. You can recreate the same user with an updated password; and
7. Double-check under Settings > Writing that XML-RPC is turned off, and maybe, as an extra precaution, disable/move/delete xmlrpc.php.
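The post and its update name four modes (640 or 644 for wp-config.php, 750 or 755 for public_html). The following read-only audit is an added example, not part of the original post or any Network Solutions tooling; the function names are hypothetical and it assumes a Linux shell with GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the original post): read-only permission audit.
# Assumes GNU coreutils `stat -c` (Linux hosting shell); changes nothing on disk.

# extra_bits MODE MAX: print the permission bits MODE grants beyond MAX, in octal.
extra_bits() {
    printf '%03o' $(( 0$1 & (0777 ^ 0$2) ))
}

# check_path PATH MAX: report PATH if its mode grants more than MAX.
check_path() {
    [ -e "$1" ] || { echo "MISSING $1"; return 0; }
    mode=$(stat -c '%a' "$1")
    extra=$(extra_bits "$mode" "$2")
    if [ "$extra" = "000" ]; then
        echo "OK      $1 mode=$mode (limit $2)"
    else
        echo "LOOSE   $1 mode=$mode (limit $2, extra bits $extra)"
    fi
}

# audit_wp DOCROOT [CONFIG_MAX] [DOCROOT_MAX]
# Defaults are the strictest values mentioned in the post: 640 and 750.
# Pass 644 and 755 if your server setup does not work with less.
audit_wp() {
    docroot=$1
    check_path "$docroot/wp-config.php" "${2:-640}"
    check_path "$docroot" "${3:-750}"
    # World-writable PHP files let any local user alter site code; list them.
    find "$docroot" -type f -name '*.php' -perm -0002 2>/dev/null |
        while IFS= read -r f; do echo "WORLD-W $f"; done
}

# Usage: ./audit.sh ~/public_html [640] [750]
if [ -n "${1:-}" ]; then audit_wp "$@"; fi
```

The "extra bits" value shows exactly which permissions exceed the limit: 004 means other users can read the file, 005 means they can list and enter the directory.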

What to do if your site has been impacted:

You’ll need to clean up your site and here are some links from WordPress that may help you get your site cleaned.

http://codex.wordpress.org/Hardening_WordPress

http://wordpress.org/support/topic/385477/

http://codex.wordpress.org/FAQ_My_site_was_hacked
http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://www.snipe.net/2010/01/when-wordpress-gets-hacked/
http://www.rvoodoo.com/2010/02/the-dreaded-base64-wordpress-hack-and-other-hacks-too/
And when you’re done:
http://codex.wordpress.org/Hardening_WordPress

Network Solutions Customers:

Although this issue is not with our hosting servers, we can help you clean this issue up and restore your site to a previous backup. However, this may not guarantee that the issue will not occur again. We are working with the WordPress community and affected Network Solutions customers to help determine which WordPress theme or plugin may be causing this issue, and we will update this post as we learn more.

We continue to look out for our customers and our security team is reviewing logs to determine which WordPress instance or plugin may need to be fixed. We have also been working with experts in the WordPress community on this issue.

If you are a Network Solutions customer and have further issues or questions, please contact us at  listen@networksolutions.com.


    • http://twitter.com/Skitzzo Ben Cook

      Also of note: Network Solutions is working with the WordPress team to help sort out this issue.

      As I reported earlier in the week on my personal blog, there have been several hosting companies hit with this or similar hacks targeting WordPress so there are definitely a lot of resources being dedicated to finding & fixing any vulnerabilities out there.

    • rgbroitman

      Thanks Susan…helpful information…one step (I'm sure simple) I'm not sure how to do: Please ensure all sites public_html (or your www) directory have 750 permissions, not the less secure 755?

    • Emerson

      Good to hear this isn't a security problem with Network Solutions! Looking forward to hearing an explanation about which line of code is causing this!

    • DuneSandChigger

      “6. Change the password for your mySql user and update wp-config.”

      And just how the hell are you supposed to do that? I logged in at NetSol and tried to change the password but it wouldn't go through. Got a half-literate warning message about the user name having to be so many characters long, not contain any blah-blah, etc. Which made ZERO sense because I hadn't tried to change the user name. (Just to be sure, I did try changing it and still nothing happened.)

      If I can't edit that information for the database using the link purportedly FOR that purpose, how do I do it? I've chmoded the wp-config file to 750, but since the hackers already have my database details, if I can't change them, what effing good did it do me?

      I have two blogs on my site and this is the second time I've been hit since Thursday. I know how to fix it pretty quickly now, but it's a pain in the ass.

    • http://twitter.com/OfficeDivvy Office Divvy ™

      ..we're very concerned with this issue. Network Solutions technical support provided different information than what's listed here. Our WP Admin pages on our blogs are not accessible; and restoring the site to April 7 did not solve the problem.

    • http://www.networksolutions.com/small-business/getting-online.jsp Network Solutions

      Thanks for your feedback. We made some changes to the post to address the file permissions.

    • http://www.networksolutions.com/small-business/getting-online.jsp Network Solutions

      If you are still having an issue, pls send us an email: listen at network solutions .com. Thanks

    • http://www.schieldenver.com/ Book Publishers

      Thank you for addressing this issue, we've just ensured our sites have 750 permissions…

    • http://www.pankajpandey.com Pankaj

      “According to Tech Cocktail, “The virus somehow infiltrates WordPress and adds a new file in your scripts directory called jquery.js and then inserts that file into the header or footer files of your site. It also inserts an iFrame that calls a 3rd party site which is known for malware or other malicious activities.”

      Tech Cocktail blog is still infected. Here is my input to fix this issue.

      1: Change wp-config permission.

      2: Clean your theme files. You can check for any extra file in the theme folder like funx.php, or some random file without any extension. Clear any suspicious code from your footer and header. Clean your cookies and check the site again. I used Avast Home Edition, which worked well for me to find issues. If you still have a problem with the site, go to step 3.

      3: Deactivate all plugins, clear cookies and test the site again. If fixed, enable plugins one by one, clearing cookies and testing.

      4: Remove infected plugins.

      Clearing cookies is required because this infection creates a cookie-based redirect. Once you visit the site, it will show your website is OK on your end, but it will show an error on others' end.

      I hope this helps someone.

      Contact me if anyone needs more assistance.

    • http://www.appsolve.com Steven Fisher

      Thanks for the input and letting us know. We will look into this and pass this along to them.

    • http://www.appsolve.com Steven Fisher

      Jodi,

      Thanks for the comment and we are working hard to let people know of the changes required. If you need anything please feel free to reach out at listen@networksolutions.com or contact our customer support line.

    • http://www.wptavern.com Jeffro

      Oh boy, now Network Solutions says this was not an issue with their servers but the blog post on the official WordPress development blog hints otherwise.

      http://wordpress.org/development/2010/04/file-p…

    • shawn_09qn7

      So as I understand it, shared hosting customers at N.S. can all read each other's files (644 or less security), *and* the person who made this attack is an N.S. hosting customer, yet N.S. didn't have sufficient logs, monitoring (security) so as to identify the attacker and suspend/delete the account after the first offense.

      And this is the same N.S. that was one of the very first domain name registrars and to this day is responsible for guarding domain name ownership for a pretty good market share of registered domain names.

    • Serriously?

      @shawn_09qn7 Yep you understand that correctly… and that is why I don't host with them now!

    • camu

      IT IS a security problem with NS! These clowns were blaming WordPress for something they are responsible for!

    • http://www.pankajpandey.com/2010/04/network-solutions-hosting-issue-or-wordpress-security-flaw/ Pankaj Pandey

      Network Solutions hosting issue or WordPress Security Flaw…

      One of my clients is a victim of this mass hack on a Network Solutions hosted blog. I am going to share some interesting facts about this vulnerability story. Malware was found! When our client contacted Network Solutions support tell them to buy SSL as you…

    • http://www.esin.com Gazete Oku

      Hi, thank you very much. good job.
      Gazete Oku

    • http://www.sti-cs.com Parker

      “Although this issue is not with our hosting servers” http://blog.sucuri.net/ is infected

      I uploaded a PHP file on root. Deleted the htaccess file. When I try to access that PHP file in the browser, it shows a virus warning. It means the server is redirecting every request to an infected site. I am not able to connect via FTP. When I connected to my site via the file manager, I found a file there called sitemap.php; the file author is root and it has malicious code. This is very frustrating; I lost control of the site. Created a ticket. Got a reply to call NS to fix this issue. When I call, it is on waiting only.

    • http://googlesnipersystempro.com Google Sniper System

      i think again for not installing itself securely by default. At the users for not securing their blogs!

    • http://www.ceilers-news.de/serendipity/26-Drive-by-Infektionen-So-kommt-der-Schadcode-auf-den-Server.html Dipl.-Inform. Carsten Eilers

      Drive-by infections: how the malicious code gets onto the server…

      Besides the SQL injection attacks described in the previous installment, malicious code for drive-by infections can be injected into a harmless website in many other ways. For example, there has also already been search engine opt…
