Hundreds of WordPress blogs hosted on shared servers were attacked with malicious code injected into their pages. A detailed analysis of the affected sites uncovered instructions to hide the attack from Google’s web crawler.
The obfuscated JavaScript code injected into the footer.php script was first spotted on blogs hosted at Dreamhost. “The initial reports today were restricted only to Dreamhost, but now we are seeing the same pattern on blogs hosted at GoDaddy, Bluehost, Media Temple and other places,” Sucuri Security Labs, a provider of web integrity monitoring services, announced on Friday.
The injected malicious code redirects visitors to a scareware landing page, which displays a fake antivirus scan. The FAKEAV variant distributed via this attack is detected by 24 out of the 41 antivirus engines on VirusTotal.
There is still no clear information regarding the method of attack in this case. Go Daddy seems to put the blame on outdated versions of the applications. “The bottom line resolution is to be sure you have the most up-to-date versions of your applications within your entire hosting account,” Todd Redfoot, chief information security officer at the hosting provider, told WPSecurityLock.
Security experts say stolen FTP or blog admin passwords, a vulnerability in the WordPress blogging platform, or a bug in a popular WordPress plug-in are valid possibilities.
The landing page practices really are an ongoing test. ;-P