The attacks, which started last Friday, occurred mostly on WordPress blogs hosted by Network Solutions but it appears that there are multiple security weaknesses in play.
David Dede, a researcher at Sucuri Security Labs, figured out that fully-patched WordPress blogs actually stores the database credentials in plain text, making it an easy target to hack.
- WordPress stores the database credentials in plain-text at the wp-config.php file.
- This configuration file should only be read by Apache, but some users (well, lots of users) left it in a way that anyone could read it (755 instead of 750 in Linux slang).
- A malicious user at Network Solutions creates a script to find those configuration files that were incorrectly configured.
- This same malicious user finds hundreds of configuration files with the incorrect permissions and retrieves the database credentials.
- Yes, he again (the bad guy) launches an attack and modify the database for all these blogs. Now the siteurl for all of them just became [malicious website]. Easy hack.
Network Solutions have since implemented a fix on their end but added a caveat:
As part of the resolution, we have had to change database passwords for WordPress. Normally, this does not impact functioning of the blog, but in some cases if you have custom code with manually-embedded database passwords (in files other than wp-config), this will require changes.
As a precaution, we’re also recommending that all customers using WordPress should log into their account to change their administrative passwords. Also review all the administrative access accounts and delete those that you do not recognize.