Forum Replies Created

Viewing 4 replies - 1 through 4 (of 4 total)
  • Official Network Solutions response. Glad to see they’re working hard to solve this.

    “From what we can determine at this time, the changes look like they were made by a user with admin credentials to your WordPress blog. This could be an issue with the WordPress installation or a WordPress plugins on the site. This is not an issue on our web hosting servers”

    Network Solutions could prove their competence by looking at the MySQL server logs (SNMP?) for all affected customers, identifying the SQL UPDATE command that infected the siteurl value, finding which process or host issued the SQL command and working backwards to find the backdoor. Once found, all affected customers (not just those with open tickets) would be informed by email of the incident and the resolution, and everyone would be educated on how to prevent future attacks. I’m shocked that logging and database backups aren’t enabled by default... security is just an afterthought.

    Based on the repetition of the attack, I believe a cron job (either Linux’s crontab feature or using the wp_cron functionality) is responsible and automates the re-infection on a schedule.

    Only time will tell…
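    The first reply proposes working from the MySQL server logs back to the process or host that issued the UPDATE. The script below is an added example, not code from the forum thread or from Network Solutions: it parses a constructed sample of a MySQL general query log, picks out every UPDATE that touches the siteurl option, and ties each one to the user@host recorded on that thread’s Connect line. The log layout, addresses and queries are assumed and constructed for the demonstration.

```python
import re

# Constructed sample of a MySQL general query log (not real data). The real
# log separates columns with tabs and prints the timestamp only when it
# changes; the parser below is whitespace-tolerant so spaces work here too.
SAMPLE_LOG = """\
100411 10:23:45    12 Connect   wpuser@203.0.113.7 on wpdb
                   12 Query     SELECT option_value FROM wp_options WHERE option_name = 'siteurl'
100411 10:23:46    13 Connect   wpuser@198.51.100.9 on wpdb
                   13 Query     UPDATE wp_options SET option_value = 'http://attacker.invalid/x.php' WHERE option_name = 'siteurl'
                   13 Quit
                   12 Query     UPDATE wp_options SET option_value = 'https://example.com/wordpress' WHERE option_name = 'siteurl'
                   12 Quit
"""

# optional timestamp, thread id, command (Connect/Query/Quit), argument
LINE_RE = re.compile(r"^(?:(\d{6}\s+\d{2}:\d{2}:\d{2}))?\s*(\d+)\s+(\w+)\s*(.*)$")
# any UPDATE against an *options table that names the siteurl option
SITEURL_UPDATE_RE = re.compile(r"^\s*UPDATE\s+\S*options\s+SET\b.*\bsiteurl\b", re.I)
VALUE_RE = re.compile(r"option_value\s*=\s*'([^']*)'", re.I)


def find_siteurl_updates(log_text):
    """Return one dict per UPDATE touching siteurl: time, thread id,
    the connecting user@host for that thread, and the query text."""
    thread_origin = {}  # thread id -> "user@host on db" from its Connect line
    last_ts, hits = None, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, tid, cmd, arg = m.groups()
        if ts:
            last_ts = ts
        if cmd == "Connect":
            thread_origin[tid] = arg
        elif cmd == "Query" and SITEURL_UPDATE_RE.match(arg):
            hits.append({"time": last_ts, "thread": tid,
                         "origin": thread_origin.get(tid, "unknown"),
                         "query": arg})
        elif cmd == "Quit":
            thread_origin.pop(tid, None)  # ids are reused, so forget the origin
    return hits


def new_value(query):
    """Extract the URL an UPDATE wrote into option_value, or None."""
    m = VALUE_RE.search(query)
    return m.group(1) if m else None


if __name__ == "__main__":
    for h in find_siteurl_updates(SAMPLE_LOG):
        print(h["time"], h["thread"], h["origin"], "->", new_value(h["query"]))
```

    Feed it the real general log (or a binlog decoded with mysqlbinlog) and the rows whose origin is not the blog’s own web host, or whose new value is not the legitimate blog URL, are the ones to chase back to the backdoor.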

  • @samboll – you are right, this fixes the symptoms but not the underlying cause, which, after several hours of digging through your links (many thanks), I was not able to uncover.

    I am NOT using simplepress plugin. Try harder…that’s not the common backdoor.

  • I should add that I also did these steps:

    1. Disabled XML-RPC functionality, which is a moderately likely attack vector, but I’m not convinced.
    2. Configured the “secret keys” feature that adds password salting to make brute force attacks by guessing weak passwords MUCH, MUCH harder... although this is an unlikely attack vector.
    3. Used the WordPress Exploit Scanner plugin to search all source and theme files for “eval()” and “base64_decode” related backdoors. The podPress plugin has a lot of false positives and nothing appeared malicious.
    4. Searched database tables for “base64_decode” and “edoced_46esab”... no results.
    5. Set up an email alert using ChangeDetection.com that will alert me daily if the site’s content changes. I can safely ignore changes from new posts, but the intent is to automate capturing these iframe / cross-site-scripting attacks so we can recover zero day.

    Bottom line – I believe Network Solutions’ database server farm is infected, thus allowing the intruder to touch all MySQL hosted databases powering WordPress and change the siteurl value.

    I contacted Network Solutions and they do NOT provide Intrusion Detection/Prevention Services or any means to monitor your FTP file space for file modifications. I’m seriously considering moving our site BACK to our corporate servers for the added control, as the benefits of outsourcing the hosting no longer seem worth it.

  • Yes, I was attacked as well after upgrading to WP 2.9.2 yesterday on Network Solutions.

    How I resolved it:

    1. Using Network Solutions’ MySQL admin console, browse to the wp_options table and change the value for “siteurl” to be your blog’s URL, like “https://example.com/wordpress”.
    2. Edit wp-config.php to override the value of SITEURL (this way, even if the database value is altered, it gets overridden by the config value).

    Make sure to back up your database using Network Solutions’ admin console and enable the daily automated backups.
