Malware attacks on WordPress, Joomla and Drupal websites
This month we will divert our attention slightly to the growing problem of malware that has attacked thousands of websites on high-profile and very popular web hosts since the middle of April 2010.
The attacks have struck WordPress, Joomla, Drupal and several other sites that are based on PHP. The malware typically redirects visitors to a fake anti-virus site that downloads malware onto the visitors' computers. It achieves this by injecting JavaScript into all PHP files.
Remedies For Users
Anti-virus software such as AVG, Avast and others displays warnings and prevents the redirection to malware sites.
Remedies to protect Websites
Upgrade to the latest version of the software. It is also recommended to keep all your files read-only. Although this will cause problems when upgrading, it is known to prevent re-infection.
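Because the injection touches every PHP file, a checksum baseline taken from a known-clean copy shows exactly which files were altered, and the same pass can list files that are still writable. The script below is an added example, not code from the article or from any host; the function names and the list of extensions treated as PHP are assumptions.

```python
import hashlib
import os
import stat

PHP_EXTENSIONS = (".php", ".phtml")  # assumption: extensions treated as PHP


def php_files(root):
    """Yield every PHP file under root, as a path relative to root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(PHP_EXTENSIONS):
                yield os.path.relpath(os.path.join(dirpath, name), root)


def snapshot(root):
    """Map each PHP file to its SHA-256; take this from a known-clean copy."""
    result = {}
    for rel in php_files(root):
        with open(os.path.join(root, rel), "rb") as fh:
            result[rel] = hashlib.sha256(fh.read()).hexdigest()
    return result


def audit(root, baseline):
    """Compare the live tree with the baseline and list files still writable."""
    current = snapshot(root)
    writable = sorted(
        rel for rel in current
        if stat.S_IMODE(os.stat(os.path.join(root, rel)).st_mode) & 0o222
    )
    return {
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "writable": writable,
    }


def make_read_only(root):
    """Clear every write bit on PHP files, as the article recommends."""
    for rel in php_files(root):
        path = os.path.join(root, rel)
        os.chmod(path, stat.S_IMODE(os.stat(path).st_mode) & ~0o222)
```

Store the baseline outside the hosting account, since a process that can rewrite the PHP files can rewrite a baseline kept beside them.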
Views Of GoDaddy Regarding Attacks
This is what GoDaddy, a leading web host, had to say regarding the attacks: "This is a complex attack with many components. Here is a high-level overview of how they occur:
1. The attacker is coordinating attacks against three different hosting providers for this to work.
* At Hosting Provider ‘A’ – A malicious file is placed on hosting accounts at this provider. No two files have the same name.
* At Hosting Provider ‘B’ – A file is uploaded listing the infected domain names and unique file names from provider ‘A.’
* At Hosting Provider ‘C’ – A malicious “scareware” site is placed on compromised accounts.
2. After the attackers put their files in place, they use Hosting Provider ‘B’ to trigger the malicious files on Hosting Provider ‘A.’ When triggered, the malicious file:
* Scans the hosting account for any PHP file
* Injects malicious content, installing malware that directs to Hosting Provider ‘C’
* Removes any trace of itself from ‘Hosting Provider B’
3. The attack is complete when an infected website receives a visitor. The visitor, if not adequately protected, will have malware installed on their machine.
4. The malware will alert the infected computer to purchase fake anti-virus software, located at Hosting Provider ‘C.’
Go Daddy and many other hosting and security companies are aware of this attack strategy. One point of the attack we are all working to stop is the malicious file from being placed on Hosting Provider ‘A.’"