Krebs On Security is reporting on a story that we’re just starting to hear about. It would appear that many users of WordPress are finding that their sites are being redirected, then the new site is attempting to install malware on the visitor’s computer.
From the report:
F**k it, we'll do it live!
Our biggest ever edition of TNW Conference is fast approaching! Join 10,000 tech leaders this May in Amsterdam.
“It’s not clear yet whether the point of compromise is a WordPress vulnerability (users of the latest, patched version appear to be most affected), a malicious WordPress plugin, or if a common service provider may be the culprit. However, nearly every site owner affected so far reports that Network Solutions is their current Web hosting provider.”
The redirect, and attempted installation is affecting only users of Internet Explorer, as the script is ActiveX, but the concern is that the script’s author could easily convert it to be compatible with other browsers as well.
If you’re one of the unlucky ones affected, here’s a reprint of the solution, posted on the Krebs on Security site:
- Log in to your site at networksolutions.com
- Using Network Solution’s MySQL admin console, browse to the wp_options table and change the value for “siteurl” to your blog’s URL . For example: “http://example.com/wordpress”.
- Edit wp_config.php to override value of SITEURL (this way even if the database value is altered, it gets overridden by the config value.
We’ll be updating as more information becomes available.
Update: As it stands, we’re seeing mainly a grass-roots effort at containing and correcting the issue. Some more information, and a bit of narrowing down can be found in the comments to this article on Sucuri Security.
Network Solutions also has a blog post dedicated to this issue. However, there does not appear to be any new information at this time.