Exclusive: WordPress exploit explained

As Neowin reported earlier this week, WordPress blogs were compromised on what was originally thought to be GoDaddy servers.  Neowin spoke exclusively with Todd Redfoot, a security expert at GoDaddy, who explained the exploit.

GoDaddy reassures customers that the attack was via WordPress and not an attack on the GoDaddy servers themselves.  The coordinated, botnet-like attack targeted outdated versions of WordPress; the exploit was not found in version 2.9.2.  Reports indicate that GoDaddy was not the only hosting company to be attacked, and that the targets even included the US Treasury website.

In some instances, users not running WordPress were also hacked, but did have an active or inactive WordPress installation on their account.  In as many cases, users were unaware that an installation of WordPress was present on their account.

The attacker, or attackers, launched a coordinated attack on outdated versions of WordPress, adding lines of code to users' webpages.  The attack was first spotted in the early morning on May 1, 2010, when users' files were compromised.

Out of the 4 million GoDaddy users, “very few” were compromised.  The exploited accounts were all located on shared hosting servers.  Redfoot confirmed that they are currently performing their own investigation into the attacks.

Concerned GoDaddy users are urged to upgrade their WordPress blogs to version 2.9.2.  If users have been compromised, or fear they have been, they are asked to follow these step-by-step instructions to fix the issue.

If users need help determining if their site has been affected by the malware, they can submit their domain to GoDaddy's Security Submission Form: www.godaddy.com/securityissue
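
Because some affected accounts held WordPress installations their owners did not know about, the following added example (not part of the original article or GoDaddy's instructions) walks an account's directory tree, finds every WordPress installation and flags any older than 2.9.2. It assumes the version is read from each installation's wp-includes/version.php; the function names and the sample directory tree are constructed for illustration.

```python
import os
import re
import tempfile

FIXED = (2, 9, 2)  # version the article reports as not affected
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")


def parse_version(text):
    """Leading numeric part of a version string: '2.8.6-beta' -> (2, 8, 6)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group().split("."))
    return parts + (0,) * (3 - len(parts))  # pad '2.9' to (2, 9, 0)


def find_wordpress(root):
    """Return sorted (install_dir, version_string, outdated) for every install."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != "wp-includes" or "version.php" not in files:
            continue
        path = os.path.join(dirpath, "version.php")
        with open(path, encoding="utf-8", errors="replace") as fh:
            m = VERSION_RE.search(fh.read())
        version = m.group(1) if m else None
        parsed = parse_version(version) if version else None
        # An unreadable version is flagged too, so that it gets reviewed by hand.
        outdated = parsed is None or parsed < FIXED
        found.append((os.path.dirname(dirpath), version, outdated))
    return sorted(found, key=lambda row: row[0])


def demo():
    """Build a constructed account tree with three installs and scan it."""
    samples = {"blog": "2.9.2", "old/forgotten-blog": "2.8.6", "test/wp": "2.9"}
    with tempfile.TemporaryDirectory() as root:
        for rel, ver in samples.items():
            inc = os.path.join(root, *rel.split("/"), "wp-includes")
            os.makedirs(inc)
            with open(os.path.join(inc, "version.php"), "w") as fh:
                fh.write("<?php\n$wp_version = '%s';\n" % ver)
        return [(os.path.relpath(d, root), v, o) for d, v, o in find_wordpress(root)]


if __name__ == "__main__":
    for directory, version, outdated in demo():
        print("%-22s %-8s %s" % (directory, version, "OUTDATED" if outdated else "ok"))
```

To scan a real account, call find_wordpress() on the account's home or web root directory instead of the constructed tree.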
