In the Symantec Intelligence blog we've covered how spammers like to conceal their actual spam sites through elaborate chains of redirects, often involving hacked or compromised sites, URL shortening sites, obfuscation techniques, or combinations of all of these.
We've recently seen spammers exploiting a vulnerability in WordPress, the popular open-source blogging software running on thousands of servers worldwide. Spammers are using the WordPress platform to compromise a Web server, placing a file deep within the WordPress directory structure, presumably in an attempt to avoid (or at least delay) detection. The buried file is a simple HTML page, usually containing text like "Page loading" which is briefly shown before a HTTP “meta refresh” is used to redirect users to the spammer's "Canadian Health&Care Mall" Web site, as shown in figure 1:
<meta http-equiv="refresh" content="0; url=http://[new address to redirect]" />
Note that blogs hosted by WordPress.com seem to be unaffected by these vulnerabilities, it is only older versions of the software downloaded from WordPress.org that appear vulnerable. Symantec Intelligence has not yet been able to identify the specific versions affected, but will continue to update this information via the Symantec Intelligence blog.
Spam emails containing links to these compromised Web sites are also being spammed out.
Figure 1: Pharmacy Web site linked from spam email via a compromised blog
In some cases, the file placed on compromised servers is named as the first few characters of the compromised domain name, with a ".html" extension. In the above example, the compromised domain name started with "mattjo", and the file placed on the server is called "mattj.html".
Later compromises used a randomly generated file name instead. Over a 48-hour period, we saw several thousand unique domains being compromised in this way. It is likely that the only common factor is that these domains were all using a vulnerable version of the blogging platform. A carefully crafted search engine query is perhaps all that is needed by the attackers as a prelude to compromising these Web sites.
This serves as a good reminder of the need to keep all software up-to-date with latest patches and releases. Recent versions of WordPress (2.7 and higher) can be updated semi-automatically as described in this WordPress support article.
UPDATE (27 September 2011):
It was not possible to determine the exact nature of the original compromise and the vulnerabilities being exploited to deposit the .html file onto these vulnerable Web sites, however, many of the compomised sites have since upgraded to the latest version of WordPress (3.2.1). Moreover, there are some sites that are still potentailly vulnerable and are using a variety of older versions of the blogging platform, for example:
<meta name="generator" content="WordPress 2.5.1" />
<meta name="generator" content="WordPress 2.8.2" />
<meta name="generator" content="WordPress 2.9.2" />
<meta name="generator" content="WordPress 3.0.1" />
<meta name="generator" content="WordPress 3.0.5" />
Whilst researching this attack, I found another interesting article, which suggested there were recently problems in a common WordPress theme, rather than in the WordPress platform itself. Although this article was published in August, it's unlikely that this is the vulnerability being exploited in this case; however, the screenshot of the PHP shell that the attackers installed is quite interesting.
I also found another post along a similar theme; interestingly the first post is from August 2011, but there are follow-up posts dating from 6 September 2011. I'd certainly be interested to know if you have exerienced similar problems in recent weeks.