Very serious: Babloo/Blyat injection attacks on my site
18 06 2009

Folks,
I’m seeing what looks like a new type of attack on WordPress-powered websites (including this one), regardless of what version of WordPress is being used. You start seeing spam in the footer, “read more” spam links, and so on, usually tagged as “babloO”/“blyat”; most of these addresses seem to resolve in Russia, but some appear elsewhere. The most obvious version of this is spam posts in the RSS feed and redirects from the homepage of this website to a PDF containing JavaScript exploits.
As of this writing (2132UTC, on Thursday, 18 June, 2009), there is no acknowledgement of the issue from WordPress developers, nor any idea how the attack is taking place. While the site is currently showing as clean, if you were redirected to a PDF, or have seen spam posts in your RSS feed, please let me know as soon as you can. If you were redirected to a PDF, please also run a check for viruses and malware on your computer if you are using any version of Adobe Acrobat on any operating system; alternative PDF readers, such as Foxit Reader or Preview.app on Mac OS X, are not believed to be vulnerable, but you are encouraged to run a check anyway, if you were redirected to a PDF.
In the interim, I am disabling as many of the plugins as I can, removing widgets and other possible sources of injection attacks, and disabling the creation of accounts. In addition, if by 1200UTC, tomorrow, Friday, 19 June, there is still no known infection vector, I will revert the theme.
I apologise for any inconvenience caused to you, and ask you to contact me via a comment if you were hit in any way when using this site.