We’ve recently seen a spate of WordPress attacks targeting older, insecure versions of the software, its plugins and its themes. The payload of these attacks was the installation of two malicious plugins, which show up in your ./wp-content/plugins/ directory as “tell-a-friend” and “likebtn-like-button”. These two plugins are directly related to each other.
Another telltale sign of infection is the presence of “/usr/bin/host” in the output of a “ps aux” command run from the Linux command line, usually eating up a lot of CPU cycles. This part of the worm does all the legwork, and has been observed performing WordPress brute-force attacks for propagation purposes, as well as participating in DDoS attacks against various targets. If you see any of the things mentioned above, it’s likely that a WordPress site on your server has been infected by this worm.
We recommend that you update your WordPress core, themes and plugins as soon as possible to be sure that you’re not vulnerable.
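The checks described above can be scripted. The following is an added example, not part of the original post or any vendor tooling; the web root path, the 20% CPU threshold, the function names and the sample process list are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): look for the indicators it names.
# Usage: sh wp-worm-check.sh /var/www    (the web root path is an assumption)

SUSPECT_PLUGINS="tell-a-friend likebtn-like-button"

# Print each suspect plugin directory found in any WordPress install under $1.
find_suspect_plugins() {
    for name in $SUSPECT_PLUGINS; do
        find "$1" -type d -path "*/wp-content/plugins/$name" -prune -print 2>/dev/null
    done
}

# Read `ps aux` output on stdin and print "PID %CPU USER" for every
# /usr/bin/host process using at least $1 percent CPU (default 20, an
# assumed threshold: a normal DNS lookup with host is brief and cheap).
find_busy_host_procs() {
    awk -v min="${1:-20}" '$11 == "/usr/bin/host" && $3 + 0 >= min { print $2, $3, $1 }'
}

# Constructed sample of `ps aux` output, used when run with --demo.
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  19232  1500 ?        Ss   Jan01   0:01 /sbin/init
www-data  4312 97.3  0.4  20144  4200 ?        R    10:02  55:10 /usr/bin/host
www-data  4400  0.1  1.2 310000 12000 ?        S    10:05   0:00 /usr/sbin/apache2 -k start
bob       5120  0.0  0.0   9000   800 pts/0    S+   11:00   0:00 /usr/bin/host example.com'

# Run both checks against the live server.
scan_server() {
    echo "== Suspect plugin directories under $1 =="
    find_suspect_plugins "$1"
    echo "== /usr/bin/host processes with high CPU (PID %CPU USER) =="
    ps aux | find_busy_host_procs 20
}

if [ "$1" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PS" | find_busy_host_procs 20
elif [ -n "$1" ]; then
    scan_server "$1"
fi
```

The user column in the process output shows which account the process runs under, which helps narrow down the affected site on a shared server.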
There is a fairly comprehensive breakdown of the worm in this off-site blog post. If you have any questions regarding this post, please don’t hesitate to get in touch with our support team. Please accept our apologies if this incident report is not relevant to the service(s) that you have with us.
For more information on how to update your WordPress site, call 0113 322 1490 or get in touch with us via the contact form below.