Thursday, May 6, 2010

WordPress Hacks: Not Just NetSol and GoDaddy

Over the past month or so, there have been a series of ongoing compromises which have been interchangeably blamed on WordPress, Network Solutions, or GoDaddy. However, the attacks are occurring on many other hosts as well, including:

1 & 1
DreamHost
In2Net
Hostway
Media Temple
ServerBeach

and several others. While many of the compromised sites are using WordPress, some are not.

The two main attacks are: (1) the Google / WordPress pharma attacks and (2) the Grepad.com family of attacks that netted Network Solutions hosted sites, some U.S. Treasury sites, and many, many popular niche 'mom and pop' style sites.

Google / WordPress Pharma Hacks

In the Google / WordPress pharma attack, the attackers are targeting popular Web pages and modifying the title tag of those pages to include a pharmaceutical sales pitch. Searches that would normally cause the legitimate site to appear in search engine results pages (SERPs) will also include the manipulated title tag. The link itself still points to the legitimate site, but modifications on the compromised site will cause an automatic redirect to the pharmaceutical site.

Note that many of the sites that appear in Google SERPs for these title tags are not necessarily compromised. Quite often, blog and forum comments adopt the title tag of the post, and spammers are using these same tags. For those that are compromised, the redirect currently points to "thepharmacydiscount.com/group/bestsellers.html?said=compromised.com", where compromised.com is the name of the legitimate (but compromised) site that is delivering the redirect.

The point behind the Google / WordPress pharma attacks is to leverage the popularity ranking of the compromised sites, which boosts the SERPs ranking for the pharma keywords used.

Grepad.com Attacks

The intent of the Grepad.com family of attacks is not to gain favorable placement in SERPs to peddle counterfeit viagra, but rather to download malware to the site visitors' PCs. Pages on the compromised websites are embedded with hidden iframes that load content from the malware domain. Multiple malware domains have been used in these attacks, including grepad.com, ginopost.com, bigcorpads.com, binglbalts.com, corpadsinc.com, hugeadsorg.com, mainnetsoll.com and networkads.net. Exploits of multiple vulnerabilities are attempted in order to download this malware. A list of observed exploits can be found in this blog post.

Commonalities Between Attacks

In both sets of attacks, the attackers are filtering based on whether the clickthrough to the site is human or a search spider. In the pharma attacks, the malformed title is only presented to search spiders and the redirect only occurs if you click the link from SERPs. If you visit the site directly, by typing in the URL or from a non-SERPs link on another site, the legitimate page will load normally.

The exact opposite is true with the Grepad.com family of attacks. In these cases, the filters suppress the compromise so that search spiders don't see the embedded iframe. If the link is accessed directly (or via a link from a non-search engine), then the iframe will be rendered. However, the attackers also drop a cookie when visitors hit a compromised page and suppress the iframe on subsequent visits.

Filtering is also being done by IP address range, operating system, and user agent to determine when the embedded iframe (or pharma redirect) will be served.
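The cloaking described in this section (a spammed title or redirect served only to some clients, an iframe hidden from spiders and from cookied repeat visitors) is something a site owner can test for by fetching the same URL under several client profiles and diffing what comes back. The following is an added example written for this post, not code from the post or from any host it names; the profile header values, the cookie name, the `.invalid` hostnames and the canned sample responses are constructed assumptions that mirror the behaviour described above, and `fetch()` is the hook for running the same comparison against a live site.

```python
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser

# Client profiles to try, since the post says the attackers key on user agent,
# referrer and a cookie dropped on the first visit. Header values are assumptions.
PROFILES = {
    "spider":       {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"},
    "human_serp":   {"User-Agent": "Mozilla/5.0 (Windows NT 6.1)",
                     "Referer": "http://www.google.com/search?q=example"},
    "human_direct": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1)"},
    "human_repeat": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1)",
                     "Cookie": "visited=1"},  # hypothetical cookie name
}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a 3xx is reported rather than silently followed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, headers, timeout=10):
    """Live fetch of one URL under one profile -> (status, Location header, body)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, "", resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx surfaces here because of NoRedirect
        return err.code, err.headers.get("Location", ""), err.read().decode("utf-8", "replace")


class IframeFinder(HTMLParser):
    """Collect (src, hidden?) for every iframe; hidden = display:none or 0/1 px box."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = ("display:none" in style or "visibility:hidden" in style
                  or a.get("width") in ("0", "1") or a.get("height") in ("0", "1"))
        self.iframes.append((a.get("src", ""), hidden))


def title_of(html):
    m = re.search(r"<title[^>]*>(.*?)</title>", html, re.I | re.S)
    return re.sub(r"\s+", " ", m.group(1)).strip() if m else ""


def hidden_iframes(html):
    p = IframeFinder()
    p.feed(html)
    return [src for src, hidden in p.iframes if hidden]


def client_redirect(html):
    """Target of a meta-refresh or JS location assignment in the body, else ''."""
    m = re.search(r'http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', html, re.I)
    if m:
        return m.group(1)
    m = re.search(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)', html, re.I)
    return m.group(1) if m else ""


def compare(responses):
    """responses: {profile: (status, location, body)}. Returns only the
    observations that differ between profiles, which is the signature of cloaking."""
    per = {}
    for name, (status, location, body) in responses.items():
        per[name] = {"title": title_of(body),
                     "hidden_iframes": tuple(hidden_iframes(body)),
                     "redirect": location or client_redirect(body)}
    findings = {}
    for key in ("title", "hidden_iframes", "redirect"):
        values = {name: v[key] for name, v in per.items()}
        if len(set(values.values())) > 1:
            findings[key] = values
    return findings


def check_live(url):
    return compare({name: fetch(url, hdrs) for name, hdrs in PROFILES.items()})


# Constructed samples (not captured traffic), one per attack family in the post.
CLEAN = "<html><head><title>Acme Widgets - Home</title></head><body>Hi</body></html>"
SPAMMED = CLEAN.replace("Acme Widgets - Home", "Buy Cheap Pills Online - Acme Widgets")
IFRAMED = CLEAN.replace("<body>", '<body><iframe src="http://malware.invalid/in.php" '
                        'width="1" height="1" style="display:none"></iframe>')
PHARMA_SAMPLE = {  # spammed title for the spider, redirect only for SERP arrivals
    "spider": (200, "", SPAMMED),
    "human_serp": (302, "http://redirect.invalid/bestsellers.html", ""),
    "human_direct": (200, "", CLEAN),
    "human_repeat": (200, "", CLEAN),
}
IFRAME_SAMPLE = {  # iframe for humans only, suppressed for spider and cookied repeat
    "spider": (200, "", CLEAN),
    "human_serp": (200, "", IFRAMED),
    "human_direct": (200, "", IFRAMED),
    "human_repeat": (200, "", CLEAN),
}

if __name__ == "__main__":
    for label, sample in (("pharma", PHARMA_SAMPLE), ("iframe", IFRAME_SAMPLE)):
        print(label, compare(sample))
```

Because the attackers also filter by source IP range, a clean result from one vantage point is not proof of a clean site; run `check_live()` from more than one network before drawing a conclusion, and compare against a copy of the page fetched over FTP/SFTP, since that path bypasses the cloaking entirely.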

The Million Dollar Question: How?

The why is easy to answer: attackers want to make money. The how is murkier.

It appears the attacker is able to read wp-config.php, which by necessity contains plaintext credentials for the WordPress database. Normally, wp-config.php should not be externally readable unless the user has not properly configured file permissions. In any event, once initial access was gained, the attackers inserted or modified entries in the wp_options table for the active WordPress database. In subsequent phases (in the case of the Grepad family), the attackers modified php.ini / .htaccess and uploaded malicious scripts, which then embed the iframe.

At this point, the attackers have the ability to plant PHP backdoors on the compromised sites, a precedent first set by Gumblar. The presence of a backdoor would allow continued access to the compromised sites even after file permissions were properly configured or FTP credentials had been changed. And if proper segregation is not done, bleed-over to other sites on the same shared host can still occur.
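For the access and persistence stages just described (a readable wp-config.php, tampered wp_options rows, php.ini / .htaccess edits that pull in dropped PHP), a hosting admin would want a quick offline triage of a document root. The following is an added example, not the post's own tooling or anything from the hosts it names: the directory layout it builds, the grep patterns and the sample option rows are constructed assumptions, while the domains in `MALWARE_DOMAINS` are the ones listed earlier in the post. Option rows are passed in as `(option_name, option_value)` pairs, e.g. from `SELECT option_name, option_value FROM wp_options`, so no database driver is needed.

```python
import os
import re
import stat
import tempfile

# Domains the post names as redirect/iframe targets (values from the post, not new IoCs).
MALWARE_DOMAINS = ["grepad.com", "ginopost.com", "bigcorpads.com", "binglbalts.com",
                   "corpadsinc.com", "hugeadsorg.com", "mainnetsoll.com",
                   "networkads.net", "thepharmacydiscount.com"]
DOMAIN_RE = "|".join(re.escape(d) for d in MALWARE_DOMAINS)

# Patterns follow the attack stages the post describes; exact strings are assumptions.
OPTION_PATTERNS = [r"<iframe", r"eval\s*\(", r"base64_decode\s*\(", DOMAIN_RE]
INI_PATTERNS = [r"^\s*auto_(?:prepend|append)_file\s*="]        # php.ini include hooks
HTACCESS_PATTERNS = [
    r"php_value\s+auto_(?:prepend|append)_file",
    r"RewriteCond\s+%\{HTTP_(?:REFERER|USER_AGENT)\}",          # client-keyed rewrites
    DOMAIN_RE,
]
PHP_PATTERNS = [r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", DOMAIN_RE]


def world_readable(path):
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def grep_file(path, patterns):
    """Return [(lineno, line)] for lines matching any pattern (case-insensitive)."""
    hits = []
    try:
        with open(path, errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if any(re.search(p, line, re.I) for p in patterns):
                    hits.append((lineno, line.rstrip()))
    except OSError:
        pass
    return hits


def suspicious_options(rows):
    """rows: iterable of (option_name, option_value) read from wp_options."""
    return [name for name, value in rows
            if any(re.search(p, value or "", re.I) for p in OPTION_PATTERNS)]


def audit_docroot(root):
    """Map of relative path (or check name) -> evidence, empty when nothing is found."""
    findings = {}
    cfg = os.path.join(root, "wp-config.php")
    if os.path.exists(cfg) and world_readable(cfg):
        findings["wp-config.php world-readable"] = oct(os.stat(cfg).st_mode & 0o777)
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            if fn == ".htaccess":
                hits = grep_file(path, HTACCESS_PATTERNS)
            elif fn in ("php.ini", ".user.ini"):
                hits = grep_file(path, INI_PATTERNS)
            elif fn.endswith(".php"):
                hits = grep_file(path, PHP_PATTERNS)
            else:
                continue
            if hits:
                findings[rel] = hits
    return findings


def build_fixture():
    """Constructed document root containing one instance of each problem."""
    root = tempfile.mkdtemp(prefix="wp-audit-")

    def put(rel, text, mode=0o644):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)

    put("wp-config.php", "<?php define('DB_PASSWORD', 'example');\n", 0o644)  # should be 0o600
    put(".htaccess", "RewriteEngine On\nRewriteCond %{HTTP_REFERER} google\n"
                     "RewriteRule .* http://redirect.invalid/ [R,L]\n")
    put("php.ini", "auto_prepend_file = /tmp/x.php\n")
    put("wp-content/uploads/x.php", "<?php eval(base64_decode('aGk='));\n")
    put("index.php", "<?php require 'wp-blog-header.php';\n")
    return root


if __name__ == "__main__":
    for key, evidence in sorted(audit_docroot(build_fixture()).items()):
        print(key, evidence)
```

Run `audit_docroot("/path/to/docroot")` against a real install, then feed the wp_options export to `suspicious_options()`. Findings in uploads directories or in .htaccess / php.ini are the ones to act on first, since those are the persistence mechanisms that survive a password change; after cleanup, wp-config.php should be mode 0600 (or 0640 with the web server's group) so the database credentials are not readable by other accounts on a shared host.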

It's worth noting that the U.S. Bureau of Engraving and Printing sites (bep.gov and moneyfactory.gov) were compromised in the most recent wave of the Grepad.com attacks. While neither of these sites appears to have been using WordPress, both were hosted by Network Solutions and appear to have been published with Network Solutions Website Builder.

Reader Comments (1)

All I can say is WoW! Thank you for that information. Can you tell me if those affected were running PHPSUexec or not? Were the versions of WordPress that were attacked the latest versions, installed by Fantastico or by hand? Being a web host, I find this extremely alarming, so any extra information would be greatly appreciated.

May 9, 2010 | Unregistered Commenter Brad Jones
