back to article Wordpress munching contagion turns Linux servers into spam bots

The Mumblehard malware is turning Linux and BSD server into spam-spewing zombies. Security researchers at ESET have logged over 8,500 unique IP addresses during a seven-month research period looking into the junk-mail-linked malware menace. Mumblehard is made up of two different components. The first component is a generic …

  1. dogged

    Wordpress.

    The Internet equivalent of hiring Crapita.

    1. Anonymous Coward
      Anonymous Coward

      Re: Wordpress.

      Makes a change from Linux servers more usual role in being used as Botnet C&C hosts...

      1. Graham Dawson Silver badge

        Re: Wordpress.

        That's a funny way of spelling "Windows"

        1. Robert Helpmann??
          Childcatcher

          Re: Wordpress.

          WordPress : Servers :: Acrobat : Workstations

          Just keep patching, just keep patching...

          1. P. Lee

            Re: Wordpress.

            >Just keep patching, just keep patching...

            Patching is good. You could block outbound connections from your webservers.

            Wordpress may be bad, but your firewall and email admins get no prizes either.

            If you design your perimeter properly, even if you have a problem, it isn't shared with the rest of the world.

            1. Gerhard Mack

              Re: Wordpress.

              Blocking outgoing SMTP breaks signup confirmations, password recovery links, and comment notifications, Blocking outgoing connections in general breaks any use of external content such as news feeds and blog updates.

    2. ecofeco Silver badge

      Re: Wordpress.

      Thanks dogged. Glad to see it's not just me who thinks Wordpress is the prefect example of how to set the bar for making something more complicated that it ought to be.

  2. Ragarath
    Joke

    SEE! Linux is EVIL after all!

    Don't you dare try and pin it on that poor innocent program WordPress!

  3. Jim 59

    For Pete's sake, editors. The linked article does not mention Joomla or Wordpress at all, and the white paper mentions them only once in 23 pages, in a sentence speculating that the infection vector *may* be associated with either platform.

    So the Register prints a klaxon headline beginning with "Wordpress..."

    Seriously thinking of cancelling my subscription here.

    1. Destroy All Monsters Silver badge

      El Reg is the checkout rag of IT.

    2. Anonymous Coward
      Anonymous Coward

      Seriously thinking of cancelling my subscription here.

      I saw what you did there :).

      In all seriousness, though - there is nothing about WordPress and Joomla that makes them different from any other code you run on a platform - you have to stay on top of it, patch soonest and make teh effort of acting on what you see in the logs.

      I review especially the 404 log carefully because it shows me trends. I can see loads of URLs coming in seeking uncontrolled access to the file system (by trying if they can read a readme.txt of common plugins) and generally trying to rattle the door by running through a list of vulnerable plugins. The latter get banned at Apache level - WP won't even see them afterwards as they go straight into .htaccess black holes, but I also look where they come from. When they come from places you can reach (US or anywhere in Europe) I look up who manages the IP range and ping the abuse email address with the log (except GoDaddy, of course, because abuse@ just goes to /dev/null as far as I can see, use csirt@ instead). Quite often, they indeed take action.

      Oh, and it helps to use the most common measure to secure systems of any description: don't install what you don't need. It isn't hard.

    3. adnim

      @ Jim 59

      And more often than not it is poorly coded plug ins that are the infection vector, not Wordpress itself.

  4. Crazy Operations Guy

    Targeting platforms not OSes

    I'm assuming that this exploit is targeting PHP rather than Linux or BSD. I think this is the future of server-based malware; easier to just write an exploit for a badly-made plug-in and leverage a powerful language rather than trying to install binaries on the machine layer. With the wide-range of plug-ins available for PHP, its not surprising to see it exploited in this way, since it can remain undetected for some as it isn't creating any suspicious processes and can hide in the massive tangle of PHP files things like WordPress are made of.

    *The same thing can be said of any other similar-enough language: ASP, .net, node.js, Ruby-on-Rails, Python, etc.

    1. Anon5000

      Re: Targeting platforms not OSes

      Someone should make a Wordpress plugin vulnerability scanner and call it WPScan...

    2. Anonymous Coward
      Anonymous Coward

      Re: Targeting platforms not OSes

      Agreed, but you're too kind to PHP. The language is an unstructured mess of nifty features grafted on from real languages, wholly unfit for its sole purpose. Those other languages are merely crappy. Frontend JavaScript also plays a role here: botnets are exploiting XSS to gain admin access on WP sites.

      WordPress is also egregious; I relented a few years ago and started working with it, thinking my opinion of it was too harsh... nope, it's far worse than I imagined. Why does everyone use it? It's a cult of noobs, feeding the hype cycle until they awaken, too late, to the monstrous reality of it...

  5. Anonymous Coward
    Anonymous Coward

    I'm alright jack

    Not running M$ Windoze here, we're all Linux and Mac so 100% secure.

    1. Anon5000
      Coat

      Re: I'm alright jack

      The sarcasm is extremely misplaced in relation to this article. Both Windows and Linux servers would be vulnerable to the same Wordpress and/or Plugin vulnerabilities if this was the infection method. The only reason Linux is mentioned here is that the spam program is coded in Perl and hidden in an ELF binary, which would not run on a Windows box, thus the hackers only install it on pwned Linux boxen.

      Can't fix stupid.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021