During the past week, we have received several reports of WordPress exploits from our customer base. We would like to briefly address this matter and provide some additional information that we have gathered as a result of our research. Primarily, this is not related to any specific service that we offer; rather, it appears that an application-level vulnerability was abused in a large-scale manner. There appears to be a large number of users on the net facing a similar attack, and you may have also seen reports of this affecting other hosts. To clarify, this is not exploiting any architectural or system vulnerability.
Here’s how you can tell if you are affected. The following is a list of symptoms that we have observed that are related to this exploit:
- An external link to a ‘jquery.min.js’ file in the source for your page (‘view source’ in your browser).
  This has been noticed as coming from several different domains, most notably variations of smartenergymodel.com and gaindirectory.org.
  Any external link to such a file that you are not aware of should be considered part of this exploit.
- The creation of additional WordPress users.
  The prominent usernames are some form of ‘johnnyA’, ‘johhnyB’ or ‘amin’. However, any unfamiliar username deserves suspicion and should be investigated.
- A malicious-site warning presented by Google or any other authority when visiting the site in your browser (all recent browsers have this functionality).
- Pharmaceutical links appearing in search queries for your domain.
If you’ve noticed any of these symptoms appear on any of your sites, then you may be affected by this issue.
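The first two symptoms can be checked mechanically. The following is an added example, not part of the original advisory: it flags ‘jquery.min.js’ script links served from hosts you have not approved and user logins you did not create. The host names, the trusted-host list and the user lists are constructed assumptions; replace them with your own page source and account list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)

def external_jquery_links(html, site_host, trusted_hosts=()):
    """Return jquery.min.js script URLs served from a host you did not approve."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    allowed = {site_host.lower(), *(h.lower() for h in trusted_hosts)}
    hits = []
    for src in collector.srcs:
        parsed = urlparse(src)  # also parses protocol-relative //host/path
        host = (parsed.hostname or "").lower()  # empty for relative (local) paths
        filename = parsed.path.rsplit("/", 1)[-1].lower()
        if host and host not in allowed and filename == "jquery.min.js":
            hits.append(src)
    return hits

def unfamiliar_users(current_users, known_users):
    """Return logins that are not on the list of accounts you created."""
    known = {u.lower() for u in known_users}
    return [u for u in current_users if u.lower() not in known]

# Constructed sample input (hypothetical hosts and accounts), not real data.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js?ver=1.4.2"></script>
<script src="http://cdn.unknown.example/js/jquery.min.js"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
<script src="http://stats.unknown.example/track.js"></script>
</head></html>"""
SITE_HOST = "blog.example.com"            # assumption: your own site's host
TRUSTED_HOSTS = ("ajax.googleapis.com",)  # assumption: CDNs you added yourself
CURRENT_USERS = ["admin", "editor1", "johnnyA"]  # logins as exported from WordPress
KNOWN_USERS = ["admin", "editor1"]               # accounts you know you created

if __name__ == "__main__":
    for url in external_jquery_links(SAMPLE_HTML, SITE_HOST, TRUSTED_HOSTS):
        print("unexpected external script:", url)
    for login in unfamiliar_users(CURRENT_USERS, KNOWN_USERS):
        print("unfamiliar user:", login)
```

A clean result from this check does not rule out the other symptoms listed above, which have to be checked in a browser and in search results.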
At this time, we have not been able to identify the entry-point, or source, of this exploit, and without completely removing the afflicted files it is possible for this to reappear. As it stands, it is unclear which files are being created/modified, and while WordPress appears to be the prime target, it is possible for other applications to also be affected. We will be continuing our investigation in this matter, but our best suggestion for recovering from this is a fresh installation of WordPress and then hardening your site against future attack attempts.