Thursday, November 6, 2008

Malware-Infested Wordpress Upgrade

No, it's not from the real Wordpress. It's from a fake Wordpress site:

Fraudsters have set up a fake site featuring a backdoored version of the WordPress blogging application as part of a sophisticated malware-based attack.

The fake site offered up what purports to be version 2.6.4 of the open source blogging tool. In reality all but one of the files are identical to the latest pukka (2.6.3) version of WordPress.

The crucial difference comes in the form of a Trojanised version of pluggable.php, according to Sophos virus researcher Paul Baccas. Sophos detects the malicious code as WPHack-A Trojan.

One reason that I like Blogger is that security is handled by Google. I could set up a Wordpress blog, and could probably do a half way decent job of securing it. Me? I'd rather blog*, and leave the security to Google.

If you have your own blog based on Wordpress, make sure you download updates from the real ( site.

* 445 posts since June. I really, really need to get a life.

1 comment:

Anonymous said...

Mine was installed by my host.