Over the weekend, chipmaker AMD had a bit of a problem when a group known as R00tbeer targeted their WordPress installation and managed to deface the domain as well as walk away with the SQL file used to manage the content management system (CMS).
The website was replaced with the ‘True Story’ meme image, and a simple message to follow @r00tbeer_ on Twitter. In addition to the defacement, the group published an SQL file with 185 accounts, complete with username, hashed password, and email. One of the accounts looks as if it belongs to Checkib Akrout, who is AMD’s technology group’s general manager.
Prior to attacking AMD, R00tbeer also targeted an advertising scam forum, The Bot Net. Nothing of value was lost from the wannabe scammers there, mostly teenagers with parental controlled PayPal accounts, who had to change passwords after the VBulletin installation used on TBN was exploited. It too was out of date.
As of Monday morning, AMD had replaced the page at blogs.amd.com with a maintenance message, telling visitors that the domain will be “back online as soon as possible.”
The website had an outdated version of WordPress installed, version 3.0, as well as a number of additional plug-ins. Any one of them could have been the attack vector, but it is likely that R00tbeer simply targeted the main installation.
For example, in 2010 WordPress 3.0 was vulnerable to an SQL Injection vulnerability that allows an attacker to disclose information stored in the database by targeting author permissions. Later the same year, version 3.0.4 was released, addressing Cross-Site Scripting (XSS) vulnerabilities in the KSES HTML sanitation library.
At the time WordPress urged all users to update, as the XSS issue impacted “all versions of WordPress prior to 3.0.4.”
AMD has made no official statement, other than the promise to return the site soon.