Obfuscated Links in the Captcha on Login WordPress Plugin

  • November 24, 2015
Labs Note

Do you remember SweetCAPTCHA that tried to monetize its WordPress plugin injecting unwanted ads into web pages?

Today we’ve found another CAPTCHA plugin with a suspicious code. We cleaned a site and our scanner reported a suspicious obfuscated code inside the Captcha on Login plugin (45,000+ all time installs) files.

captcha-on-login/index.php
captcha-on-login/templates/report.php
captcha-on-login/templates/options.php

The obfuscation had strings like this:

...
${ "GL\x4f\x42\x41LS" }[ "\x64\x78cq\x70c\x6ax\x77\x6f\x63\x72" ]
...

When we see such things, we always try to decode them to figure out whether it’s legitimate or not.

...
public function options_page(){
$meu_link="http://vendacomtrafegogratuito [.]com .br";$meu_link2="hxxp://hotplus [.]net .br/plugin-hotlinks-plus/?clear";include("templates/options.php");
$meu_link="hxxp://vendacomtrafegogratuito [.]com .br";$meu_link2="http://hotplus [.]net .br/ plugin-hotlinks-plus/?clear";
}
...

Looks like that the owner of this plugin, called “Anderson Makiyama” is a Brazilian developer who is the owner of these affiliate marketing websites:
hxxp://hotplus .net .br/ plugin-hotlinks-plus/
hxxp://funildevendasparainiciante .com .br/ onde-divulgar-links-de-afiliados/

This plugin seems to be only showing these links inside the WordPress admin interface on the plugin options and report pages as “Other products of the author” (Outros Produtos do Autor). It’s maybe a bit annoying but doesn’t seem to be a big deal. It’s natural for plugin developers to pitch their other products (even such questionable ones) on the internal plugin pages (not visible to site users).

The only problem is that link injecting code is obfuscated. Not only does it result in warnings produced by security scanners, but this practice is considered unacceptable by the official WordPress Plugin Directory guidelines:

4. No obfuscated code. We believe that obfuscated code violates the spirit, if not the letter, of the GPL license under which we operate....
...Intentionally obfuscated code is not the preferred form, and not allowed in the repository under any circumstances.

It’s sad to see how plugins that are supposed to help stop hackers, actually do things that resemble what hackers do. Sometimes you can find such plugins even in the official WordPress plugin directory.

If you are looking for alternative solutions against brute force attacks, you can check our Website Firewall.

Bruno Zanelato is Sucuri's Copywriter who joined the company in 2014. As Eng - System III and working for the SOC team since 2019, his main responsibilities are (firewalls, IDS, IPS, HIDS, WAF, log management, hardening systems, PCI Compliant, IDS/IPS Signatures, Linux/BSD hardening, including developing content to highlight Sucuri's products and services and to educate the public about website security. Bruno's professional experience covers more than 15 years of deploying/managing Web Application Firewall as well as open-source security software. When Bruno isn't drafting blog posts or writing web pages, you might find him online playing MMO RPG games, watching MMA, and having fun with his kids and family during his free time. Connect with him on Linkedin

Related Tags
Related Categories
You May Also Like