Browsed by
Month: December 2017

Malicious Backdoored plugins with More than 89,000 Active Installs found in WordPress Repository

Malicious Backdoored plugins with More than 89,000 Active Installs found in WordPress Repository

WordPress has such a massive ecosystem consist of a number of plugins and themes, threat actors involved in various malicious activities such as hiding the PHP backdoor scripts into the WordPress Security Plugin.

In this incident, the attackers sell existing unsupported plugins to new authors with backdoor code inserted and their goal is to insert SEO spam to the sites with the plugin installed.

Wordfence uncovers the incident and WordPress security team has closed the plugin from the store which means the plugin not available to download from the repository.

 

Malicious WordPress backdoor Plugins

Duplicate Page and Post

The Functionality of the plugin is to create a cloned post or the page, now the Current Owner of the plugin inserted backdoor scripts which makes a request to cloud-wp.org and injects cloaked backlinks to the site.

It has more than 50,000+ Active Installs and the plugins Removed from WordPress.org on December 14, 2017.

No Follow All External Links

Behaviour same as like Duplicate Page and Post this backdoor requests to cloud.wpserve.org and returns content based URLs and the backdoor used in injecting backlinks for SEO.

It has more than 9,000++ Active Installs and the plugins Removed from WordPress.org on December 19, 2017.

WP No External Links

It is same as the previous two backdoors it requests wpconnect.org and returns content based on the URL and the backdoor used in injecting backlinks for SEO.

It has more than 30,000+ Active Installs and the plugins Removed from WordPress.org on December 22, 2017.

Wordfence says Orb Online, paid for both the No Follow External Links and Duplicate Page and Posts plugins and the same threat actor involved in purchasing and injecting backdoors to all three of these plugins with the goal of injecting SEO spam into the thousands of websites running the plugins.

If you have the plugin installed it is highly recommended to uninstall them immediately and scan the website for infection with sucuri and gravity scan.

Thousands of WordPress websites get hacked every day, so securing your blog must be top of mind. Luckily, it’s not all rocket-science as you need to make most of the tweaks only once.

Keylogger Discovered in more than 5,000 WordPress Websites

Keylogger Discovered in more than 5,000 WordPress Websites

New research revealed that more than 5,000 WordPress websites are running along with keylogger and also it’s trying to running crypto-miner in the browser while browsing the infected website.

Recent days WordPress websites displaying unwanted banners at the bottom of the page which appears 15 seconds after browsing the website due to injecting  the Cloudflare[.]solutions Scripts in function.php. that does not belong to Cloudflare.

<script type='text/javascript' src='hxxp://cloudflare[.]solutions/ajax/libs/reconnecting-websocket/1.0.0/reconnecting-websocket.js'></script>

<script type='text/javascript' src='hxxp://cloudflare[.]solutions/ajax/libs/cors/cors.js'></script>

It used to load this malicious script every time admin pannel logged in both front end and backend.

In this case, the second  script contains cors.js which is injected in an encoded format and once it decoded we can see that there are a two cdnjs.cloudflare.com URLs with long hexadecimal parameters:

A domain name seems to be original Cloudfare URL but when we come down analyzing the https://cdnjs.cloudflare.com/ajax/libs/linter/linter.js ,it contains linterkey variables.

Further, analyze revealed that linter.js contains a real Payload in hexadecimal numbers after the question mark in the URLs.

According to sucuri, This script adds a handler to every input field on the websites to send its value to the attacker (wss://cloudflare[.]solutions:8085/) when a user leaves that field.

This Payload has capable of performing the keylogging activities each and every time admin logging on their WordPress website.

Here using this WordPress Keylogger, both the username and the password were sent to the cloudflare[.]solutions server even before a user clicks on the “Login” button.

The Same portion of this first attack and the second attack took place in April and November month and this is the latest scenario that is capable these stately keylogging futures.

The worst part is if this flow has successfully executed in e-commerce based WordPress website then the hacker can able to access the payment related information.

Mitigation steps for this WordPress Keylogger

  • Performing the Proper Pentesing for WordPress Website – Pentesting Checklist
  • As we already mentioned, the malicious code resides in the function.php file of the WordPress theme. You should remove the add_js_scripts function and all the add_action clauses that mention add_js_scripts.
  • Given the keylogger functionality of this malware, you should consider all WordPress passwords compromised so the next mandatory step of the cleanup is changing the passwords (actually it is highly recommended after any site hack).
  • Don’t forget to check your site for other infections too. Many sites with the Cloudflare.solutions malware also have injected coinhive cryptocurrency miner scripts.