Naked Security

WordPress sites are being backdoored with rogue admin users

A malvertising campaign has evolved to give hackers control of entire sites.

Lock up your WordPress – a recent malvertising campaign targeting vulnerable plugins is now trying to backdoor sites by creating rogue admin accounts.

In July when web firewall company WordFence (aka Defiant) first noticed the campaign, it was attempting to hijack sites to push popup ads, tech support scams and malicious Android apps.

Plugins targeted included vulnerable versions of Coming Soon Page & Maintenance Mode, which followed attacks in April and May on the Yellow Pencil Visual CSS Style Editor and Blog Designer.

Six weeks on, perhaps encouraged by the number of vulnerable sites they found, the attackers have upgraded their attacks to take complete control of vulnerable sites.

A new vulnerable plugin, Bold Page Builder, has also been added to the exploitation list, which attackers reportedly started targeting on 22 August.

Rogue one

Anyone with a vulnerable plugin is now at risk of having their site backdoored by a rogue user account with administrator privileges. As before, the attackers attempt to infect vulnerable sites with malicious JavaScript code that’s run whenever a user visits an affected page.

The moment of weakness occurs if the user:

  1. Has previously visited an infected page
  2. Is a WordPress administrator on the infected site
  3. Is currently logged in to the site

If these conditions are met the code silently abuses the logged-in administrator’s ability to create new users, issuing an AJAX request to create a rogue administrator account named wpservices.

What could the attackers do with the access this rogue account gives them?

Pretty much anything they want.

What to do

The takeaway from this is that WordPress plugins represent a major security headache for site owners and need to be updated quickly, as soon as new software becomes available.

WordPress is such a popular platform that all WordPress site operators should assume that their sites are the subject of constant scans, probes and automated hacking attempts.

In recent months, we’ve reported on a raft of plugins being targeted by hackers, including Easy WP SMTP, Abandoned Cart for WooCommerce, and WP GDPR Compliance.

It’s a trend that shows no sign of ebbing.

Campaigns like this work by exploiting known vulnerabilities in WordPress plugins and, as ever, prevention is better than cure. So, check regularly to ensure your plugins are up to date and make sure that your WordPress core software is set up to update itself automatically with security fixes.

You might want to read Naked Security’s guide on how to avoid being one of the “73%” of WordPress sites vulnerable to attack too.

If you’re concerned that you might have been a victim of this campaign, WordFence have published a list of vulnerable plugins and Indicators of Compromise (IOCs).

As already noted, the giveaways for the latest attack are currently the user wpservices using the email wpservices@yandex.com. The attackers can change this (and the list of plugins they’re targeting) at their leisure, of course.
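A quick triage check for the rogue-admin backdoor described above: list the site's administrator accounts and flag any that match the wpservices/yandex giveaways or that are not on the list of administrators you expect. This is an added example, not code from the article or from Wordfence; it reads the CSV produced by the real WP-CLI command `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv`, and the allowlist of expected logins is something you supply.

```shell
#!/bin/sh
# Added example (not from the article or Wordfence): audit WordPress administrator
# accounts against an allowlist and the campaign indicators named in the article.
# Usage:
#   wp user list --role=administrator \
#      --fields=ID,user_login,user_email,user_registered --format=csv \
#      | audit_admins "alice bob"
# Prints one line per suspicious account: REASON login email registered.
# Assumes plain CSV fields (WordPress logins and emails contain no commas).

# Indicators from the article; the attackers can change these at any time,
# so the allowlist check below is the one that keeps working.
IOC_LOGIN="wpservices"
IOC_EMAIL="wpservices@yandex.com"

# audit_admins <space-separated list of expected administrator logins>
# Reads the WP-CLI CSV (with header row) on stdin.
audit_admins() {
    allow="$1"
    awk -F',' -v allow="$allow" -v ioc_login="$IOC_LOGIN" -v ioc_email="$IOC_EMAIL" '
        BEGIN {
            # Build a lookup table of the logins we expect to hold admin rights.
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        NR == 1 { next }                      # skip the CSV header row
        {
            login = $2; email = $3; registered = $4
            if (tolower(login) == ioc_login || tolower(email) == ioc_email)
                print "IOC_MATCH " login " " email " " registered
            else if (!(login in ok))
                print "UNEXPECTED_ADMIN " login " " email " " registered
        }'
}
```

An UNEXPECTED_ADMIN hit is not proof of compromise, but on a site running one of the vulnerable plugins every administrator you did not create yourself deserves a look at its registration date and a password reset for the real accounts.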

Recovering a compromised site is beyond the scope of this article but if you find yourself needing to do it you’ll wish you had full, regular, off-site backups. So, if you don’t have that set up for your site already, do it now, before you need it!

8 Comments

Thanks for the great word up; we all needed that list of bad plugins. I’m using WooCommerce so I’m fighting the battle just like every other e-commerce owner on WordPress. Folks, do your updates and keep your database strong and you should be just fine. Thanks again for the word up.

Reply

I have noticed these attacks on my home server for quite some time now – if you look at it you can see most of the tricks they are attempting. I, as opposed to so many other site holders, am very open about the attempts. I have noticed it all back from some time in May of this year. I publish the hacking attempts on my site, even what I think may be DoS attempts, but I’m not exactly sure. The attackers are targeting servers like IIS and Apache and the plugins Joomla, WordPress and more, hitting database systems. When I have been attacked like this I have looked up the attacker IPs and if they contain a web server I have sent a message like this for their server logs:

###.###.###.###/Hello_Hacker_[redacted]_is_really_not_that_easy_to_HACK_-_Is_it/

Of course that agitated them to try harder on my site, but as much as they tried they are always losing the game.

Personally I’m not too fond of WordPress as I’m not in complete control, and I did once publish a Microsoft hack on my WordPress site and Microsoft had my posts about my experience with the hacker, who was actually working for Microsoft, taken off. All that was before I got my domain [redacted].

Reply

@Heinrich: The IP address from which the hack attempt came does not necessarily belong to the hacker. The botnet TurkBot infects sites worldwide with scripts which (usually) attempt to hack cPanel/WHM, WordPress Akismet, Joomla Open Flash and anything else that runs PHP. You should also report the incident to the CERT of the country from which the hack came.

Reply

I know that the IP does not necessarily belong to the hackers, but it is a way to let them, and the site owners, know that they are busted, either as hackers or as a hacked site in need of a serious security update. It also gives me a response in the form of more attacks from other IPs as I block the current attacker IPs, meaning at some point I will have catalogued the lot. In regards to the reporting, I usually do that, but it seems that a huge load of IPs are attackers – IPs, according to Whois lookups, belonging to major companies like Amazon, Google, Hetzner and Microsoft, of which Amazon and Hetzner seem to have the worst cases of attackers. Whether they are hacked sites or hacker sites, they are usually newly set up, but of course without proper setups. Hackers, if anyone, should know what they need to set up, but frequently they don’t. At some point I encountered a full directory list of folders of phishing sites. Reported, of course, by me as I discovered it. Apart from reporting to abuse teams I also report to [an IP abuse site].

So yes I am doing my bit.

Reply

Hi guys, I am helping out with a friend’s WordPress site; it seems some sort of malware has access and is publishing scam/spam pages inside the WordPress site. In fact Google has indexed 7,000+ pages on the site, which has fewer than 20 actual pages. And through the Google-indexed pages I can see a bunch of bitcoin-related scam articles published directly on the site. But when you go to the WordPress CMS and look in the “Pages” section, you don’t see those. How can I 1) bulk delete those spam pages, and 2) prevent this from happening further without knowing which of the installed plugins is guilty? Does simply changing CMS passwords help? Has anyone encountered a similar problem?

Reply

It sounds like somebody has uploaded a bunch of files to the web server that WordPress is running under, in which case WordPress isn’t involved in serving these scam pages, and can’t be used to view, edit or delete them.

The web hosting company will be able to provide access to the website’s filesystem (the “hard drive” the website software is installed on) which is typically accessible via FTP or SSH.

Log in via FTP/SSH and you should be able to see and delete the errant files. Before you delete anything, change your FTP and WordPress passwords, and make sure the WordPress plugins, themes and core software are all up to date, to prevent reinfection.

You can either delete the files you know to be bad, working carefully around the files that actually form part of WordPress, or you can delete *everything* and then download and reinstall WordPress. In either case, back up the things you care about first: at a minimum that’s the WordPress databases, the contents of the WordPress uploads folder and the wp-config.php configuration file.

I hope that helps.

Reply

Hello,

I recently got an alert via Google Search Console of malware found in a folder in my cPanel WP hosting root dir; however, my WordPress site was not affected by it. The folder was called /update/news/uploader.php. I immediately logged in to my hosting cPanel and deleted the folder and all its contents and emptied the trash; however, I found it back again today.

I contacted my host, who provided me with a list of IP addresses that were recently logged in to my hosting; only 3 entries were mine. I updated WP and plugins, everything to the latest version, and changed all passwords. This is very disturbing as I have had 2-factor authentication on my hosting login since I got it. It seems some kind of exe file was in that folder but I’m not sure it was doing anything yet; it could be that it is waiting to be triggered in an attack using a botnet, for which they used my account to store the file.

After creating a security alert support ticket, my hosting company says they cannot identify the IP’s country of origin and to just change all my passwords asap and monitor my account for any further suspicious activity.

Reply

Hi Tim and Baz,

The CMS system itself has been compromised, meaning the regular website files, or some of them, have been exchanged for modified versions. It may be possible that your own 3 files/folders (Tim) are still there, but can you see if they have been modified? I believe it is possible to add commands through other website files if they follow the standard setup methods, which is exactly what hackers are aiming at. That is what my own server’s log files reveal. Be careful of the POST (web form) command function and the GET functions (extra website address data).

Both types are vulnerable on each level, and if the server’s page setup is not modified with security measures the hackers may actually grant themselves access at any time. The compromised CMS system can be set up to hide anything from the web admins when using the CMS admin system itself. This is why, Baz, Mark wrote to you about using FTP or SSH file access. Next time you log into it, check the dates of each file: whether they are from about the latest couple of months or from the original date of install, if you haven’t changed them yourself.

Happy hunting guys!

Reply
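The filesystem checks the replies above suggest (looking for files WordPress does not know about, a PHP file sitting in a folder that should only hold uploads, and files whose dates do not match the install) can be scripted once you have SSH access. This is an added example, not code from the article or any commenter; the WordPress root path and the reference file are arguments you supply.

```shell
#!/bin/sh
# Added example (not from the article or the commenters): three POSIX find
# checks to run over a WordPress install reached via SSH.
#  php_in_uploads  - PHP files under wp-content/uploads. That folder should
#                    hold media only, so any PHP there (like the uploader.php
#                    reported above) is a red flag.
#  recent_php      - PHP files modified within the last N days; on a site that
#                    has not been updated lately these are the files to inspect.
#  changed_since   - every file newer than a reference file you trust, e.g. a
#                    core file with the original install date, or your backup.
# Each function prints matching paths, one per line, for comparison against
# a clean WordPress download or your off-site backups.

# php_in_uploads <wordpress-root>
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# recent_php <wordpress-root> <days>
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2"
}

# changed_since <wordpress-root> <reference-file>
changed_since() {
    find "$1" -type f -newer "$2"
}
```

Attackers can reset modification times, so an empty result from recent_php is not a clean bill of health; the uploads check and a comparison with a known-good copy of the core files are the more reliable of the three.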
