WordPress Sites Backdoored, Leaking Credentials

wordpress seo vulnerability

Zscaler has discovered a number of WordPress sites that have been backdoored and sending credentials to a hacker-controlled website.

WordPress site administrators just cannot come up for air.

With a raft of WordPress vulnerabilities—most of them in plugins—to address, now comes word that a number of sites running the content management system have been compromised and are sending credentials via a backdoor to a criminal group.

Researchers at Zscaler on Thursday said that the backdoor code implanted on the sites awakens when a user inputs login credentials

“The credentials are encoded and sent to an attacker website in the form of a GET request,” said researchers Sameer Patil and Deepen Desai.

Zscaler said it has identified one command and control domain, conyouse[.]com where the credentials are being sent. The researchers also released a partial list of compromised WordPress sites:

  • shoneekapoor[.]com
  • dwaynefrancis[.]com
  • blissfields[.]co[.]uk
  • avalineholding[.]com
  • attherighttime[.]net
  • bolsaemprego[.]ne
  • capitaltrill[.]com
  • blowdrybar[.]es
  • espada[.]co[.]uk
  • technograte[.]com
  • socalhistory[.]org
  • blissfields[.]co[.]uk
  • glasgowcontemporarychoir[.]com
  • sombornefp[.]co[.]uk
  • reciclaconloscincosentidos[.]com
  • testrmb[.]com
  • digivelum[.]com
  • laflordelys[.]com

“When unsuspecting users attempt to login to one of the compromised WordPress sites, they are served injected JavaScript code as part of the login page,” Patil and Desai wrote. The malicious JavaScript is hosted on the C&C site, the researchers added, and is present in a file called wp.js.

“The form containing the username and password input box has a fixed name as loginform in all WordPress sites,” the researchers said. “The preventDefault event method is used to cancel the submit event for loginform entity and execute the alternate code which is present in this file. The login credential string is serialized and encoded in a Base64 format.”

Zscaler said it has not been able to determine the initial attack vector in this campaign.

“It is extremely important for the site administrators to keep their WordPress sites patched with the latest security updates,” the report said.

That message has extra meaning this week, which is slowly becoming a typical week for WordPress sites. Vulnerabilities were discovered and patched in two ecommerce plugins, eShop and TheCartPress, that put data sent through the two programs at risk.

EShop is a shopping cart plugin that has been downloaded 600,000 times, but has not been updated in two years. Researchers at High Tech Bridge discovered a validation vulnerability in the plugin’s HTTP cookie, putting user-supplied input in jeopardy.

TheCartPress, meanwhile, providers merchants with a shopping cart, catalog, and other ecommerce functionality. It suffered from a cross-site scripting vulnerability that put personal information at risk.

Another XSS issue was also found in Genericons, an icon package used by the Jetpack plugin and TwentyFifteen WordPress theme.

These issues surfaced less than two weeks after a zero-day vulnerability was disclosed and subsequently patched in the WordPress core engine, a rarity for WordPress security issues.

The vulnerability allowed for malicious JavaScript to be stored in comment fields of WordPress sites and executed server-side; the bug was patched in version 4.2.1.

Suggested articles

Discussion

  • Danesh on

    This is a backdoor installed by CryptoPHP

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.