So, every day we wake up there is someone begging us to get up urgently, because patching hacked WordPress sites is our daily routine. We simply follow wake up > patch WordPress > eat > sleep. But for the last two days there have been a lot of queries and concern about this new redirection issue.
My good friend Ram Gall has already written on WPScan about the Redux Framework vulnerability that could affect millions of websites. Later on we investigated these redirects and found they are nothing but common WordPress hacks that attackers use to send all of a site's traffic to their own website.
We also studied huge log files (more than 10 GB) from multiple clients whose sites were hit by this attack. One thing we found was uncommon: the entry point.
We didn't find any POST request that pointed at one plugin or theme common to 100% of the sites. A few plugins did match and showed up on many clients, for example wp-automatic. A few clients told us it came from the Redux Framework, but to exploit that bug the attacker needs at least subscriber privileges, and in all the cases we looked at registration was completely disabled.
So after two continuous days we finally gave up and decided to write this article for those who have been hit by the WordPress malware redirection. It is always better to give a patient emergency treatment first rather than asking for their full medical history. Plus, publishing the attack path is not a good idea: even if it is for educational purposes only, there will be people who use it for dark purposes for sure.
The Perfect Hack Doesn’t exis..
In our investigation we found that attackers have set up several ways to keep access to every hacked site. First, the attacker changed your website URL in the *_options table, so that every request your domain receives gets redirected to the malicious website.
The first redirect leads to
karlliscanutma[.]gq
which then redirects through the following sequence:
cancroid[.]buzz > ffzbdi[.]eatoccurwriter[.]top
Now, if you have already changed those URLs back in the *_options table and think you are safe, you need to read this article carefully, because the attacker has already opened many other doors to get back into your site.
WordPress has a simple function, get_option() (more info), that reads a value out of the *_options table.
If your options table has a row named mynoobcolumn whose content is "This site is hacked!", get_option() will hand that content back when called like this:
$hackerfunction = get_option('mynoobcolumn');
$hackerfunction now holds "This site is hacked!". Note that get_option() itself only returns the stored string; it does not run anything. The execution happens in the plugin code that calls it, which is the next part.
Now, the attacker has split his/her malicious code, via bots, across several of the plugins installed on the victim's website.
A few lines of code sit in one plugin, a few more in another. As long as those plugins are activated, each infected plugin pulls the payload out of the database with get_option() and executes it, so the database and the plugins together form the backdoor.
We found a few lines of suspicious code (which did not look malicious on first inspection) in a few plugins.
After that, using our custom AI, we compared the plugins' original sources with the victim's copies and found a few lines that had been changed by someone. Those lines did not even contain exec or any base64 encoding, so all the scanning plugins such as WPScan would fail to recognise the malware.
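As an added example (not the article's own tooling, and not a real scanner), here is a small Python script that does what the paragraph above describes by hand: it diffs a victim's plugin files against a pristine copy of the same plugin version, lists the added lines, and flags lines where a value fetched with get_option() is handed to something that runs it as code. The plugin name, paths, option names and the injected lines written by build_demo() are constructed for the demo, taint tracking is per file only, and it goes a little beyond the text's single example by covering any exec-style sink and dropped files that have no pristine counterpart.

```python
import difflib
import hashlib
import os
import re
import tempfile

# Sinks that run a string as code or as a callback; none of them needs exec()
# or base64 on the line, which is why keyword scanners miss this payload.
EXEC_SINKS = re.compile(
    r"\b(eval|assert|create_function|call_user_func(?:_array)?|array_map|"
    r"array_filter|usort|preg_replace_callback|include(?:_once)?|require(?:_once)?)\b",
    re.IGNORECASE,
)
TAINT_ASSIGN = re.compile(r"(\$\w+)\s*=\s*get_option\s*\(", re.IGNORECASE)
DIRECT_SOURCE = re.compile(r"\bget_option\s*\(", re.IGNORECASE)


def _read_lines(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\n") for line in fh]


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def option_to_exec_lines(lines):
    """Lines where option data reaches an exec sink: get_option() inside the
    sink call, or a variable assigned from get_option() anywhere in the same
    file passed to it (same-file taint only, no cross-file tracking)."""
    tainted = {m.group(1) for line in lines for m in TAINT_ASSIGN.finditer(line)}

    def used(line):
        return any(re.search(re.escape(v) + r"\b", line) for v in tainted)

    return [ln for ln in lines if EXEC_SINKS.search(ln) and (DIRECT_SOURCE.search(ln) or used(ln))]


def added_lines(pristine_dir, victim_dir, rel):
    """Lines in the victim's copy of rel that the pristine copy lacks; a file
    with no pristine counterpart (a dropped file) is returned whole."""
    victim = _read_lines(os.path.join(victim_dir, rel))
    pristine_path = os.path.join(pristine_dir, rel)
    if not os.path.exists(pristine_path):
        return victim
    diff = difflib.unified_diff(_read_lines(pristine_path), victim, lineterm="", n=0)
    return [d[1:] for d in diff if d.startswith("+") and not d.startswith("+++")]


def audit_plugin(pristine_dir, victim_dir):
    """Map every modified or new .php file under victim_dir to its added lines
    and to the whole-file lines that feed option data into an exec sink.
    Files whose SHA-256 matches the pristine copy are skipped."""
    report = {}
    for root, _dirs, files in os.walk(victim_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(root, name)
            rel = os.path.relpath(full, victim_dir)
            pristine_path = os.path.join(pristine_dir, rel)
            if os.path.exists(pristine_path) and _sha256(pristine_path) == _sha256(full):
                continue
            report[rel] = {
                "added": added_lines(pristine_dir, victim_dir, rel),
                "suspicious": option_to_exec_lines(_read_lines(full)),
            }
    return report


def build_demo(base=None):
    """Write a constructed pristine/victim pair (hypothetical plugin). The two
    lines injected into demo.php mirror the article's finding: no exec, no
    base64, just a callback name pulled from the options table and invoked."""
    base = base or tempfile.mkdtemp(prefix="wpaudit-")
    clean = ["<?php", "/* Plugin Name: Demo plugin (constructed sample) */",
             "function demo_init() {", "    add_action('init', 'demo_run');", "}"]
    infected = clean[:4] + ["    $p = get_option('mynoobcolumn');",
                            "    if ($p) { call_user_func($p); }"] + clean[4:]
    files = {
        "pristine/demo.php": clean,
        "pristine/readme.php": ["<?php // untouched helper"],
        "victim/demo.php": infected,
        "victim/readme.php": ["<?php // untouched helper"],
        "victim/inc/cache.php": ["<?php", "eval(get_option('demo_cache_blob'));"],
    }
    for rel, lines in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
    return os.path.join(base, "pristine"), os.path.join(base, "victim")


def run_demo():
    """Build the sample tree and audit it; returns the report dict."""
    return audit_plugin(*build_demo())


if __name__ == "__main__":
    for rel, info in sorted(run_demo().items()):
        print(rel, info)
```

On a real site, point pristine_dir at a fresh download of the same plugin version from the WordPress repo and victim_dir at wp-content/plugins/<plugin> on the hacked host; files reported with an empty "suspicious" list but non-empty "added" lines still deserve a manual look, since the sink may live in a different plugin.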
well played hacker! well played.
How to get rid of the hacker
We scanned every possible entry point we could find and listed them in this article so you can recover a hacked site for now. We will update this article if we find more evidence.
=> change home, siteurl & admin_email in the *_options table

Here are the MySQL queries if you don't have a database management tool installed. Replace wp_ with your own table prefix (the one set in wp-config.php), use your full URL including the scheme, and fix admin_email the same way so password resets don't go to the attacker.
UPDATE wp_options SET option_value = 'https://yourdomain.com' WHERE option_name = 'siteurl';
UPDATE wp_options SET option_value = 'https://yourdomain.com' WHERE option_name = 'home';
=> remove any malicious user account that has been added
If your site was redirected, there is a near-100% chance that a malicious user exists in your WordPress install. Sometimes you won't see it in the wp-admin panel because it has been hidden from the panel, but it is still sitting in the database itself. You can check by looking in the *_users table.

Remove these kinds of suspicious users from the table.
PS: if you find a suspicious user in the tables, we strongly advise you to check your WordPress core, theme and plugin files too, as there may be backdoor PHP code that recreates the account with a single GET/POST request.
=> check your .htaccess, index.php & wp-config.php files for changes
.htaccess (if you are using Apache), wp-config.php and index.php are the most important files for running WordPress, and for executing malicious activity (not that it is required every time :)). Check them and compare against the original files from the repo.
=> change the wp-admin path to some random URL (although it can be easily revealed :P)
Changing the wp-admin path is a reasonably good practice, but it won't protect your website completely, since most of these attacks are executed by bots and scripts and do not require logging in through wp-admin at all. Still, it is good practice, especially after you have been hacked.
=> delete unused and unnecessary plugins & themes (this is compulsory) and, if possible, reinstall the rest for better safety. This breaks the chain.
Delete all of your deactivated plugins and the ones you rarely use that have just been living in your directory for ages. Those plugins often don't get updated and later end up storing malware and trojans. It is also good to remove a plugin's files completely and reinstall it fresh from the WordPress repo, because that wipes out any code changes. Updating helps too, but still, prevention is better than cure.
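The database steps above, written as an added example (not part of the original article): parameterised SQL that resets siteurl, home and admin_email, lists every account that holds administrator according to the usermeta table (an account hidden from the wp-admin user list by a plugin filter still appears there), and lists accounts registered after the incident date. The demo runs against an in-memory SQLite stand-in with constructed rows; the wp_ prefix, the attacker.invalid and example.com values and the incident date are assumptions, and on a real site you would pass a MySQL DB-API connection and your own prefix instead.

```python
import re
import sqlite3

# Placeholder style: sqlite3 uses "?"; mysql.connector and PyMySQL use "%s"
# (and then the literal % in LIKE must be written %%). Swap this one constant.
PH = "?"


def _check_prefix(prefix):
    """The table prefix is interpolated into SQL as an identifier, so it is
    restricted to the characters wp-config.php allows and never taken from
    user input."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError(f"refusing suspicious table prefix {prefix!r}")
    return prefix


def fix_site_urls(conn, prefix, site_url, admin_email):
    """Reset siteurl, home and admin_email. Returns the previous values so the
    attacker's redirect domain can go into your own IOC notes."""
    p = _check_prefix(prefix)
    cur = conn.cursor()
    cur.execute(f"SELECT option_name, option_value FROM {p}options "
                f"WHERE option_name IN ('siteurl', 'home', 'admin_email')")
    before = dict(cur.fetchall())
    for name, value in (("siteurl", site_url), ("home", site_url), ("admin_email", admin_email)):
        cur.execute(f"UPDATE {p}options SET option_value = {PH} WHERE option_name = {PH}", (value, name))
    conn.commit()
    return before


def list_administrators(conn, prefix):
    """Every account whose capabilities meta grants administrator, read from
    usermeta directly rather than through the wp-admin user list."""
    p = _check_prefix(prefix)
    cur = conn.cursor()
    cur.execute(
        f"SELECT u.ID, u.user_login, u.user_email, u.user_registered "
        f"FROM {p}users u JOIN {p}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = {PH} AND m.meta_value LIKE '%administrator%' "
        f"ORDER BY u.ID",
        (f"{p}capabilities",),
    )
    return cur.fetchall()


def unexpected_admins(conn, prefix, known_logins):
    """Administrators whose login is not in the list you keep offline."""
    return [row for row in list_administrators(conn, prefix) if row[1] not in known_logins]


def accounts_registered_since(conn, prefix, since):
    """Any account created on or after the date the redirects started."""
    p = _check_prefix(prefix)
    cur = conn.cursor()
    cur.execute(f"SELECT ID, user_login, user_registered FROM {p}users "
                f"WHERE user_registered >= {PH} ORDER BY user_registered", (since,))
    return cur.fetchall()


def demo_connection():
    """In-memory SQLite stand-in for the three WordPress tables with constructed
    rows: one legitimate owner, one editor, one hidden admin added on the day
    of the (hypothetical) incident, and options already pointing at the attacker."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_options (option_name, option_value) VALUES
            ('siteurl', 'http://attacker.invalid'), ('home', 'http://attacker.invalid'),
            ('admin_email', 'drop@attacker.invalid');
        INSERT INTO wp_users VALUES
            (1, 'owner', 'owner@example.com', '2019-03-02 10:00:00'),
            (2, 'editor', 'editor@example.com', '2020-06-15 09:30:00'),
            (7, 'wp_support', 'sup@attacker.invalid', '2021-09-09 03:12:44');
        INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
            (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
            (7, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


if __name__ == "__main__":
    db = demo_connection()
    print("before:", fix_site_urls(db, "wp_", "https://example.com", "owner@example.com"))
    print("unexpected admins:", unexpected_admins(db, "wp_", {"owner"}))
    print("new accounts:", accounts_registered_since(db, "wp_", "2021-09-01 00:00:00"))
```

Deleting the rogue user is deliberately left as a manual step: remove its rows from both *_users and *_usermeta, and only after you have checked the plugin and theme files for the code that created it, otherwise it simply comes back.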
Update 11th Sep 2021:
Many of our friends were using the wp-automatic plugin and their sites were redirected. The file process_form.php is vulnerable (we are not going to disclose the vulnerability). Here is a screenshot of the POST request.

This POST request created the malicious WordPress admin mentioned above, the one hidden from the wp-admin panel.
Conclusion:
These are dark days, no denying it, but we have to protect ourselves from the threats and grow our businesses as much as possible. Threats are imminent but hope must stay strong for a better future. You can check our services here.
Thanks for reading.
BBC 🎩