WordPress as a platform is fantastic, and usually its a fairly secure. However, plugins that you use might be a different story. Some plugins are updated on weekly basis, and then there are those that are updated monthly, annually or sometimes are never updated again.
One of our clients runs a very active and informational website. The client had refused to do any updates because they were afraid that it might “break” something on their website. Which is totally understandable. For those of you who do updates on daily basis, sometimes its not a smooth progression and you spend more time troubleshooting the issue than anything else.
Client was hosted on a shared web server, and our firewall had alerted us that the website had been sending a large amount of SPAM. Approximately 200-300 emails per minute. We had immediately disabled the website and had ran a scan on the entire server.
As it turns out their website had been compromised via plugin and had injected itself authorizing use of the server’s mail resources. Upon further investigation the server had not been compromised just the clients website.
Here’s the complete log of what had been infected:
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-includes/ID3/header.php.suspected
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-includes/images/smilies/options.php.suspected
{HEX}php.base64.v23au.184 : /home/user/web/website.com/public_htmlx/wp-includes/images/wlw/object.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/themes/twentyfourteen/inc/inc.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/uploads/2015/ajax.php.suspected
{HEX}php.cmdshell.unclassed.358 : /home/user/web/website.com/public_htmlx/wp-content/uploads/phpini.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/tinymce-advanced/css/test.php.suspected
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/eventON/assets/js/javascript.php.suspected
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/eventON/assets/css/test.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/display-widgets/session.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/shortcodes-ultimate/inc/core/general.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/shortcodes-ultimate/assets/images/player/view.php.suspected
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/business-directory-plugin/vendors/anet_php_sdk/lib/ssl/include.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/business-directory/business-directory-plugin/vendors/anet_php_sdk/tests/AuthorizeNetDPM_Test.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/wordpress-seo/model.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/wordpress-seo/vendor/yoast/api-libs/google/service/Google_BatchRequest.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/wordpress-seo/vendor/yoast/api-libs/class-api-libs.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/wordpress-seo/vendor/yoast/license-manager/samples/sample-theme-functions.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/stop-auto-update/dump.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/search.php.suspected
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/validation/object.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ajax/static/css.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_basic_album/module.nextgen_basic_album.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_pagination/view.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/fs/package.module.fs.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/seo-image/javascripts/css.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/gallery/gal1/thumbs/ajax.php.suspected
Unfortunately, the best we could do is restore from previous backup and perform a plugin update along with wordpress.
Moral of the story is, update your plugins people. And if the plugin is old, we wouldn’t recommend using it.
As the title of this blog states, this short blog is about malware reverse engineering. This seems to be a very popular topic among security experts. The idea of reverse engineering of malware is to find out what weakness did the malware expose on your side (network, operating system, etc).
