Threat actors have been observed using a legitimate but outdated WordPress plugin to surreptitiously backdoor websites as part of an ongoing campaign, Sucuri revealed in a report published last week.
The plugin in question is Eval PHP, published by a developer called flashpixx. It allows users to embed PHP code in the pages and posts of a WordPress site; that code is executed whenever the post is opened in a web browser.
Although Eval PHP has not received an update in 11 years, statistics compiled by WordPress show that it is installed on more than 8,000 websites, with daily downloads jumping from one or two on average since September 2022 to 6,988 on March 30, 2023.
On April 23, 2023 alone, it was downloaded 2,140 times. The plugin has accumulated 23,110 downloads over the past seven days.
GoDaddy-owned Sucuri said it observed that on some infected websites malicious code had been injected into the database's “wp_posts” table, which stores a site’s posts, pages and navigation menu information. The requests originated from three different IP addresses based in Russia.
“This code is quite simple: it uses the file_put_contents function to create a PHP script in the website’s docroot with the specified remote code execution backdoor,” said security researcher Ben Martin.
“Although the injection in question drops a conventional backdoor into the file structure, the combination of a legitimate plugin and a backdoor dropper in a WordPress post allows them to easily reinfect the website and remain hidden. All the attacker has to do is visit one of the infected posts or pages and the backdoor will be injected into the file structure.”
Sucuri said it detected more than 6,000 instances of this backdoor on compromised websites in the last 6 months, and described the pattern of inserting the malware directly into the database as an “interesting new development”.
The attack chain involves installing the Eval PHP plugin on compromised sites and abusing it to establish persistent backdoors in various posts that are sometimes also saved as drafts.
“The way the Eval PHP plugin works, it is enough to save a page as a draft to run the PHP code inside the [evalphp] shortcodes,” Martin explained, adding that the rogue pages are created with a real site administrator as the author, suggesting the attackers were able to successfully log in as a privileged user.
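The two details above (the dropper lives in wp_posts, and a draft is enough to run it) mean a file-integrity scan of the docroot alone misses the persistence mechanism. The following is an added example, not code from Sucuri or the Eval PHP plugin, of a triage check over rows pulled from wp_posts; the sample rows and the function list are constructed for illustration.

```python
import re
from typing import Dict, List

# Rows shaped like the real wp_posts columns (ID, post_status, post_author, post_content).
# These sample rows are constructed for this example; the second one mimics the dropper
# pattern described in the report (a file_put_contents call inside an [evalphp] shortcode).
# In practice, pull candidates with:
#   SELECT ID, post_status, post_author, post_content FROM wp_posts
#   WHERE post_content LIKE '%[evalphp]%';
SAMPLE_WP_POSTS: List[Dict] = [
    {"ID": 1, "post_status": "publish", "post_author": 1,
     "post_content": "<p>Welcome to our site.</p>"},
    {"ID": 2, "post_status": "draft", "post_author": 1,
     "post_content": "[evalphp]file_put_contents(ABSPATH . 'PLACEHOLDER.php', "
                     "'<?php /* constructed */');[/evalphp]"},
    {"ID": 3, "post_status": "publish", "post_author": 2,
     "post_content": "Copyright [evalphp]echo date('Y');[/evalphp]"},
]

# Shortcode bodies; DOTALL so multi-line payloads are captured, IGNORECASE for [EvalPHP].
SHORTCODE_RE = re.compile(r"\[evalphp\](.*?)\[/evalphp\]", re.S | re.I)
# Functions that have no business inside page content: file writers and code/command executors.
SUSPICIOUS_RE = re.compile(
    r"\b(file_put_contents|fwrite|eval|base64_decode|system|exec|shell_exec|passthru|assert)\s*\(",
    re.I,
)


def find_evalphp_posts(rows: List[Dict], include_drafts: bool = True) -> List[Dict]:
    """Return one finding per [evalphp] shortcode, with the risky functions it calls.

    include_drafts=False shows what a scan limited to published posts would miss:
    the report notes that saving a page as a draft is enough to execute the code.
    """
    findings = []
    for row in rows:
        if not include_drafts and row["post_status"] == "draft":
            continue
        for body in SHORTCODE_RE.findall(row["post_content"]):
            hits = sorted({m.group(1).lower() for m in SUSPICIOUS_RE.finditer(body)})
            findings.append({
                "ID": row["ID"],
                "post_status": row["post_status"],
                "post_author": row["post_author"],   # compare against known admin activity
                "functions": hits,
                "severity": "high" if hits else "review",
            })
    return findings
```

Any hit should be cross-checked against the author's login history, since the report notes the rogue pages were created under a legitimate administrator account.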
The development once again shows how malicious actors are experimenting with different methods to maintain their foothold in compromised environments and evade server scans and file integrity checks.
Site owners are advised to secure their WP admin panel and monitor any suspicious logins to prevent threat actors from gaining admin access and installing the plugin.
WordPress removes exploited Eval PHP plugin
The WordPress team has stepped in to remove the derelict Eval PHP plugin from the repository following a report from Sucuri that it was being abused by threat actors to inject malicious backdoors into thousands of websites.
“This plugin was closed on April 26, 2023 and is no longer available for download,” reads a banner message. “This closure is permanent.”
A new report from Ikaroa, a full stack tech company, has uncovered a recent wave of cyberattacks on WordPress sites. Hackers have been exploiting an outdated plugin known as ‘wppb-cd’ to backdoor thousands of websites running the popular content management system.
The attack involves hackers leveraging an outdated version of the ‘wppb-cd’ plugin, which has been superseded by newer versions of the plugin, to inject malicious code into certain files within the website’s underlying infrastructure. This code then allows the hacker to take control of the website, including logging in, editing and modifying content, creating malicious files, and stealing data.
A few security measures, such as enabling two-factor authentication, can help improve the security of WordPress sites and reduce the chances of being hacked. In addition, it is vital that webmasters stay up-to-date on the latest versions of plugins and themes and never use old, outdated code.
Ikaroa has advised users to immediately update WordPress plugins and themes to the latest stable version. Regularly backing up the website and installing additional security layers, such as malware scanning and security plugins, are also highly recommended to prevent unauthorized access and malicious actions.
Users should also take extra precautions if they encounter a version of a plugin or theme different from the ones recommended on WordPress.org, and should always use strong passwords.
It is always important to be vigilant when it comes to cyber security, and this recent attack is a reminder of the importance of always updating plugin and theme software to the latest, safest versions available. With quick action, WordPress users can avoid becoming victims of this latest cyber attack. Through Ikaroa and its vast suite of security products, users can be sure they will remain safe online.