An Attack Platform Infecting WordPress Sites
This entry was posted in General Security, WordPress Security on February 2, 2016 by Mark Maunder 71 Replies
At Wordfence we frequently investigate hacked customer websites as part of an ongoing R&D effort to improve our core scanning engine. Examining hacked sites gives us data on how the attackers gained entry and provides us with visibility on the latest attack tools. It also provides us with signatures we can add to our core scanning engine that improves our ability to detect a hack.
During a recent investigation of a very large infection we found a trove of attack tools that all pointed back to a single “meta” script. This script was only two lines long but provided an attacker with a powerful capability. Once it fully installs itself it provides what we are referring to as an “attack platform”.
We reverse engineered the script and revealed that it was downloading it’s full source code from pastebin.com which is a site where anyone can post any text anonymously. The attacker had posted the source on pastebin and the script would download itself from there and execute. The effect of this is that the initial infection is only two lines long.
The attack platform once fully installed provides an attacker with 43 attack tools they can then download, also from pastebin, with a single click. The functionality these tools provide includes:
- Complete attack shells that let attackers manage the filesystem, access the database through a well designed SQL client, view system information, mass infect the system, DoS other systems, find and infect all CMS’s, view and manage user accounts both on CMS’s and the local operating system and much more.
- An FTP brute force attack tool
- A Facebook brute force attacker
- A WordPress brute force attack script
- Tools to scan for config files or sensitive information
- Tools to download the entire site or parts thereof
- The ability to scan for other attackers shells
- Tools targeting specific CMS’s that let you change their configuration to host your own malicious code
In the case of this infection, the source appears to be a hacking group in Vietnam and one individual within that group.
To provide you with some insight into the powerful capability that this platform provides, we have created a video demonstration where we infect a test virtual machine with the two line meta script and use it to download the tools it provides.
It’s important to note that we did this demonstration inside a clean new virtual machine and included a few tools of our own to prevent further infection and data exfiltration. These include forcing all network traffic from this machine via a proxy so that we can see what is arriving and leaving from this infected test machine.
As you can see, attackers have developed incredibly sophisticated methods and tools to compromise and exploit your website. As a website owner your first priority should be to prevent the attacker from gaining entry to your site. Our WordPress Security Learning Center is a great resource for you to learn more about what actions you should be taking to protect yourself.
Your second priority should be to detect a hack as quickly as possible should one occur. This article on detecting a hack early contains a thorough list of steps you can take to minimize the time from infection to discovery. In addition, we strongly recommend upgrading to Wordfence Premium if you haven’t already. It allows you to schedule scans to run frequently, improving your odds of catching a compromise early.
We hope you have found this demonstration helpful. Please leave your comments below and be sure to share this post with the community.