Updates on CyberSecurity, WordPress and what we're cooking in the lab today.

An Attack Platform Infecting WordPress Sites

This entry was posted in General Security, WordPress Security on February 2, 2016 by Mark Maunder   71 Replies

At Wordfence we frequently investigate hacked customer websites as part of an ongoing R&D effort to improve our core scanning engine. Examining hacked sites gives us data on how the attackers gained entry and provides us with visibility on the latest attack tools. It also provides us with signatures we can add to our core scanning engine that improves our ability to detect a hack.

During a recent investigation of a very large infection we found a trove of attack tools that all pointed back to a single “meta” script. This script was only two lines long but provided an attacker with a powerful capability. Once it fully installs itself it provides what we are referring to as an “attack platform”.

We reverse engineered the script and revealed that it was downloading it’s full source code from pastebin.com which is a site where anyone can post any text anonymously. The attacker had posted the source on pastebin and the script would download itself from there and execute. The effect of this is that the initial infection is only two lines long.

The attack platform once fully installed provides an attacker with 43 attack tools they can then download, also from pastebin, with a single click. The functionality these tools provide includes:

  • Complete attack shells that let attackers manage the filesystem, access the database through a well designed SQL client, view system information, mass infect the system, DoS other systems, find and infect all CMS’s, view and manage user accounts both on CMS’s and the local operating system and much more.
  • An FTP brute force attack tool
  • A Facebook brute force attacker
  • A WordPress brute force attack script
  • Tools to scan for config files or sensitive information
  • Tools to download the entire site or parts thereof
  • The ability to scan for other attackers shells
  • Tools targeting specific CMS’s that let you change their configuration to host your own malicious code

In the case of this infection, the source appears to be a hacking group in Vietnam and one individual within that group.

To provide you with some insight into the powerful capability that this platform provides, we have created a video demonstration where we infect a test virtual machine with the two line meta script and use it to download the tools it provides.

It’s important to note that we did this demonstration inside a clean new virtual machine and included a few tools of our own to prevent further infection and data exfiltration. These include forcing all network traffic from this machine via a proxy so that we can see what is arriving and leaving from this infected test machine.



As you can see, attackers have developed incredibly sophisticated methods and tools to compromise and exploit your website. As a website owner your first priority should be to prevent the attacker from gaining entry to your site. Our WordPress Security Learning Center is a great resource for you to learn more about what actions you should be taking to protect yourself.

Your second priority should be to detect a hack as quickly as possible should one occur. This article on detecting a hack early contains a thorough list of steps you can take to minimize the time from infection to discovery. In addition, we strongly recommend upgrading to Wordfence Premium if you haven’t already. It allows you to schedule scans to run frequently, improving your odds of catching a compromise early.

We hope you have found this demonstration helpful. Please leave your comments below and be sure to share this post with the community.

Did you enjoy this post? Share it!


1.00 (1 vote) Your rating:

71 Comments on "An Attack Platform Infecting WordPress Sites"

Laxmikant Bhumkar February 2, 2016 at 9:43 am • Reply

Another excellent with very curious video evidence. Thanks Mark for this wonderful post.

George February 2, 2016 at 9:50 am • Reply

cool demonstration! thnx!

Tippa Naphtali February 2, 2016 at 9:55 am • Reply

Thank you - this is very helpful and informative.

One of our customers websites was hacked just after Christmas, possibly by the same source, but we managed to regain control fairly quickly with the help of our hosting provider and backup files.

Together with the WordFence plugin we also install the Stop Spammers plugin and have had no further problems since.

Will keep an eye on this!

Many thanks

wfkvme February 2, 2016 at 9:55 am • Reply

You say much about prevention all over this blog, but nothing about cure. Should I discover this infection on one of my sites (I do have WordFence on them all but not Premium on them all) how do I rid the site of it?

Thanks.

Trane Francks February 2, 2016 at 3:23 pm • Reply

"Should I discover this infection on one of my sites (I do have WordFence on them all but not Premium on them all) how do I rid the site of it?"

Unfortunately, there is no bog-simple way of cleaning a site. Once you've determined that a site/account has been hacked, the next step is usually to take the site offline and do a complete forensic analysis of the folder structure within the entire account. It's important to determine the method used to gain access. Literally every file in the account structure should be examined for evidence of tampering. Very often, tampered files will have malicious code injected that is encrypted.

Generally speaking, reinstalling all your CMS core software, themes and plugins from clean, up-to-date sources is a mandatory step. That isn't all there is to it, however, as any backdoor scripts left in a directory can leave access wide open and further exploitation possible. If a backdoor is left on the system, even updating all your software will not prevent further access. As such, it's important to clean everything.

As I often remind our clients at Hardfocus, your job isn't finished once you've installed your CMS. Keeping your software up-to-date is essential. If you're working with standard themes and plugins, you may wish to consider adding lines to your wp-config.php file to enable auto-updating of all your core software, themes and plugins. I do that on my personal sites.

Warmest regards,

trane

wfkvme February 3, 2016 at 6:44 am • Reply

Thanks for putting the time into your extensive response, Trane. I've had to go through those steps many times! Luckily the WordPress community has grown so much that we have extensive plugin offerings in addition to teaching as you provided and prevention via .htaccess, folder rights, etc. server-side. Anyway I don't think my question was clear; I was asking if you are aware of a specific fix for this particular intrusion. Sometimes you guys who make this your business can point to something that it would take me hours to find.

By the way, love your product. I use it on EVERY site I build--at least the free option and preferably the Pro option if the client is smart and not cheap. Thanks for helping us all spare ourselves a ton of work!

Jeff February 2, 2016 at 9:57 am • Reply

Just more really excellent work. If you have wordpress and don't have wordfence, you're kind of on your own. It's gotten to the point that this plugin should be incorporated in the core download of wordpress. I mean, gosh, it comes with "Hello Dolly"???

Fred February 2, 2016 at 10:06 am • Reply

Any tips on how to prevent this attack? Or are you just noting that Wordfence now detects if an infection has occurred?

John_B February 2, 2016 at 10:06 am • Reply

Very interesting presentation. What particular vulnerability is used to get the initial extract script onto the server?

John Teague February 2, 2016 at 10:06 am • Reply

A thorough demonstration of the more broad attack tools hackers are creatimg and deploying today and how quickly those tools can be used to mass infect sites and servers. Thank you Wordfence.

Kirgeves February 2, 2016 at 10:08 am • Reply

Thank you for maybe the most impressive demonstrations I have ever seen!
Does the free version can handle such attack?

Karim February 2, 2016 at 10:08 am • Reply

Thanks for this incredible demo... Very enlightening of how important it is to properly secure and keep our wordpress sites updated and safe using your plugin.

Mike February 2, 2016 at 10:12 am • Reply

Have you identified a common/usual attack vector for injecting the initial meta code?

bux February 2, 2016 at 10:12 am • Reply

Hi
thanks for useful video. I this case, what is better to do? to delete site and database and reinstall all or what?

thank you for your support!
best
Maurizio

Gerhard February 2, 2016 at 10:16 am • Reply

Great insight! Keep up the good work...

Paul Foraker February 2, 2016 at 10:20 am • Reply

Thank you for this. One point you skipped over was a description of how the 2-line file was uploaded to the server in the first place. Is that likely to have been via a plug-in vulnerability?

Al Gates February 2, 2016 at 10:21 am • Reply

Good information for individuals that understand 'code' and can do 'code'. Unfortunately, I understood absolutely nothing about what Mark was talking about. I'm sure I am not the only one that have WordPress sites but do not know the first thing about 'code' and keep our fingers cross that WordPress keeps up to date to how Hackers get into WordPress and develop ways to prevent Hackers from infiltrating WordPress sites. What a constant job this must be. I certainly appreciate their efforts and also Wordfence for bringing this kind of information to the public.Hopefully, WordPress pays attention to this type of information. Good job Wordfence.

Julian February 2, 2016 at 10:28 am • Reply

I recognise some of that, think I've already stripped out some of these from a few client's websites. Keep up the good guys!

Olajide February 2, 2016 at 10:28 am • Reply

Thanks for the update...Every webmaster needs to be aware of this and take necessary actions as soon as possible...The greatest challenge of every Website owner is security threat..
Thanks once again for keeping us updated always wordfence!

Mitch February 2, 2016 at 10:30 am • Reply

Excellent Demo. Will the free Version detect this on our scans?

mark February 2, 2016 at 10:53 am • Reply

Yes it will.

Bonaventura Di Bello February 2, 2016 at 10:35 am • Reply

Hi, may I translate this article and republish it in Italian? I just shared it on my social profiles but of course there's lot of people not speaking English enough to undestand it. Thanks.

mark February 2, 2016 at 10:54 am • Reply

Yes go ahead but please link to the source. Thanks, we appreciate the help getting the message out to the Italian WordPress community.

Bonaventura Di Bello February 2, 2016 at 11:09 am • Reply

Thanks Mark, of course I'll refer to the original source, and link the related post here of course!

Bonaventura Di Bello February 2, 2016 at 11:53 am • Reply

Here it is, for the benefit of non-English-speaking Italian WP users, thanks a lot!

http://www.bonaventuradibello.it/informatica/piattaforma-attacchi-informatici-infettar-siti-wordpress/

Bonaventura Di Bello February 3, 2016 at 6:35 am • Reply

Sorry, the link was wrong, here's the right one, translated for Italian speaking users, feel free to fix it if needed:
<a href="http://www.bonaventuradibello.it/blog/piattaforma-attacchi-informatici-infetta-siti-wordpress/"Una piattaforma di attacchi informatici per infettare i siti WordPress

Eric February 2, 2016 at 10:36 am • Reply

Wow! Scary stuff. Ok so how do we find out if we have been hit by this? Is Wordfence scans looking for this now? Thanks for all your hard work,

mark February 2, 2016 at 10:54 am • Reply

Yes we are.

Bill Fiege February 2, 2016 at 10:45 am • Reply

Good information that makes me sweat. Why? Because I have no idea what the target did in this case that allowed the hackers to invade his site.

Please share how the hackers were able to inject those two lines of code.

mark February 2, 2016 at 10:55 am • Reply

Will try and share more detail about the vector they used to gain entry.

Rick Curran February 3, 2016 at 3:10 am • Reply

Yep, it would be great to know more about how the initial hack was done. I've encountered three sites in the last couple of months that have had this kind of result, in all three cases a user logged straight into the sites using a functional username and password that appears to have been edited outside of WordPress, thankfully I keep a watchful eye on the login notification emails that Wordfence sends out so I noticed these logins fairly quickly. Once the attacker was in they either tried to edit a theme file or upload a plugin via the WP Admin In all three cases.

Would it be possible to discuss the circumstances of these recent hacks to confirm whether you think they are part of the same vulnerability? I've kept copies of some of the files / webshells used by the hackers and also some server logs.

Aaron Toponce February 2, 2016 at 10:45 am • Reply

Please don't link or mention the ad-infested pastebin.com site. You can generically refer to a pastebin, without directing users there.

mark February 2, 2016 at 10:56 am • Reply

Link removed. Excellent suggestion. Thanks.

Beelissa February 2, 2016 at 11:03 am • Reply

I agree with Al Gates about not having a clue about code, at this level at least (I do know some basic HTML and CSS, but not PHP or SQL or whatever kind of code the hackers use).

What I would like to have a better understanding of is this: how does this stuff spread? I can see three possibilities in my limited understanding of how this works. Is it one or more of these and/or something else? 1. The code is injected by hackers into websites individually; 2. The code, once it has infected a website that's on a shared server, can infect other websites on that server; and/or 3. The code, once it has infected a website, travels to the local computers of the site owner or site visitors, and from there can infect other sites that person builds or visits? Am I even close to understanding?

All of you code geeks seem to already understand this, so you don't bother explaining, but it would be really helpful for us code-illiterates to know how this works.

The popularity and ease of use of WP is a blessing and a curse. Blessing that it allows people like Al Gates and I to make websites without knowing how to code, but Curse in that we don't know enough about how to guard against it. I've read about security, and WordFence is a big help, but I still feel like I don't know nearly enough to really protect myself and my clients (one of whom has a site that was built by her previous designer and then hacked after it was left hopelessly out of date).

NetGeek February 3, 2016 at 7:56 am • Reply

I have to agree with Beelissa on most points, but I also understand that my lack of knowledge is my downfall. However, I'd like to ask that someone please help us less technical web designers to understand how to protect ourselves beyond installing the Wordfence plugin...or perhaps even point us in the direction of some help.

Thanks for all the good work you guys do.

Jeff February 2, 2016 at 11:05 am • Reply

Great video. Great content. Thanks for sharing.

Ramnath February 2, 2016 at 11:13 am • Reply

Thanks for the article and spreading awareness. In fact apart from WordFence we are already using a few smart shell scripts for detection and deletion of the meta tag, any suspicious zip file, php files and getting benefited. Many client sites and our sites are saved from possible attacks and subsequent disruption.

Mark Golding February 2, 2016 at 11:17 am • Reply

Sadly I couldn't follow this video. Red text on a black background is impossible to read..

Heather February 2, 2016 at 11:21 am • Reply

Thank you for the work you do. Having cleaned up some hacked WordPress and non-WordPress sites, it's demystifying to see this hacking platform in action. It gives me more authoritative info to translate "down" and explain to clients when I'm recommending security measures and services.

core4 February 2, 2016 at 11:47 am • Reply

hi Guys,
Great video..keep them coming.

Cheers
Dean
core4secured.com

Phil February 2, 2016 at 11:51 am • Reply

HTML sites are looking better by the minute. I'm starting to seriously doubt the value of Wordpress as a basis of any money site. It's depressing that I have to spend significant money to others to protect my sites from script kiddies that have nothing better to do than hack Wordpress sites. Is hacking Wordpress sites a paying proposition? Is it a career that you can retire from with money in your retirement account?

Gilzow February 2, 2016 at 11:53 am • Reply

Perhaps I missed it, but I'm not seeing where you discussed/revealed the initial entry vector for this particular infection. standard vulnerable plugin?

Marcelo February 2, 2016 at 12:01 pm • Reply

Very interesting techniques. But are them using any specific vulnerability to infiltrate the sites? I've seen on some logs that they use to scan looking for a bunch of weak plugins and themes, which give the clue of what components avoid in our sites.

BTW, disclosing those plugins and themes names may be dangerous too, because it may raise awareness within other hack teams, right?

Paul February 2, 2016 at 12:27 pm • Reply

Hi Mark,
Great video, thanks for sharing!
What is the goal or incentive of these attacks other than infecting the site and attempting to spread the infection? Do they send spam to the users in the DB and/or try credentials on other (payment?) sites?

Cheers!

mark February 2, 2016 at 12:32 pm • Reply

We'll try to cover this in a future post. Thanks for the feedback Paul.

Walter February 2, 2016 at 12:41 pm • Reply

Thanks for the update Mark.

Victor February 2, 2016 at 12:57 pm • Reply

WordPress sites seem to be attacked more and more, or at least targeted. Wordfence has made my life easier, thank you for creating such a useful tool!

Jacobus February 2, 2016 at 2:11 pm • Reply

Good you guys are here, but personally I still wonder what drives these people to create all this mess. Is it all that fun to create chaos?

Damien February 2, 2016 at 2:13 pm • Reply

Can you report the pastebins involved and request that they are removed?

mark February 2, 2016 at 2:27 pm • Reply

Do pastebin do that? Remove malicious code? If so we can certainly run it through burp suite again and get that taken care of. Good idea.

Tim Dini February 2, 2016 at 3:40 pm • Reply

This represents another smart reason to use Wordfence! Thank you for protecting my sites with your expertise.

Also, what's up with the images of dragons and such on the tool pages? The creators of these scripts seem to be very young.

Mark Klinefelter February 2, 2016 at 4:37 pm • Reply

Superb work guys! Great gumshoe detective work and the video was an eye opener. Only if these idiots would put their intelligence to the common good instead of evil.

Jamaluddin Rahmat February 2, 2016 at 6:40 pm • Reply

Wow...

Thank for the information and superb video.
Update to WordPress to 4.4.2

Sam February 2, 2016 at 8:55 pm • Reply

How interesting. Thanks for showing us the other side of this game...I'm intrigued by these fake 404 pages!

Vitor February 3, 2016 at 1:47 am • Reply

Great intro video! Hope you continue to treat us with this kind of revealing tips, this was a true eye-opener!
Strangely I feel how a platform like this could actually be usable for better purposes (like troubleshooting a system when you don't have SSH access for example) instead of such wrongful purposes.

Mike A February 3, 2016 at 1:58 am • Reply

Great work and a very interesting (if scary!) watch. I have a question about clearing up infected sites in general - how reliable are file modification dates as a guide to what's been altered? Is there any way hackers can forge these on a linux/apache setup, or is it pretty much locked down in the OS? Thanks.

Laurentiu Nica February 3, 2016 at 1:58 am • Reply

All my website from the server are compromised. The virus injected files like index123.php, malicious code in files, and now change permission from 644 to 600 to all js files from server. I change passwords, reinstall wordpress, themes, plugins... I don't know what to do next... :(

John T February 3, 2016 at 2:07 am • Reply

Great article and video. Extremely informative. I'm extremely interested how the initial 2 line code was injected into the site in the first place. I completely understand how the sequence of events unfolded following this but, could you explain how the ball started rolling on this?

Was it injected into the site via a comment or post? Or was it just something accidentally run by the site admin?

This would be extremely useful info in others preventing these kind of attacks from getting up and running. Thanks

Paul February 3, 2016 at 2:16 pm • Reply

I'll list a few ways this malware gets on your site, but you should read around on this topic.
Pirated plugins - you upload the malware yourself and it calls home.
Outdated plugins - various reasons.
File uploads - if your site allows them, but new versions of WP are secure.
Comments - can inject malicious code. Use Aksimet, authorize comments, or completely turn comments off if you don't need them.
Weak admin password - automated scripts try to login repeatedly. If you use a foreign language, make your password include foreign characters (WP supports them). If english, use atypical characters lie *&$*#() in your password.

Previsha February 3, 2016 at 2:55 am • Reply

Thanks for this interesting article. It was nice to see how hackers get into system and what it looks like. This was very insightful and keeps us aware that everything on our wordpress website needs to be checked.

Ravi Srivastava February 3, 2016 at 3:08 am • Reply

Good demonstration.Valuable information. Thanks a lot

fauzy February 3, 2016 at 7:26 am • Reply

Hello mark..,may I re-publish this article in Indonesian? included a link to the original source

mark February 3, 2016 at 9:24 am • Reply

Yes fauzy, please go ahead. Thanks.

Tamara February 3, 2016 at 7:52 am • Reply

Thank you for this info. I've had very strange activity on my site and think I may have the issue you describe (or something similar). I have Wordfence premium and see the strange activity by checking the logs. I had two of my pages looking like a jumbled mess a while back, but fixed them with a restore from backup files. Apparently, that only fixed them aesthetically.

Where exactly do I look for evidence of something like this and what do you recommend I do when I find it?

Angel Navarro February 3, 2016 at 11:09 am • Reply

Great demonstration on the capabilities and the length that these hackers will go to hack websites. The amount of damage that they can inflict on a website with these tools seems easy and efficient. Also, its always shady characters that are up to these activities, as you can see by the images in their programs.

Paul February 3, 2016 at 2:34 pm • Reply

I think you'd be boasting their ego by calling them hackers. They're script kiddies that learned how to run shells. The tools shown in the video do not require much knowledge and other tools are automated bots running via proxies. Its like owning pack of rats. You don't really need to know their anatomy, you just know that they'll automatically reek havoc if you let them inside someone's house.

As mentioned by someone above, I think it is getting very tiring having to take care of WP sites as if they were toddlers. WFence is a huge help in doing this, but I think WP has come to a point where the functionality is very vast and the developers should brainstorm a way to deter malicious attacks in the core. IMO, they could start by thinking of a way to mask the fact that sites are running WP, so that robots cannot identify them as such and make their search more complicated.
Malicious attacks will not go away. We can only think of ways to fool 'em.

Prakhar Rudra February 5, 2016 at 9:36 am • Reply

Hi,
Awesome post ! I would greatly appreciate any response to the following questions.

1) How good is clamav + sanesecurity scanning at finding these type of attacks ? I was thinking of inotify based monitoring of those directories.
2) What about a periodic process privilege scanner tool which sends scan log as text to an offsite address ?
Idea behind this is, the attacker will have to do some trick to raise / start a privileged process.

Thanks and regards.
rudra

Nadir Latif February 5, 2016 at 10:20 am • Reply

WordPress is a great platform for developing applications but it has security issues. Security issues like the one described in this article have become common and will affect the popularity of WordPress

mark February 5, 2016 at 11:14 am • Reply

All network connected products, be they operating systems, content management systems, web servers, SSL libraries, routers, or tea kettles have security vulnerabilities. If it's more popular you're going to see more vulnerabilities disclosed and fixed. For example, you should take a look at how many security fixes Oracle releases every month - there is a joke in the industry that their core business is switching to security patch release vendor.

WordPress powers 25% of the web so it's by default going to be targeted by 25% of all attacks on websites and at least 25% of all research into web platform vulnerabilities. If you look at it in a vacuum it's easy to think that it must just be 'insecure' and you should rather use something else. But the reality is that the alternative piece of software you're considering has plenty of it's own vulnerabilities. It just doesn't get as much attention. As Linus Torvalds once said: With enough eyes, all bugs are shallow. The problem is that with enough eyes, all shallow bugs are revealed - and with open source software that reveal happens in the public eye.

We use WordPress here on our own site. I'd recommend you stick with it and develop a well thought out security policy with the right tools and procedures to protect yourself against the inevitable attack. Thanks for your comment.

Michael DeMutis February 5, 2016 at 10:49 am • Reply

Not sure if anyone asked but that toolkit is very interesting. Where can I get that to take a look at it for myself? We've recently been infected as well, and now my maldet scanner will not work. They've done something that is blocking it from updating or running a scan. I've even tried recompiling it from source. Looking like the server needs to be rebuilt.

Private April 11, 2016 at 12:46 am • Reply

Within 2 minutes of signing up with Wordpress the other day, I got hit by something coming from San Francisco. It tried to set up a network with me, and came from some automobile shop.

Leave a Reply

Get the latest WordPress security updates and news

Sign up for WordPress security alerts, Wordfence product updates and security news via email.