Posted on April 25, 2023 at 6:43 AM
Hackers use an outdated WordPress plugin to backdoor websites in an ongoing campaign
Hackers have been found abusing a legitimate but long-outdated WordPress plugin to backdoor websites in an ongoing campaign. The activity was reported by Sucuri last week.
Hackers use outdated WordPress plugins to backdoor websites
The WordPress plugin named in the report is Eval PHP. Created by a developer known as flashpixx, it lets a user embed PHP code in the pages and posts of a WordPress site. The embedded code executes each time the post or page is opened in a web browser.
The Eval PHP plugin is one of the oldest tools on WordPress. However, the developer has not issued an update for the plugin in 11 years. Despite the lack of updates, the plugin has been installed on over 8,000 websites.
The Eval PHP plugin remains widely used by WordPress users. Its download count rose sharply from one or two per day in September last year to an average of 6,988 on March 30, 2023. On April 23 alone, the plugin was downloaded over 2,000 times.
The Eval PHP plugin has been downloaded 23,110 times in the last seven days. The increased usage poses a significant risk to website owners and users, and it gives the hackers a large attack surface from which to launch their malicious campaigns.
The recent report by Sucuri noted that on some of the affected websites the malicious code had been injected directly into the database, in the “wp_posts” table, which stores a site's posts, pages, and navigation menu items. The requests that injected the code appear to have come from three different IP addresses in Russia.
The Sucuri report said, “It’s not exactly a new backdoor, however; more conventional PHP backdoors of this variety were found as early as last summer, and over 6,000 instances of this backdoor were cleaned from compromised sites in the last six months alone. However, the backdoor being injected into the database is certainly a new and interesting development.”
Hackers used a simple code
Security researcher Ben Martin at Sucuri said that the code used by the hackers was quite simple. It calls PHP's file_put_contents function to write a PHP script containing the specified remote code execution backdoor into the document root of the website.
The researcher further said the injection drops a conventional backdoor into the file structure. From then on, the combination of a legitimate plugin and a backdoor dropper stored inside a WordPress post lets the hackers easily reinfect the website and remain hidden within the system.
The attack itself is not complicated either. The hacker only needs to visit one of the infected pages or posts, after which the backdoor is written into the file structure. The Sucuri report noted more than 6,000 instances of this backdoor found on compromised websites over the last six months.
The report described the pattern of storing the malware in the database as a “new and interesting development.” The attack chain begins with the hackers installing the Eval PHP plugin on the compromised websites. The attackers then misuse the plugin to create persistent backdoors across different posts, some of which are saved only as drafts on the WordPress site.
The security researcher further explained how the plugin works and what makes it attractive to attackers. Because of the way the plugin operates, simply saving a page as a draft is enough to execute the PHP code inside the evalphp shortcodes. Martin also noted that the rogue pages were created with a real site administrator as the author, which suggests the attacker was able to sign in to the site as a privileged user.
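The detection angle that follows from the report is to look in the wp_posts table itself, including drafts, rather than only on disk. The script below is an added example, not code from the article or from Sucuri: it builds a constructed wp_posts table in SQLite (the rows, IDs and paths are made up), finds posts that carry the plugin's shortcode (the [evalphp]...[/evalphp] tag form is assumed from the plugin's documented syntax), and flags payloads that contain file-writing or code-execution calls such as file_put_contents. The indicator list is an assumption chosen for triage, not a signature from the report.

```python
import re
import sqlite3

# Constructed sample of a WordPress wp_posts table (not real site data).
# Post 3 mimics the dropper pattern described in the article: a draft whose
# evalphp shortcode writes a PHP file into the document root.
SAMPLE_POSTS = [
    (1, "publish", "About us", "<p>Welcome to our site.</p>"),
    (2, "publish", "Contact", "[evalphp] echo date('Y'); [/evalphp]"),
    (3, "draft", "Untitled",
     "[evalphp] file_put_contents($_SERVER['DOCUMENT_ROOT'].'/wp-includes/x.php', "
     "base64_decode('PD9waHA=')); [/evalphp]"),
    (4, "draft", "Notes", "<p>Ideas for next post</p>"),
]

# Assumed triage indicators: functions whose presence inside an evalphp payload
# points to a dropper or remote-code-execution capability rather than a
# harmless template snippet.
DROPPER_INDICATORS = (
    "file_put_contents", "fwrite", "fopen", "eval", "base64_decode",
    "system", "exec", "shell_exec", "passthru", "$_GET", "$_POST", "$_REQUEST",
)

# Shortcode tag form assumed from the plugin's documented syntax.
SHORTCODE_RE = re.compile(r"\[evalphp\](.*?)\[/evalphp\]", re.IGNORECASE | re.DOTALL)


def build_sample_db():
    """Create an in-memory stand-in for wp_posts with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER, post_status TEXT, "
        "post_title TEXT, post_content TEXT)"
    )
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?,?)", SAMPLE_POSTS)
    return conn


def find_evalphp_posts(conn):
    """The query a defender would run on a real wp_posts table.
    Deliberately no post_status filter: drafts execute the shortcode too."""
    return conn.execute(
        "SELECT ID, post_status, post_title, post_content FROM wp_posts "
        "WHERE post_content LIKE '%[evalphp]%'"
    ).fetchall()


def extract_payloads(content):
    """Return the PHP code between each pair of evalphp tags."""
    return [m.strip() for m in SHORTCODE_RE.findall(content)]


def indicators_in(payload):
    """List which dropper/RCE indicators appear in a payload."""
    return [ind for ind in DROPPER_INDICATORS if ind in payload]


def triage(conn):
    """Produce one finding per shortcode payload, with a verdict for review."""
    findings = []
    for post_id, status, title, content in find_evalphp_posts(conn):
        for payload in extract_payloads(content):
            hits = indicators_in(payload)
            findings.append({
                "post_id": post_id,
                "status": status,
                "title": title,
                "indicators": hits,
                "verdict": "likely backdoor dropper" if hits else "review manually",
            })
    return findings


if __name__ == "__main__":
    for finding in triage(build_sample_db()):
        print(finding)
```

Against the constructed data, post 2 is reported for manual review (it contains the shortcode but no risky calls) and draft post 3 is flagged as a likely dropper because of file_put_contents and base64_decode. On a live site the same query runs against the real wp_posts table, and any hit authored by an administrator account deserves a look at that account's recent logins.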
This development illustrates how threat actors keep exploring new methods to maintain their hold on compromised environments while evading server-side scans and file integrity monitoring.
The owners of these websites have been urged to harden the WP Admin dashboard with appropriate security measures and to watch for suspicious logins to their sites. Staying vigilant and proactive helps avoid falling victim to such attacks, and monitoring for this activity can stop hackers before they obtain admin access and install the plugin.