Antivirus supplier Dr. Web has discovered malware targeting WordPress sites running on Linux. The malware consists of two variants and can carry out attacks using outdated plugins. The first variant, Linux.BackDoor.WordPressExploit.1, targets both 32-bit and 64-bit versions of the open-source operating system. Linux.BackDoor.WordPressExploit.1 is a backdoor controlled remotely by malicious parties. At their command, it can perform the following actions:
- Attack a specific web page (website);
- Switch to standby mode;
- Shuts itself off;
- Pause logging his actions.
“If sites use outdated versions of such plugins that are missing critical fixes, the targeted web pages are injected with malicious JavaScripts,” Russian security vendor Doctor Web said in a report published last week. “As a result, when users click on part of an attacked page, they are redirected to other sites.” The attacks list known vulnerabilities in 19 different plugins and themes installed on a WordPress site. It is also capable of injecting JavaScript code retrieved from a remote server to redirect site visitors to an arbitrary attacker’s website. Doctor Web says it has discovered a second version of the backdoor, which uses a new command-and-control (C2) domain, as well as an updated flaw list that includes 11 additional plugins, bringing the total to 30. The new list of plugins and themes are below – Please note: no versions are listed. So always make sure that you use the latest version of the plugins and themes.
- WP Live Chat Support
- Yuzo Related Posts
- Yellow Pencil Visual CSS Style Editor
- EasyWP SMTP
- WP GDPR Compliance
- Newspaper (CVE-2016-10972)
- Thim Core
- Smart Google Code Inserter (discontinued as of January 28, 2022)
- Total Donations
- Post Custom Templates Lite
- WP Quick Booking Manager
- Live Chat with Messenger Customer Chat by Zotabox
- Blog Designer
- WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)
- WP-Matomo Integration (WP-Piwik)
- ND Shortcodes
- WP Live Chat
- Coming Soon Page and Maintenance Mode
- Hybrid
- Brizy
- FV Flowplayer Video Player
- WooCommerce
- Coming Soon Page & Maintenance Mode
- Onetone
- Simple Fields
- Delucks SEO
- Poll, Survey, Form & Quiz Maker by OpinionStage
- Social Metrics Tracker
- WPeMatico RSS Feed Fetcher, and
- Rich Reviews
Both variants are said to include an as-yet-implemented method to brute-force WordPress administrator accounts, although it is unclear whether this is a remnant from an earlier version or a feature that has yet to see the light of day. “If such a feature is implemented in newer versions of the backdoor, cybercriminals will be able to successfully attack even some of those websites that use current plugin versions with patched vulnerabilities,” the company said. WordPress users are advised to continue to perform proper maintenance, core updates including third-party plugins and of course themes, and to use strong and unique logins and passwords to secure accounts. The revelation comes just weeks after Fortinet FortiGuard Labs disclosed another botnet called GoTrim, which is designed to brute-force self-hosted websites running the WordPress content management system (CMS) and take control of the targeted systems. Two months ago, Sucuri found that over 15,000 WordPress sites had been compromised as part of a malicious campaign to redirect visitors to fake QA portals. The number of active infections currently stands at 9,314. Sources: Read the English article by Doctor Web hereRead more about Linux.BackDoor.WordPressExploit.1 here Read more about Linux.BackDoor.WordPressExploit.2 here
