Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Hundreds of WordPress Sites Infected By Recently Discovered Backdoor (arstechnica.com) 32

Malware that exploits unpatched vulnerabilities in 30 different WordPress plugins has infected hundreds if not thousands of sites and may have been in active use for years, according to a writeup published last week. Ars Technica reports: The Linux-based malware installs a backdoor that causes infected sites to redirect visitors to malicious sites, researchers from security firm Dr.Web said. It's also able to disable event logging, go into standby mode, and shut itself down. It gets installed by exploiting already-patched vulnerabilities in plugins that website owners use to add functionality like live chat or metrics-reporting to the core WordPress content management system. "If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts," Dr.Web researchers wrote. "As a result, when users click on any area of an attacked page, they are redirected to other sites."

Searches such as this one indicate that more than 1,300 sites contain the JavaScript that powers the backdoor. It's possible that some of those sites have removed the malicious code since the last scan. Still, it provides an indication of the reach of the malware. "If one or more vulnerabilities are successfully exploited, the targeted page is injected with a malicious JavaScript that is downloaded from a remote server," the Dr.Web writeup explained. "With that, the injection is done in such a way that when the infected page is loaded, this JavaScript will be initiated first -- regardless of the original contents of the page. At this point, whenever users click anywhere on the infected page, they will be transferred to the website the attackers need users to go to." The researchers found two versions of the backdoor: Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2. They said the malware may have been in use for three years.

This discussion has been archived. No new comments can be posted.

Hundreds of WordPress Sites Infected By Recently Discovered Backdoor

Comments Filter:
  • by Anonymous Coward

    "HUNDREDS IF NOT THOUSANDS" is still a drop in a bucket for wordpress.

    But don't let that stop the calls for all of us to RUN AROUND, SCREAM AND SHOUT!!!1!

    Funny how wordpress is built upon an interpreted language with a devoted following of apologists and yet somehow wordpress installations keep on springing leaks. Even if the total numbers of affected sites per plugin are low. "Hundreds if not thousands of sites" took 30 different plugins this time. Methinks the sheer number of plugins available for wordp

    • by xevioso ( 598654 )

      Anyways, back in the real world, the very large WP site I manage doesn't use any of these plugins; we update all of our plugins weekly with every patch, and have no issues.

      • by sjames ( 1099 )

        THIS! It's not like it's hard to keep the plugins up to date.

        • Re: (Score:3, Insightful)

          by Joce640k ( 829181 )

          Assuming your plugins get updated.

          • by sjames ( 1099 )

            It's right in the summary, all of the relevant plugins have updates that fix the vulnerability.

        • by EvilSS ( 557649 )
          It’s sometimes hard to convince the “If it ain’t broke don’t fix it” crowd that their shit is broke and that’s why there are patches. Too many see it as a badge of honor that they never patch anything.
      • It's very easy to keep a site stable with no traffic.

  • by PPH ( 736903 ) on Wednesday January 04, 2023 @11:11PM (#63181214)

    Disable JavaScript.

    • Right, easy! As long as you're literally the *only* user of the web site.

      • by PPH ( 736903 )

        Slashdot seems to work pretty well without JavaScript. And I'm pretty sure I'm not the only user here.

        • What does that have to do with WordPress back doors? Just because YOU disable JavaScript, doesn't mean the back-door abusers will disable JavaScript.

    • by bobby ( 109046 )

      Disable JavaScript.

      That's what I said in my very first post here 25-ish years ago. I still say it, and try to disable javascript as much as possible.

      I don't hate the idea of client-side processing, but imho it's way overused, ends up increasing network traffic, rather than reducing it.

      For sure one great use of javascript is where you want to update something on a page without reloading the entire page.

      Use cases like that are great. But looking at what's being done, (ever look at a "wix" site's source? you might puke), and

  • by Tony Isaac ( 1301187 ) on Thursday January 05, 2023 @12:37AM (#63181280) Homepage

    My .NET website regularly gets hit with requests to URLs like /wp-admin and /wp-content and other WordPress paths. Since it's a .NET site, these always return 404.

    If my little-known site gets hit by these crawlers, it's hard to imagine how many times bigger sites are bombarded.

    • by gweihir ( 88907 )

      It is probably just complete IPv4 scans, so you get the same as everybody. They are not hard to do. I simulated that about 15 years back and came up with something like 10 days. With faster last-mile speeds, the number had gone down. BTW, IPv6 only partially prevents this, it depends on how your IP is chosen from the range you get.

  • I Ditched Wordpress (Score:5, Interesting)

    by DewDude ( 537374 ) on Thursday January 05, 2023 @12:56AM (#63181290) Homepage

    I found a theme that installed a cronjob. I immediately ditched Wordpress. You don't have to worry about malicious plugins with a static site.

    • Comment removed based on user account deletion
      • by DewDude ( 537374 )

        I'm aware of those scripts. This was not one of them. Wordpress cronjobs don't encrypt their contents and call skechy looking servers.

      • by bobby ( 109046 )

        As noted above, I've been admin for a few WordPress sites and I just double-checked, no WordPress cron jobs.

        Do you know any names?

        cron.daily, weekly, monthly, ??

    • Not trying to make excuses, but on my installs, WP wouldn't be able to set a cron because it doesn't have permissions.

  • by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Thursday January 05, 2023 @05:42AM (#63181570)

    ... backdoored by some n00by plugin built by someone who shouldn't be let near a keyboard, let alone a public repo.

    We're all gonna die! ...

    There is an epic army of people guarding and maintaining the WP ecosystem that has an installbase that dwarfs anything else. Conservative estimates clock 40+ million active installations of WP. Roughly a third of the web. Entire global package filter networks are built around tracking and shutting down WP exploits - which, btw. are actually quite very rare. Way more rare that some "professional" enterprise behemoth with a meager base of a few thousand installations.

    Bottom line:
    Everyone Chill. These exploits surface and are communicated so quickly precisely because there are a hundred thousand eyes observing.

    • while I agree with your advice to everyone to "chill out" and may have miss read the intent of your post as it is early and I have yet to have any coffee I would like to point out a tiny fact hat you seem to have overlooked

      from the summary;

      They said the malware may have been in use for three years.

      So in this case your claim that

      These exploits surface and are communicated so quickly precisely because there are a hundred thousand eyes observing.

      is in this case wrong as the

      "...epic army of people guarding and maintaining the WP ecosystem ..."

      failed in thier task of guarding the WP ecosystem

  • Literally nice post but can you check my website is that infected or not........

    . [clavick.com]

    https://clavick.com/convention... [clavick.com]

  • by coofercat ( 719737 ) on Thursday January 05, 2023 @08:10AM (#63181754) Homepage Journal

    It feels to me like there's something to be said for splitting WP in half. One half does the rendering, the other half does the admin. That way, plugins also get split in half, and the dangerous half (that's got it butt hanging out in the wild) might well mess up rendering, but can't install a botnet or modify the content itself.

  • WooCommerce is on the list of compromised plugins. WooCommerce is used by millions. And then only 100s of infected websites? That's impressive.
  • How does this Linux malware initially infect the machine?
  • Anything goes for the front page these days. If someone successfully gets a cat video on the front page, we can just call it quits.

  • The more complicated you make something, the easier it is to break ...every single time.

The 11 is for people with the pride of a 10 and the pocketbook of an 8. -- R.B. Greenberg [referring to PDPs?]

Working...