WordPress Sites Backdoored, Leaking Credentials

Blog, Security Share this post


Researchers at Zscaler on Thursday said that the backdoor code implanted on the sites awakens when a user inputs login credentials

“The credentials are encoded and sent to an attacker website in the form of a GET request,” said researchers Sameer Patil and Deepen Desai.

Zscaler said it has identified one command and control domain, conyouse[.]com where the credentials are being sent. The researchers also released a partial list of compromised WordPress sites:

  • shoneekapoor[.]com
  • dwaynefrancis[.]com
  • blissfields[.]co[.]uk
  • avalineholding[.]com
  • attherighttime[.]net
  • bolsaemprego[.]ne
  • capitaltrill[.]com
  • blowdrybar[.]es
  • espada[.]co[.]uk
  • technograte[.]com
  • socalhistory[.]org
  • blissfields[.]co[.]uk
  • glasgowcontemporarychoir[.]com
  • sombornefp[.]co[.]uk
  • reciclaconloscincosentidos[.]com
  • testrmb[.]com
  • digivelum[.]com
  • laflordelys[.]com

“When unsuspecting users attempt to login to one of the compromised WordPress sites, they are served injected JavaScript code as part of the login page,” Patil and Desai wrote. The malicious JavaScript is hosted on the C&C site, the researchers added, and is present in a file called wp.js.

“The form containing the username and password input box has a fixed name as loginform in all WordPress sites,” the researchers said. “The preventDefault event method is used to cancel the submit event for loginform entity and execute the alternate code which is present in this file. The login credential string is serialized and encoded in a Base64 format.”

Zscaler said it has not been able to determine the initial attack vector in this campaign.

“It is extremely important for the site administrators to keep their WordPress sites patched with the latest security updates,” the report said.

That message has extra meaning this week, which is slowly becoming a typical week for WordPress sites. Vulnerabilities were discovered and patched in two ecommerce plugins, eShop and TheCartPress, that put data sent through the two programs at risk.

EShop is a shopping cart plugin that has been downloaded 600,000 times, but has not been updated in two years. Researchers at High Tech Bridge discovered a validation vulnerability in the plugin’s HTTP cookie, putting user-supplied input in jeopardy.

TheCartPress, meanwhile, providers merchants with a shopping cart, catalog, and other ecommerce functionality. It suffered from a cross-site scripting vulnerability that put personal information at risk.

Another XSS issue was also found in Genericons, an icon package used by the Jetpack plugin and TwentyFifteen WordPress theme.

These issues surfaced less than two weeks after a zero-day vulnerability was disclosed and subsequently patched in the WordPress core engine, a rarity for WordPress security issues.

The vulnerability allowed for malicious JavaScript to be stored in comment fields of WordPress sites and executed server-side; the bug was patched in version 4.2.1.


About the Author

Wordpress Developer, Security Consultant, Blogger. Works in Edmonton Alberta Canada.

Leave a Reply

Your email address will not be published. Required fields are marked *