WordPress users endangered by Trojanized plugins


WordPress users endangered by Trojanized plugins

Postby sathish.k » Thu Jun 23, 2011 4:22 am

"WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors," explained Matt Mullenweg. "We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory."

If you use the WordPress platform and have updated one of these plugins in the past two days, you are at risk. You have to upgrade them again - WordPress has pushed out their new, safe versions.

Also, if you have an account on WordPress.org, bbPress.org and/or BuddyPress.org, don't be surprised to find a reset password message the next time you log into your account.
Thanks & Regards,
Sathish

Re: WordPress users endangered by Trojanized plugins

Postby sathish.k » Wed Jul 06, 2011 1:42 am

WPtouch
[image: wptouch.png]

This backdoor is using some advanced PHP tricks. It’s masked as an if statement. It uses a regex to extract two values from a particular COOKIE value and it uses one of these values as a function and the other one as a parameter to that function.

W3 Total Cache

[image: w3-total-cache.png]

This backdoor is taking advantage of the assert PHP function. Usually, this function is used for debugging to evaluate whether a statement is true or not and act accordingly. It’s a little-known fact that assert can be used to execute PHP code. This trick is used by the attacker to execute code from the X_FORWARD_FOR header value. Notice that this is not the usual X_FORWARDED_FOR header used when dealing with proxies.

AddThis
[image: addthis.png]

Again, the assert trick was used to gain PHP code execution. This code was placed at the end of a very long array initialization and it was pretty hard to spot if you didn’t have word-wrapping enabled.

WP-phpmyadmin

Another plugin was also backdoored lately. The plugin is named WP-phpmyadmin and unfortunately nobody is maintaining this plugin anymore. Therefore the guys from WordPress removed this plugin from their plugin directory. If you are running that plugin, you should delete it immediately.
This time the injected code was not particularly clever, just a basic eval on user input. You can find the code below.
[image: WP-phpmyadmin.png]

In conclusion, we can see that attackers are getting more and more sophisticated while their backdoors are becoming increasingly stealthy and adept. There have been more security intrusions this year than in the past 3 years combined!
Thanks & Regards,
Sathish
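Added example (not part of Sathish's post, and not code from the WordPress team or the affected plugins): a small Python scanner that flags the three backdoor idioms the post describes in PHP source, namely eval() or assert() fed from request data, and a variable function call ($name(...)) of the kind the WPtouch cookie trick ends in. The PHP snippets it scans are constructed here to mirror the descriptions, not copied from the screenshots; the cookie, header and parameter names in them are assumptions. Going a little beyond the post, it also flags eval()/assert() whose argument is wrapped in a decoder such as base64_decode(), and it reports a column offset so that a call hidden at the end of a very long line (the AddThis case) is still easy to locate.

```python
"""Grep-style static scan of PHP source for the backdoor idioms discussed above:
eval()/assert() over request data, decoder-wrapped eval()/assert(), and variable
function calls ($name(...)).  Added example, not code from the original post."""
import re

# Hypothetical sample snippets, constructed to mirror the post's descriptions.
# They are NOT the real injected code (the post only shows that as screenshots);
# cookie/header/parameter names are assumptions.
SAMPLES = {
    # WPtouch-style: regex over a cookie, one capture used as the function name
    "cookie_variable_function": (
        "<?php\n"
        "if (preg_match('/^(\\w+)\\|(.*)$/', $_COOKIE['wp_sess'], $m)) "
        "{ $f = $m[1]; $f($m[2]); }\n"
    ),
    # W3 Total Cache-style: assert() over a request header (PHP exposes headers
    # through $_SERVER['HTTP_<NAME>'])
    "assert_header": "<?php\nassert($_SERVER['HTTP_X_FORWARD_FOR']);\n",
    # AddThis-style: assert() buried at the end of a very long array literal
    "assert_in_long_array": (
        "<?php\n$o = array("
        + ", ".join(f"'k{i}' => 'v{i}'" for i in range(200))
        + ", 'z' => assert($_REQUEST['q']));\n"
    ),
    # WP-phpmyadmin-style: plain eval on user input
    "eval_input": "<?php\neval($_REQUEST['cmd']);\n",
    # Legitimate code touching the same functions; must produce no findings
    "benign": (
        "<?php\nassert(is_array($options));\n"
        "$theme = $_COOKIE['theme'];\npreg_match('/^(\\w+)$/', $theme, $m);\n"
    ),
}

SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES|ENV)\b")
DECODER = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
EVAL_LIKE = re.compile(r"\b(eval|assert)\s*\(")
# "$f(", "$m[1](" etc.: PHP calls the function whose name is held in the variable
DYNAMIC_CALL = re.compile(r"\$\w+(?:\[[^\]\n]*\])*\s*\(")


def _call_argument(src, start):
    """Text between the '(' at src[start] and its matching ')', ignoring
    parentheses inside single- or double-quoted strings."""
    depth, i, quote = 0, start, None
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1            # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
        i += 1
    return src[start + 1:]        # unbalanced call: take the rest of the file


def scan_php(src):
    """Return a list of findings {rule, line, col, snippet} for one PHP source."""
    findings = []

    def add(rule, pos, snippet):
        line = src.count("\n", 0, pos) + 1
        col = pos - src.rfind("\n", 0, pos)     # 1-based column on that line
        findings.append({"rule": rule, "line": line, "col": col,
                         "snippet": snippet[:60]})

    for m in EVAL_LIKE.finditer(src):
        arg = _call_argument(src, m.end() - 1)  # m.end()-1 is the '('
        if SUPERGLOBAL.search(arg) or DECODER.search(arg):
            add(m.group(1) + "-on-untrusted-input", m.start(),
                m.group(0) + arg + ")")
    for m in DYNAMIC_CALL.finditer(src):
        add("variable-function-call", m.start(), src[m.start():m.start() + 60])
    return findings


def scan_samples():
    """Scan every constructed sample; returns {sample name: findings}."""
    return {name: scan_php(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  line {f['line']} col {f['col']}: {f['rule']}  {f['snippet']!r}")
```

Run it over a plugin directory by feeding each .php file to scan_php(). It is deliberately a text scan, not a PHP parser: it will also flag a commented-out eval(), and it will not follow data through intermediate variables, so treat its output as a list of places to read by hand, not a verdict.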
