Updated on 2023-01-05: New WordPress backdoor
Dr.Web researchers have found a new exploit tool designed to attack WordPress sites, infect them with a backdoor, and then inject malicious scripts in their codebase. The malware targets vulnerabilities in more than 30 WordPress themes and plugins and exclusively targets Linux-based servers. Read more: Linux backdoor malware infects WordPress-based websites
Updated on 2023-01-02: Linux Malware Exploits Flaws in Multiple WordPress Plug-ins
An as-yet unidentified Linux malware is exploiting known vulnerabilities in dozens of WordPress plug-ins and themes to compromise unpatched systems.
The targeted plugins and themes are the following:
- WP Live Chat Support Plugin
- WordPress – Yuzo Related Posts
- Yellow Pencil Visual Theme Customizer Plugin/Yellow Pencil Visual CSS Style Editor
- Easysmtp/Easy WP SMTP
- WP GDPR Compliance Plugin
- Newspaper Theme on WordPress Access Control (CVE-2016-10972)
- Thim Core
- Smart Google Code Inserter (discontinued as of January 28, 2022)
- Total Donations Plugin
- Post Custom Templates Lite
- WP Quick Booking Manager
- Faceboor Live Chat by Zotabox
- Blog Designer WordPress Plugin
- WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)
- WP-Matomo Integration (WP-Piwik)
- WordPress ND Shortcodes For Visual Composer
- WP Live Chat
- Coming Soon Page and Maintenance Mode
- Hybrid
- Live Chat with Messenger Customer Chat by Zotabox
- Brizy
- FV Flowplayer Video Player
- WooCommerce
- Onetone
- Simple Fields
- Delucks SEO
- Poll, Survey, Form & Quiz Maker by OpinionStage
- Social Metrics Tracker
- WPeMatico RSS Feed Fetcher, and
- Rich Reviews
Once they have gained a foothold, the attackers inject web pages with malicious JavaScripts. The malware targets both 32-bit and 64-bit Linux systems.
Note
- Irrespective of what malware is targeting which plugins, make sure that you’re running updated plugins on your WordPress Site, that you’ve uninstalled inactive plugins and themes, and implemented MFA for your administrator accounts. There are two exploits, the first: Linux.BackDoor.WordPressExploit.1 has remote C&C, targets 32 bit Linux, but will run on 64 bit variants as well; the second: Linux.BackDoor.WordPressExploit.2 appears to be an updated version, with different C&C servers, and has exploits for additional plugins. The Doctor Web blog lists the plugins each targets and has links to IOCs you can ingest.
Overview
A previously undetected Linux malware was found abusing 30 vulnerabilities in several outdated WordPress plugins and themes to insert malicious JavaScript.
