In a disturbing new report from cybersecurity researchers at c/side, it has been revealed that a single piece of malicious JavaScript has infiltrated approximately 1,000 WordPress websites, deploying four backdoors that give attackers persistent and dangerous access. These findings highlight serious vulnerabilities in WordPress sites, and website owners must act quickly to safeguard their platforms from growing cybersecurity threats.
This blog post will explore how the JavaScript was delivered, the backdoors that were installed, and how WordPress users can protect their websites from such attacks.
The Malicious JavaScript Attack
The cybersecurity researchers did not go into great detail about how the malicious JavaScript made its way into these WordPress websites, but a few possibilities come to mind. Typically, attacks like these succeed due to weak or compromised passwords, vulnerable plugins, or the use of outdated software. Cybercriminals often target these weaknesses to inject their code into websites undetected.
In this case, the malicious JavaScript was served from the domain cdn.csyndication[dot]com, a site that has been associated with at least 908 compromised websites. It is likely that the attack involved a vulnerability in the WordPress ecosystem, allowing attackers to exploit common entry points and inject this harmful code into the sites.
Once the JavaScript was successfully deployed, it initiated the installation of four backdoors on the affected websites, providing attackers with persistent access to control the servers remotely.
The Four Backdoors Deployed by the Malicious JavaScript
Let’s take a closer look at the four backdoors that were installed on these compromised WordPress websites:
1. Fake Plugin: “Ultra SEO Processor”
The first backdoor is installed through a fake plugin named “Ultra SEO Processor.” At first glance, this might seem like a legitimate SEO plugin, which many website owners might install to improve their site’s search engine rankings. However, behind the scenes, this fake plugin allows attackers to execute remote commands, giving them control over the website’s operations.
The presence of this backdoor can go unnoticed for extended periods, as the plugin appears harmless at first. However, once in place, it can be used to execute arbitrary commands, open doors for further attacks, and even modify the website’s content.
2. Malicious Injection into wp-config.php
The second backdoor involves **malicious JavaScript injected directly into the wp-config.php file. This file is a critical part of the WordPress installation, containing sensitive information such as database credentials. Injecting malicious code into this file allows attackers to execute malicious commands or access important data on the website.
The fact that the wp-config.php file is compromised is especially concerning because this file often contains the configuration settings for the entire WordPress instance, including database access credentials. Once attackers gain control over this file, they can manipulate database queries or make other adjustments to undermine the security of the website.
3. SSH Key Injection for Persistent Access
Another backdoor installed by the JavaScript attack involves the addition of an SSH key. SSH (Secure Shell) is a protocol used to securely access remote servers. By injecting their SSH key, the attackers ensure that they can maintain persistent access to the compromised WordPress site, bypassing the need for passwords.
With SSH key access, attackers can log into the server undetected, enabling them to maintain control over the compromised site even if passwords are changed or other access methods are blocked. This method is particularly dangerous because it allows threat actors to return to the site at will, making the website vulnerable to long-term exploitation.
4. Reverse Shell and Remote Command Execution
The final backdoor opens a reverse shell, which is a method used to remotely control the compromised server. By using a reverse shell, attackers can run commands remotely, access files, and even upload additional malware. This backdoor is particularly concerning because it gives attackers full control over the website and its underlying server infrastructure.
A reverse shell effectively opens a communication channel from the compromised server to the attacker’s machine. This allows the attacker to execute commands, exfiltrate data, or deploy further attacks from an external location, making it extremely difficult for website administrators to trace and shut down the attack.
How WordPress Users Can Protect Themselves
These four backdoors illustrate the variety of ways in which attackers can gain persistent access to WordPress websites. Given that this attack involved just a single piece of malicious JavaScript, it’s clear that websites must be vigilant in their security practices. Here’s how WordPress users can protect themselves:
1. Keep WordPress and Plugins Updated
One of the most effective ways to protect your website is by ensuring that both WordPress and all installed plugins are up to date. Updates often contain security patches that fix vulnerabilities, making it more difficult for attackers to exploit known weaknesses. Additionally, always choose plugins from trusted sources and avoid using outdated or unsupported plugins that could contain vulnerabilities.
2. Use Strong, Unique Passwords
Many attacks succeed due to weak passwords, so make sure to use strong, unique passwords for all accounts associated with your website. This includes your WordPress admin login, FTP, SSH, and database credentials. Use a password manager to generate and store complex passwords, making it harder for attackers to crack them.
3. Install a Web Application Firewall (WAF)
A Web Application Firewall (WAF) can act as a barrier between your website and potential attackers. It helps to filter out malicious traffic, block known attack patterns, and prevent unauthorized access attempts. Many WAF services also offer real-time monitoring, so you can be alerted to suspicious activities on your website.
4. Regular Backups and Site Audits
To ensure that your website can be quickly restored in the event of an attack, regularly back up your WordPress site and its database. Additionally, conduct periodic site audits to look for signs of malicious activity, such as unusual file changes or unfamiliar plugins.
5. Monitor for SSH Key Injections
Regularly check your site’s SSH keys to ensure that no unauthorized keys have been added. If you notice any suspicious keys or unfamiliar access logs, immediately revoke the keys and investigate further.
6. Limit User Permissions
Ensure that only trusted users have admin privileges on your website. Consider using the principle of least privilege by restricting access for users who do not need it. This can limit the damage that can be done if an attacker gains access to a lower-level account.
Conclusion: A Wake-Up Call for Website Security
The discovery of these four backdoors in 1,000 WordPress websites serves as a stark reminder of how critical it is for website owners to remain vigilant about cybersecurity. A single piece of malicious JavaScript can cause severe damage, infiltrating websites and providing attackers with long-term access to sensitive information and server infrastructure.
By following the best practices outlined in this post, WordPress users can secure their sites and minimize the risk of similar attacks. As always, keeping up with the latest security updates, using strong passwords, and regularly monitoring your website’s security are essential steps to staying ahead of malicious actors in today’s digital landscape.
Discover more from Techtales
Subscribe to get the latest posts sent to your email.