As per a report published by the security company Sucuri on April 19, malicious attackers have been observed “making use of an unorthodox type of backdoor and reinfection method” that isn’t easy to detect unless one’s website monitoring also includes the database. As per the report, attackers have been exploiting a legitimate yet outdated WordPress plugin to create new backdoors to compromise websites.
The misused plugin, Eval PHP, was created and released by a developer named flashpixx. The plugin enables users to insert PHP code into WordPress websites and posts, which can then be executed whenever a user opens the posts on a browser.
However, while the plugin is legitimate, it hasn’t received any update in over 10 years. Moreover, according to the plugin’s statistics, it had very few active installations ever since its release, averaging around one or two downloads per day or less. That changed abruptly at the end of March 2023, when daily installations climbed to between 3,000 and 5,000 per day. At present, the plugin has over 100,000 active downloads.
This data correlates with Sucuri’s observations. The GoDaddy-owned company mentioned in its report that it noticed malicious actors installing the plugin on compromised websites from March 29, 2023 onward. After installation, the plugin was used to create backdoors.
Per their observations, the databases of the compromised websites were injected with malicious PHP into the “wp_posts” table, where the pages, posts, and navigation menu information is stored. These requests originated from three separate IP addresses, all based in Russia.
The code is quite simple, according to Ben Martin, a security researcher at Sucuri and the author of the report. “It uses the file_put_contents function to create a PHP script into the docroot of the website with the specified remote code execution backdoor. All the attacker needs to do is to visit one of the infected posts or pages, and the backdoor will be injected into the file structure,” he said.
Speaking about why the attackers have chosen this method of injecting backdoors in infected websites, Martin remarked that “Although the injection in question does drop a conventional backdoor into the file structure, the combination of a legitimate plugin and a backdoor dropper in a WordPress post allows them to easily reinfect the website and stay hidden — all they need to do is to visit a “benign” web page.”
Sucuri’s report mentions that the company detected more than 6000 instances of similar backdoors on infected websites in the last 6 months. They referred to this pattern of inserting malicious code directly into the website database as a “new and interesting development.” This severely impacts several companies and law firms, including Charlottesville personal injury lawyers.
The attackers work by first installing the Eval PHP plugin on compromised sites, after which they leverage the plugin to create persistent backdoors across several posts and pages. The code has also been found in posts saved as drafts.
In Martin’s words, “The way the Eval PHP plugin works it’s enough to save a page as a draft in order to execute the PHP code inside the [evalphp] shortcodes.” He also added that the attackers were able to log in successfully to WordPress admin. And in most cases, the malicious pages had a real site administrator as their author.
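The report’s central point is that file-based monitoring misses this infection because the dropper lives in the database, and that drafts execute too. The following is an added example (not code from Sucuri’s report or from the Eval PHP plugin) of the kind of database-side check a site owner could run over the `wp_posts` table. It uses an in-memory SQLite copy with constructed rows and the real `wp_posts` column names `ID`, `post_author`, `post_content` and `post_status`; the embedded PHP in the sample rows is a placeholder, not an observed payload, and the list of flagged function names is an assumption drawn from the `file_put_contents` behaviour the report describes.

```python
import re
import sqlite3

# Constructed sample rows modelled on the wp_posts columns named in the report
# (ID, post_author, post_content, post_status). The PHP inside the shortcodes
# is a placeholder written for this example, not the attackers' real payload.
SAMPLE_POSTS = [
    (1, 1, "<p>Welcome to our site.</p>", "publish"),
    (2, 1, "[evalphp]file_put_contents(ABSPATH . 'x.php', "
           "'<?php /* placeholder */ ?>');[/evalphp]", "publish"),
    (3, 2, "[evalphp]echo 'hi';[/evalphp]", "draft"),
    (4, 1, "Our return policy.", "publish"),
]

# What a defender looks for: the shortcode the plugin executes, and calls that
# would let post content write files or run decoded code (assumed list).
SHORTCODE_RE = re.compile(r"\[evalphp\](.*?)\[/evalphp\]", re.IGNORECASE | re.DOTALL)
SUSPICIOUS_CALLS = ("file_put_contents", "eval(", "base64_decode", "fwrite")


def load_sample_db(rows=SAMPLE_POSTS):
    """Build an in-memory table with the subset of wp_posts columns we need."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER, post_author INTEGER, "
        "post_content TEXT, post_status TEXT)"
    )
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def scan_wp_posts(conn):
    """Return a finding for every [evalphp] shortcode found in any post.

    No post_status filter is applied on purpose: per the report, saving a
    page as a draft is enough for the plugin to execute the code inside the
    shortcode, so a scan limited to published posts would miss the dropper.
    The same SELECT works unchanged against a real MySQL wp_posts table.
    """
    query = (
        "SELECT ID, post_author, post_status, post_content FROM wp_posts "
        "WHERE post_content LIKE '%[evalphp]%'"
    )
    findings = []
    for post_id, author, status, content in conn.execute(query):
        for body in SHORTCODE_RE.findall(content):
            calls = [c for c in SUSPICIOUS_CALLS if c in body]
            findings.append({
                "post_id": post_id,
                "author": author,
                "status": status,
                "suspicious_calls": calls,
                # Writing a file from inside a post is the dropper behaviour
                # the report describes, so rank it above a bare shortcode.
                "severity": "high" if "file_put_contents" in calls else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in scan_wp_posts(load_sample_db()):
        print(finding)
```

Against the constructed rows the scan reports post 2 (published, writes a file: high) and post 3 (a draft with a harmless body: medium), and ignores the two clean posts. Because the `post_author` is returned with each finding, the output can be compared with the legitimate administrator accounts, which matters given the report’s note that the malicious pages were usually authored by a real site administrator.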
Such developments emphasize how malicious attackers experiment with different methods for maintaining their grip over compromised websites while evading monitoring software. The report advised website owners to secure their WordPress admin dashboard and monitor suspicious logins to ensure the safety of their sites. However, after the publication of the report, WordPress stepped in and permanently removed the misused plugin from its repository.