WordPress: 93 corrupted themes and plugins put more than 360,000 sites at risk


Thibaut Keutchayan

January 26, 2022 at 8:30 a.m.


According to Jetpack researchers, an attack by an actor external to WordPress has led to the corruption of a great many components of websites hosted on the CMS.

A complete procedure is available to find out whether your site is affected.

Jetpack researchers sound the alarm

This is news that all WordPress users would certainly have done without. The service, which hosts almost four out of ten sites worldwide, has suffered a mass attack through corrupted themes and plugins. At the heart of the problem is a PHP backdoor added to 53 plugins and 40 themes, which allows attackers to take control of the sites on which these themes and plugins are installed.

In more detail, the malicious code embedded in these themes and plugins ensures that, as soon as one of them is added to a site, a new malicious “initial.php” file is automatically installed within “functions.php”. It contains a base64-encoded payload together with the code that drops a malicious file at “./wp-includes/vars.php”. This code, which completes the installation of the backdoor, decodes the payload and writes it into the “vars.php” file, giving the attackers full access to the website.

Offered by AccessPress, the incriminated themes and plugins are used on nearly 360,000 active sites. While the investigation by Sucuri researchers is still ongoing, access to the websites could notably be put up for sale on the dark web. Still according to Sucuri, the backdoor is used to redirect visitors from infected sites to other malicious sites.

How do you know if your site is affected?

Jetpack researchers found as early as September 2021 that all free AccessPress themes and plugins were compromised; the paid ones were potentially compromised as well, but for lack of testing at the time this was unconfirmed. Removed from the AccessPress catalog on October 15, 2021, the plugins that were compromised at the time have only been available again since January 17. As for the themes, they have still not been cleaned up, and are therefore not ready to be reused.

To find out whether your website is concerned, first know that updating, replacing or even deleting the compromised plugins and themes from your site does not remove the malicious code that may have been implanted there. You need to scan your site for compromised code, starting with the “wp-includes/vars.php” file (lines 146-158), and look for a “wp_is_mobile_fix” function containing obfuscated code. If it is present, your site is compromised.

Search the filesystem for the “wp_is_mobile_fix” and “wp-theme-connect” functions to check for potentially infected files, replace the core WordPress files with fresh copies, upgrade the affected plugins, change themes, and then change your passwords. A complete YARA rule and a great deal of additional information are also available on the Jetpack site.
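As an added example (not code from Clubic, Jetpack or Sucuri), the following POSIX shell script performs the filesystem check described above against a WordPress root: it searches for the two indicator names quoted in the article and reports on wp-includes/vars.php. The sample tree it builds is constructed for the demo, and its marker file is a stub, not real backdoor code.

```shell
#!/bin/sh
# Added example implementing the check described in the article: search a
# WordPress tree for the two indicator names ("wp_is_mobile_fix" and
# "wp-theme-connect") and flag wp-includes/vars.php. Any hit warrants a look
# at the file: the grep matches the name anywhere, not only in lines 146-158.

# List every PHP file under the WordPress root $1 that mentions either
# indicator name, sorted, one path per line. Empty output means no hit.
find_accesspress_indicators() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'wp_is_mobile_fix|wp-theme-connect' {} + 2>/dev/null | sort
}

# Return 0 (clean) when wp-includes/vars.php exists and has no indicator,
# 1 when it is flagged, 2 when the file is missing (broken install).
vars_php_status() {
    f="$1/wp-includes/vars.php"
    [ -f "$f" ] || return 2
    grep -qE 'wp_is_mobile_fix|wp-theme-connect' "$f" && return 1
    return 0
}

# Build a constructed WordPress layout: one clean theme file and a vars.php
# stub that only carries the indicator name. Prints the root directory.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes" "$root/wp-content/themes/demo-theme"
    printf '<?php\n// constructed stand-in for a clean theme file\n' \
        > "$root/wp-content/themes/demo-theme/functions.php"
    printf '<?php\n// constructed stub: only the indicator name is present\nfunction wp_is_mobile_fix() {}\n' \
        > "$root/wp-includes/vars.php"
    printf '%s\n' "$root"
}

# Print a short report for the WordPress root $1; status 1 if anything is flagged.
scan_report() {
    hits=$(find_accesspress_indicators "$1")
    if [ -z "$hits" ]; then
        echo "no AccessPress indicators found under $1"
        return 0
    fi
    echo "flagged files (replace core files from a fresh WordPress download,"
    echo "reinstall plugins/themes, rotate passwords; see the Jetpack write-up):"
    printf '%s\n' "$hits"
    return 1
}

# Usage: sh scan.sh /var/www/wordpress   or   sh scan.sh --demo
case "${1:-}" in
    --demo) scan_report "$(make_demo_tree)" ;;
    ?*)     scan_report "$1" ;;
esac
```

WP-CLI's `wp core verify-checksums` is a convenient way to carry out the "replace core files" step, since it lists core files that differ from the official release.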


Sources: Jetpack, Bleeping Computer



