Security researchers have identified an alarming pair of backdoors embedded within compromised WordPress sites, strategically designed to forge unauthorized administrator accounts.
This intrusion not only facilitates persistent access for attackers but also complicates remediation efforts, even after web administrators attempt to rectify the situation, as elucidated by Sucuri researchers.
Disguised as Legitimate Files
The first backdoor, dubbed *DebugMaster Pro*, masquerades as a legitimate debugging utility. Its insidious code is crafted to establish covert administrator accounts with preset credentials, simultaneously siphoning sensitive information to a remote command-and-control server.
To elude detection, the plugin cleverly expunges itself from standard WordPress plugin listings. Only through meticulous filtering by web administrators can the creation of these clandestine admin accounts be unveiled.
The second backdoor, *wp-user.php*, appears deceptively simplistic. However, this script is adept at autonomously generating users with administrator rights. Should the site owner attempt to eliminate this rogue account, the backdoor instantaneously resurrects it upon the next script execution.
How the Backdoors Operated
Upon installation, the backdoors proceeded to fabricate new administrator accounts and extract login credentials, including usernames, passwords, and the server’s IP addresses. This sensitive data, encoded in JSON format and obfuscated via base64, is transmitted to an external command-and-control server.
Moreover, the malware injects external scripts into the compromised websites, ensuring they are executed for all visitors, except for administrators or whitelisted IP addresses. This allows attackers to deploy harmful payloads or surveil user interactions.
Conversely, *wp-user.php* guarantees its own persistence by mandating the existence of a specified administrator account. Even if administrators alter the password or attempt deletion, the script will promptly restore the account.
Signs of Compromise
WordPress site proprietors should remain vigilant for the following indicators:
- Unfamiliar plugins or suspicious files such as DebugMaster.php or wp-user.php.
- Unexpected administrator accounts are appearing within the user management interface.
- Deleted accounts re-emerge shortly after their removal.
Recommended Protection
To recuperate from such intrusive compromises, security experts recommend adhering to these guidelines:
- Remove malicious files: Eradicate *DebugMaster* and *wp-user.php* from the server.
- Audit users: Eliminate the hardcoded “help” administrator account along with any other dubious entries.
- Reset credentials: Update all passwords related to WordPress, FTP, hosting, and databases.
- Update software: Ensure WordPress, plugins, and themes are operated on their latest versions to mitigate vulnerabilities.
- Monitor outgoing traffic: Scrutinize server logs for anomalies connected to unknown domains.
Source link: Bitdefender.com.
