In the previous article, The Rise of the Backdoored WordPress Plugins, I discussed the ever-growing threat to WordPress security in the form of compromised plugins. As promised, here are the changes made by attackers to the popular plugins, WPtouch, W3 Total Cache and AddThis.
This backdoor is using some advanced PHP tricks. It’s masked as an if statement. It uses a regex to extract two values from a particular COOKIE value and it uses one of these values as a function and the other one as a parameter to that function. Very smart.
W3 Total Cache
This backdoor is taking advantage of the assert PHP function. Usually, this function is used for debugging to evaluate is a statement is true or not and act accordingly. It’s a little known fact that assert can be used to execute PHP code. This trick is used by the attacker to execute code from the X_FORWARD_FOR header value. Notice that this is not the usual X_FORWARDED_FOR header used when dealing with proxies. Clever.
Again, the assert trick was used to gain PHP code execution. This code was placed at the end of a very long array initialization and it was pretty hard to spot if you didn’t have word-wrapping enabled.
Yet Another Attack
Another plugin was also backdoored lately. The plugin is named WP-phpmyadmin and unfortunately nobody is maintaining this plugin anymore. Therefore the guys from WordPress removed this plugin from their plugin directory. If you are running that plugin, you should delete it immediately.
This time the injected code was not particularly clever, just a basic eval on user input. You can find the code below.
In conclusion, we can see that attackers are getting more and more sophisticated while their backdoors are becoming increasingly more stealthy and adept. There have been more security intrusions this year than the past 3 years combined!