Dangerous Keylogger Found – Infecting over 2000 WordPress sites

WordPress is one of the most popular open source blogging platform, with global and vibrant user, developer, and support communities. Though it can be compared to TypePad, Moveable Type, Google’s Blogger(Blogspot), and the Apache Roller project as a user-generated content workhorse, WordPress distinguishes itself with a broad array of hosting options, functional extensions (plugins), and aesthetic designs and elements (themes).

Unfortunately, with success and popularity you also become a target. WordPress is a successful and popular platform for web sites and with that comes the attention of the hackers and bad guys. It is simple economics that bad guys looking to build a network of sites will look to the most widespread applications and attack their vulnerabilities.

One of the vulnerabilities with WordPress is that because of the low barrier of entry and ease of use, users who are generally not too tech savvy or security minded can utilize WordPress without recognizing the full security ramifications involved.

One of the security researcher from Sucuri found that a malicious campaign that infects thousands of websites especially WordPress only with a malicious script contains in-browser cryptocurrency miner from CoinHive and a hidden dangerous keylogger.

Coinhive is a platform who offers a JavaScript miner that you can embed in your website to utilise CPUs Power in an effort to mine Monero Cryptocurrency.

Read More: WordPress Security Scanner

Sucuri researchers found a similar campaign last month (Dec 2017) which infects around more than 5000 WordPress websites with the malware called cloudflare[dot]solutions.

Cloudflare[.]solutions is in no way related from Cloudflare.

While these new attacks do not yet appear to be as massive as the original cloudflare[.]solutions campaign, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection“, wrote Denis Sinegubko, a senior malware researcher at Sucuri who authored research blog this week.

The malware which contains CoinHive miner hidden with the fake Google Analytics Code and the domain cloudflare[dot]solutions which was active since April 2017 but now that domain was taken down.

Read More: A comprehensive quick guide to WordPress Security.

This was actually not the end of this malware campaign, because by Dec 9 2018, researchers found more similar domains with same malware: cdjs[dot]online , cdns[dot]ws and msdns[dot]online.

Attackers target both the admin login page and the site’s public facing frontend because the malware is obfuscated to include JavaScript code, such as “googleanalytics.js“, that load the malicious scripts “startGoogleAnalytics” from the attackers’ domains.

If your website has already been compromised with this CoinHive miner infection, you will require to remove the malicious code from theme’s functions.php and scan wp_posts table for any possible injection.

– Don’t forget to change your all passwords (Cpanel/WHM/Wp-admin/FTP etc) and update all server software including third-party themes and plugins just to be on the safer side.

Around 38% WordPress sites are run by non-technical members who have almost zero security measures in place and they actually even don’t know that how to update WordPress, their themes and plugins results this kind of massive breach and hack.

WordPress security can be strengthened by setting secret keys in your wp-config.php file. A secret key is a hashing salt, which makes your site harder to hack by adding random elements (the salt) to the password you set. These keys aren’t required for WordPress to function, but they add an extra layer of security on your web site.

One of the most important steps for installing a plugin is making sure it is secure from hacks and exploits. If a plugin contains security holes it opens up the entire WordPress web site for malicious hackers to wreak havoc. WordPress features some built-in security tools that you can utilize to make sure your plugins are as secure as can be.

The .htaccess file can also be used for security purposes. Using .htaccess allows you to restrict access to your web site by IP address, essentially locking it down from anonymous visitors. To lock down your web site by IP addresses, add the following code to your .htaccess file:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
order deny, allow
deny from all
#IP address to whitelist
allow from xxx.xxx.xxx.xxx

Replace xxx.xxx.xxx.xxx with any IP address that you want to grant access to your web site. You can have multiple “allow from” lines so add as many IP addresses as you need. This will only allow access to your web site if you are using an IP address defined here.

Best thing about WordPress – 

If any security vulnerability is discovered a patch is typically released very quickly by team WordPress. If you can’t upgrade because you have modified Core files, you are opening up your web site to these security vulnerabilities being exploited and your web site getting hacked.

Another great feature about WordPress is that you can easily release updates for your plugins/themes in the wp-content Directory. When a new plugin/theme version is released, a notice is displayed on any WordPress site that currently has that plugin/theme uploaded to its server, whether or not it is activated.

The user can use the automatic upgrade process to easily upgrade the plugin/theme to the latest version. This is especially important if there are security patches in your plugin/theme to help keep WordPress secure.

Also take this opportunity to secure your PHP execution container and help it run faster. Here are some simple settings. There probably are more depending on your setup, which you can likely turn off to improve security and performance:

;Hide PHP for security
expose_php = Off
;Turn off for performance
register_globals = Off
register_long_arrays = Off
register_argc_argv = Off
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off

As with many security mechanisms, the bad guys are continually getting smarter and more automated, and testing the edge protection and response of the systems they want to infiltrate.

Updates often fix security concerns before there are exploits in the wild. In fact, many of the recent exploits have been targeting outdated versions of WordPress while consistently updated sites are immune.

You may also like:

Sarcastic Writer

Step by step hacking tutorials about wireless cracking, kali linux, metasploit, ethical hacking, seo tips and tricks, malware analysis and scanning.

Related Posts