Analysis
Threat actors have been observed using a legitimate but outdated WordPress plugin as part of an ongoing campaign to covertly backdoor websites.
The plugin in question is called Eval PHP and was created by flashpixx. It lets users embed PHP code in WordPress pages and posts, and that code is then executed every time the post is loaded in a web browser.
Prevention
- Update WordPress software and plugins.
- Remove unused plugins.
- Use a security plugin or web application firewall.
- Limit user access.
- Regularly back up your website.
Detection
- Monitor website logs: Check your website logs regularly and look for any unusual activity, such as a spike in requests to PHP files or unusual user behavior.
- Use a security plugin: Consider installing a security plugin that can help detect malicious activity on your website, such as unauthorized access or file changes.
- Keep an eye on website performance: If your website suddenly becomes slower or experiences unusual spikes in traffic, it could be a sign of a malicious attack.
- Scan your website regularly: Use a malware scanner to check your website for any malicious files or code.
- Monitor user activity: Keep track of user activity on your website and look for any unusual behavior, such as users accessing pages they don't normally visit or making unauthorized changes to your website.
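The two detection steps above that lend themselves to automation are the log check (a spike in requests to PHP files) and the content scan. The following Python script is an added example, not code from the original page or from the plugin's author. It assumes, beyond what the page states, that the plugin executes code wrapped in [evalphp] ... [/evalphp] shortcodes stored in post content, and that the web server writes combined-format access logs. The log lines and posts it works on are constructed sample data; in practice you would feed it your access log and a dump of the wp_posts table.

```python
"""
Detection helpers for Eval PHP plugin abuse: spikes of requests to .php
paths per client, and [evalphp] shortcodes or raw PHP tags in post content.

Added example; not the page's or the plugin author's code. The [evalphp]
shortcode name and the combined log format are assumptions, and all sample
log lines and posts below are constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Combined log format: IP - - [date] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Shortcode the plugin evaluates (assumed name; matched case-insensitively)
EVALPHP_RE = re.compile(r"\[\s*evalphp\s*\](?P<body>.*?)\[\s*/\s*evalphp\s*\]", re.I | re.S)
PHP_TAG_RE = re.compile(r"<\?php|<\?=", re.I)


def parse_log_line(line):
    """Return (ip, timestamp, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def php_request_spikes(lines, window_seconds=60, threshold=20):
    """Count requests to .php paths per (client IP, time window) and return
    (ip, window_start_epoch, count) for buckets above the threshold, highest first."""
    buckets = Counter()
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ip, ts, path, _status = parsed
        # Strip the query string before checking the extension
        if not path.split("?", 1)[0].lower().endswith(".php"):
            continue
        window = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[(ip, window)] += 1
    return sorted(((ip, w, n) for (ip, w), n in buckets.items() if n > threshold),
                  key=lambda t: -t[2])


def find_evalphp_shortcodes(content):
    """Return the PHP bodies wrapped in [evalphp] shortcodes found in post content."""
    return [m.group("body").strip() for m in EVALPHP_RE.finditer(content)]


def scan_posts(posts):
    """posts: iterable of (post_id, content). Returns one finding per post that
    carries an [evalphp] block or a raw PHP open tag."""
    findings = []
    for post_id, content in posts:
        bodies = find_evalphp_shortcodes(content)
        raw_php = bool(PHP_TAG_RE.search(content))
        if bodies or raw_php:
            findings.append({"post_id": post_id, "evalphp_blocks": bodies, "raw_php_tags": raw_php})
    return findings


# Constructed sample data: two ordinary requests, then a burst of 25 POSTs to a
# PHP endpoint from one client inside a single minute.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2023:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Apr/2023:12:00:02 +0000] "GET /about/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.9 - - [10/Apr/2023:12:05:{s:02d} +0000] "POST /wp-admin/admin-post.php?p={s} HTTP/1.1" 200 77 "-" "curl/8.0"'
    for s in range(25)
]

SAMPLE_POSTS = [
    (1, "<p>Welcome to our site.</p>"),
    (2, "<p>Hello</p>[evalphp] echo date('Y'); [/evalphp]"),
    (3, "[EvalPHP]echo 1;[/EvalPHP]<?php echo 2; ?>"),
]

if __name__ == "__main__":
    for ip, window, n in php_request_spikes(SAMPLE_LOG):
        start = datetime.fromtimestamp(window, tz=timezone.utc)
        print(f"spike: {n} PHP requests from {ip} in window starting {start}")
    for finding in scan_posts(SAMPLE_POSTS):
        print("suspicious post:", finding)
```

The spike threshold and window are deliberately parameters: tune them against a baseline of your own traffic, since a busy site will legitimately exceed 20 PHP requests per minute from a single reverse proxy or crawler. The content scan flags the shortcode even when the plugin has since been removed, which is the case worth checking: the stored payload survives plugin deletion and is re-armed the moment the plugin is reinstalled.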
Indicators of Compromise (IOCs)
- Unusual network traffic
- Unusual system behavior
- Suspicious log activity
- Unusual user behavior
- Malware or other malicious files
- Unauthorized changes
- Phishing or social engineering attempts
Vulnerable Version
The plugin is at version 0.1 and was last updated 10 years ago.
References
The Hacker News