EDITS.WS

Author: Fioravante Souza

  • How Malware Can Abuse the .htaccess File

    You learned about the importance of the .htaccess file in our blog post How to Access and Edit the Default WordPress .htaccess File. As you can imagine, an important file such as .htaccess can be a target for bad actors. In this article, we’ll point out cases and indicators of compromise that affect this file.

    Malicious redirects

    Attackers can set up redirects in the .htaccess file that send visitors elsewhere based on specific conditions. The final destination can be a website containing other malicious content, spam, phishing campaigns, or other types of scams.

    Those redirects rely on the RewriteRule directive and are sometimes preceded by conditions set with RewriteCond, just as in a default .htaccess file. This can make the malicious rules hard to spot for users who aren’t familiar with the website’s configuration.

    Examples of this type of malware (the URLs have been invalidated):

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
    RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/$ [NC]
    RewriteRule ^.*$ hxxp://celeirodoalgarvio[.]com/azzf.html?h=717013 [L,R]
    </IfModule>
    
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^([A-Za-z0-9-]+).txt$ hxxps://getyourprizenow[.]life/?u=y2ykaew&o=2xup89r&m=1&t=m2rdhta [L]
    RewriteRule ^([A-Za-z0-9-]+).htm$ hxxps://getyourprizenow[.]life/?u=y2ykaew&o=2xup89r&m=1&t=m2rdhta [L]
    </IfModule>
    
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} "iPhone|android"[NC]
    RewriteRule ^(.*)$ hxxp://176[.]102[.]34[.]137/safezone [L,R=302]
    

    SEO spam

    Very similar to the malicious redirects case, this bad code will target search engines instead of the end user, redirecting their crawling attempts to malicious pages written to boost other websites, usually related to scams.

    In the conditions, you’ll find it checking referrers and user agents for search engine names, as in the following example:

    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo|msn|aol) [NC,OR]
    RewriteCond %{HTTP_REFERER} (yahoo|bing|google|msn|aol)
    RewriteRule ^(.*)$ default.php [L,QSA]
    RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo|msn|aol) [NC,OR]
    RewriteCond %{HTTP_REFERER} (yahoo|bing|google|msn|aol)
    RewriteRule ^(.*)$ inc.php [L,QSA]
    RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo|msn|aol) [OR,NC]
    RewriteCond %{HTTP_REFERER} (yahoo|bing|google|msn|aol)
    RewriteRule ^(.*)$ inc.php [L,QSA] 
    RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo|msn|aol) [OR,NC] 
    RewriteCond %{HTTP_REFERER} (bing|google|yahoo|msn|aol)
    RewriteRule ^(.*)$ inc.php [L,QSA]
    

    Allowing bad code

    Sometimes attackers want to protect the malicious file they uploaded to the site from competitors or other people poking around. Or they want to make sure their malicious file can be opened, by overriding the parent directory’s configuration.

    For those cases, a FilesMatch block is created that lists specific files or extensions, as in the example below:

    <FilesMatch ".(py|exe|php)$">
     Order allow,deny
     Deny from all
    </FilesMatch>
    <FilesMatch "^(about.php|radio.php|index.php|content.php|lock360.php)$">
     Order allow,deny
     Allow from all
    </FilesMatch>
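
    The three patterns above (external redirects, rewrites keyed on user agent or referrer, and FilesMatch blocks that explicitly allow named files) can be triaged with a short script. This is an added example, not code from the original post; the sample file, the domain redirect.example and the function name scan_htaccess are constructed for illustration. The checks are heuristics: legitimate rules such as hotlink protection can match, so every finding needs a manual review.

```python
import re

# Constructed sample combining the three patterns described above (placeholder domain).
SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo) [NC,OR]
RewriteCond %{HTTP_REFERER} (bing|google|yahoo)
RewriteRule ^(.*)$ inc.php [L,QSA]
RewriteCond %{HTTP_USER_AGENT} "iPhone|android" [NC]
RewriteRule ^(.*)$ http://redirect.example/landing [L,R=302]
<FilesMatch "^(about.php|lock360.php)$">
 Order allow,deny
 Allow from all
</FilesMatch>
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""

CLIENT_VARS = re.compile(r"%\{HTTP_(USER_AGENT|REFERER)\}", re.I)
EXTERNAL = re.compile(r"^(https?|hxxps?)://", re.I)  # hxxp: defanged form used in reports

def scan_htaccess(text):
    """Return (line_no, reason) findings for the patterns this article describes."""
    findings, conds, files_match = [], [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        low = line.lower()
        if low.startswith("rewritecond"):
            conds.append(line)  # conditions apply to the next RewriteRule only
        elif low.startswith("rewriterule"):
            parts = line.split()
            target = parts[2] if len(parts) > 2 else ""
            keyed = any(CLIENT_VARS.search(c) for c in conds)
            if EXTERNAL.match(target):
                findings.append((no, "redirect to external URL"))
            elif keyed:
                findings.append((no, "rewrite keyed on user agent or referrer"))
            conds = []
        elif low.startswith("<filesmatch"):
            files_match = line
        elif low.startswith("</filesmatch"):
            files_match = None
        elif files_match and low.startswith("allow from all"):
            findings.append((no, "explicit allow for " + files_match))
    return findings

if __name__ == "__main__":
    for no, reason in scan_htaccess(SAMPLE):
        print(no, reason)
```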
    

    What to do if my site was infected?

    If you find that the .htaccess file on your website was compromised, the first thing you should do is restore it to a working version, which will preserve your site’s permalinks and redirects. Please refer again to How to Access and Edit the Default WordPress .htaccess File. Then follow these steps:

    • Change all admin users’ passwords and make sure you’re using multi-factor authentication.
    • Review all WordPress users and remove the ones you don’t recognize (especially the admin ones).
    • Review for unused or unknown themes and plugins and remove anything unnecessary or unknown.
    • Reinstall all your plugins since they may have been compromised.
    • Review your theme for added or changed files that weren’t added or changed with your consent.
    • Reinstall WordPress core files.

    At Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. The Jetpack Security bundle is one great WordPress security option to ensure your site and visitors are safe. This product includes real-time malware scanning, site backups, comment and form spam protection from Akismet, brute force attack protection, and more.

  • Fake plugin wave affecting WordPress sites

    Recently our colleague Joshua Goode escalated to the Security Research team an investigation he was performing on several websites that presented the same indicators of compromise. There were small variations in what the final payload was, but the attack timeline was always the same.

    Attack timeline

    As Joshua initially pointed out, and as I subsequently confirmed, the chain starts with the installation of the core-stab plugin, followed by other additional items. The following timeline depicts one of the many compromised sites we reviewed:

    • Jan 10, 2023 @ 17:29:49.587 UTC – Core stab plugin upload – /wp-admin/update.php?action=upload-plugin
    • Jan 10, 2023 @ 17:29:52.270 – /wp-content/plugins/core-stab/index.php
    • Jan 11, 2023 @ 02:12:50.773 – /wp-admin/theme-install.php?tab=upload
    • Jan 11, 2023 @ 02:12:57.862 – Classic theme upload – /wp-content/themes/classic/inc/index.php
    • Jan 11, 2023 @ 03:37:58.870 – Another core-stab install
    • Jan 11, 2023 @ 04:15:06.014 – Installation of a new plugin, task-controller, /wp-content/plugins/task-controller/index.php
    • Jan 11, 2023 @ 08:23:26.519 – Installation of WP File Manager (Unsure if by attacker but this plugin is typical with a lot of malware)
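
    The sequence in this timeline, an upload request followed seconds later by a direct request to an index.php inside the new plugin or theme directory, can be searched for in web server access logs. This is an added example, not code from the original investigation; the log lines are constructed, the combined log format and the client addresses are assumptions, and correlating by client IP within a 60-second window is a choice made here for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed access-log lines (combined log format assumed; documentation IP ranges).
LOG = """\
203.0.113.7 - - [10/Jan/2023:17:29:49 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2023:17:29:52 +0000] "GET /wp-content/plugins/core-stab/index.php HTTP/1.1" 200 312
198.51.100.4 - - [10/Jan/2023:18:02:11 +0000] "GET /wp-content/plugins/akismet/index.php HTTP/1.1" 200 0
203.0.113.7 - - [11/Jan/2023:02:12:50 +0000] "GET /wp-admin/theme-install.php?tab=upload HTTP/1.1" 200 9001
203.0.113.7 - - [11/Jan/2023:02:12:57 +0000] "GET /wp-content/themes/classic/inc/index.php HTTP/1.1" 200 298
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
UPLOAD = re.compile(
    r"/wp-admin/(update\.php\?action=upload-(plugin|theme)|theme-install\.php\?tab=upload)")
DIRECT = re.compile(r"^/wp-content/(plugins|themes)/([^/]+)/(?:[^?]*/)?index\.php")

def upload_then_direct_hit(log_text, window=timedelta(seconds=60)):
    """Return (timestamp, kind, slug) for direct index.php requests made by a
    client shortly after that same client requested an upload endpoint."""
    last_upload, hits = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, _method, path = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if UPLOAD.search(path):
            last_upload[ip] = when
            continue
        d = DIRECT.match(path)
        if d and ip in last_upload and when - last_upload[ip] <= window:
            hits.append((when.isoformat(), d.group(1), d.group(2)))
    return hits

if __name__ == "__main__":
    for hit in upload_then_direct_hit(LOG):
        print(*hit)
```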

    The most common “coincidence” is that all users involved in this attack had their emails listed in at least one public password leak since 2019, which only corroborates the overall findings: the attacker(s) used compromised or leaked accounts to install the malware.

    You can find more details on how the core-stab malware works, as well as detailed detection and blocking information for WP security experts, via WPScan.

    Testing and validating our Proof-of-Concept for the malicious code.

    What to do if my site was infected?

    If you find the core-stab plugin installed on your site, the first thing you should do is remove it and then follow these next steps:

    • Change all admin users’ passwords and make sure you’re using multi-factor authentication.
    • Review all WordPress users and remove the ones you don’t recognize (especially the admin ones).
    • Review for unused or unknown themes and plugins and remove anything unnecessary or unknown.
    • Reinstall all your plugins since they may have been compromised.
    • Review your theme for added or changed files that weren’t added or changed with your consent.
    • Reinstall WordPress core files.

    Finally, at Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. The Jetpack Security bundle is one great WordPress security option to ensure your site and visitors are safe. This product includes real-time malware scanning, site backups, comment and form spam protection from Akismet, brute force attack protection, and more.