Categories
Security

Using Innocent Roles to Hide Admin Users

Using Innocent Roles to Hide Admin Users

All across the internet, we find guides and tutorials on how to keep your WordPress site secure. Most of them approach the concept of user roles, but not many actually approach the capabilities of those roles.

The way the capabilities are handled on WordPress makes it quite easy to change what each role is allowed to do.

How WordPress Sets Role Capabilities

First, let’s take a look at how WordPress manages the capabilities of the roles and what they are allowed to do, such as:

  • add users;
  • remove users;
  • create posts;
  • delete posts, etc.

Continue reading Using Innocent Roles to Hide Admin Users at Sucuri Blog.

Categories
Security

Hackers Change WordPress Siteurl to Pastebin

Hackers Change WordPress Siteurl to Pastebin

Last Friday, we reported on a hack that used a vulnerability in the popular WP GDPR Compliance plugin to change WordPress siteurl settings to erealitatea[.]net. At that time it was not clear who was behind the massive attack, since the erealitatea[.]net domain didn’t work and the infection simply broke the compromised sites. Our SiteCheck scanner detected the infection on about 700 sites over the weekend and PublicWWW now currently returns 573 results.

Continue reading Hackers Change WordPress Siteurl to Pastebin at Sucuri Blog.

Categories
Security

Erealitatea[.]net Hack Corrupts Websites with WP GDPR Compliance Plugin Vulnerability

Erealitatea[.]net Hack Corrupts Websites with WP GDPR Compliance Plugin Vulnerability

We have noticed a growing number of WordPress-based sites that have had their URL settings changed to hxxp://erealitatea[.]net. Further investigations show that the issue is related to a security vulnerability in the WP GDPR Compliance plugin for WordPress (with 100,000+ active installations).

The new General Data Protection Regulation (GDPR) laws in the EU have made the plugin extremely popular. Many sites are looking for an easy way to comply with these new laws, and adding this plugin is a simple solution for many website owners.

Continue reading Erealitatea[.]net Hack Corrupts Websites with WP GDPR Compliance Plugin Vulnerability at Sucuri Blog.

Categories
Security

Saskmade[.]net Redirects

Saskmade[.]net Redirects

Earlier this week, we published a blog post about an ongoing massive malware campaign describing multiple infection vectors that it uses. This same week, we started detecting new modifications of the scripts injected by this attack.

The general idea of the malware is the same, but the domain name and obfuscation has changed slightly.

For example, in the wp_post table they now inject this script:

<script src='hxxps://saskmade[.]net/head.js?ver=2.0.0′ type=’text/javascript’>

In the section of HTML and PHP files, and at the top of jQuery-related JavaScript files, they inject this new obfuscated script:

var _0x1e35=[‘length’,’fromCharCode‘,’createElement’,’type’,’async’,’code121′,’src’,’appendChild’,’getElementsByTagName’,’script’];(function(_0x546a53,
…skipped…

Continue reading Saskmade[.]net Redirects at Sucuri Blog.