Categories
Security

Using Innocent Roles to Hide Admin Users

Using Innocent Roles to Hide Admin Users

All across the internet, we find guides and tutorials on how to keep your WordPress site secure. Most of them approach the concept of user roles, but not many actually approach the capabilities of those roles.

The way the capabilities are handled on WordPress makes it quite easy to change what each role is allowed to do.

How WordPress Sets Role Capabilities

First, let’s take a look at how WordPress manages the capabilities of the roles and what they are allowed to do, such as:

  • add users;
  • remove users;
  • create posts;
  • delete posts, etc.

Continue reading Using Innocent Roles to Hide Admin Users at Sucuri Blog.

Categories
Security

Multiple Ways to Inject the Same Tech Support Scam Malware

Multiple Ways to Inject the Same Tech Support Scam Malware

Last month, we shared information about yet another series of ongoing massive infections using multiple different vectors to inject malicious scripts into WordPress websites.

Shortly after, the campaign changed the domain names used in its scripts. Now it mainly uses hotopponents[.]site and learningtoolkit[.]club.

At the time of this writing, PublicWWW finds the most common patterns of this malware on thousands of sites:

  • “var _0xfcc4=” – 8501 sites
  • “hotopponents.site/site.js” – 3636 sites

Database Injections

Multiple variations of the injected scripts have been found.

Continue reading Multiple Ways to Inject the Same Tech Support Scam Malware at Sucuri Blog.

Categories
Security

Backdoor Uses Paste Site to Host Payload

Backdoor Uses Paste Site to Host Payload

Finding backdoors is one of the biggest challenges of a website security analyst, as backdoors are designed to be hidden in case the malware is found and removed.

Website Backdoors

A backdoor is a piece of malware that attackers leave behind to allow them access back into a website. Hackers like to inject code into different locations to increase their chances of retaining control of the website so they can reinfect it continuously.

Continue reading Backdoor Uses Paste Site to Host Payload at Sucuri Blog.

Categories
Security

Outdated Duplicator Plugin RCE Abused

Outdated Duplicator Plugin RCE Abused

We’re seeing an increase in the number of cases where attackers are disabling WordPress sites by removing or rewriting its wp-config.php file.

These cases are all linked to the same vulnerable software: WordPress Duplicator Plugin.

Versions lower than 1.2.42 of Snap Creek Duplicator plugin are vulnerable to a Remote Code Execution attack, where the malicious visitor is able to run any arbitrary code on the target site.

Continue reading Outdated Duplicator Plugin RCE Abused at Sucuri Blog.