
Researchers have warned that attackers were seen installing the abandoned Eval PHP plugin on compromised WordPress sites to deploy backdoors.
With the Eval PHP plugin, a threat actor can insert PHP code into the pages and posts of a WordPress site, and that code then executes every time the posts are opened.
The malicious code uses the file_put_contents function to create a PHP script in the docroot of the website containing the specified remote code execution backdoor. The backdoor is injected into the file structure when threat actors visit one of the infected posts or pages.
Starting this month, threat actors are installing the Eval PHP plugin on compromised WordPress sites and using it to inject malicious PHP code into web pages.
The plugin was last updated 10 years ago and rarely had 1 download a day. Around March 29, the researchers observed daily downloads spike to 7,000. After that, the plugin saw 3k-5k downloads every single day, and the total number of downloads reached 100,000. The surge in downloads is due to the hacking campaign conducted by the threat actors.
The experts explained that the PHP backdoor can hide requests as cookies to avoid detection. In the observed attacks, threat actors successfully logged into WordPress admin and created malicious pages using the real site administrator account.
On some of the compromised sites, researchers observed the presence of malicious admin users with random names and outlook.com emails.
Researchers conclude that old and abandoned plugins still present in the official repository pose a security risk.
Attack origin IPs:
- 91[.]193[.]43[.]151
- 79[.]137[.]206[.]177
- 212[.]113[.]119[.]6
This research was documented by researchers from Sucuri.
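
Added example (not from the original research or the plugin's code): a triage check for site owners that looks for the indicators described above in exported post rows, user rows and access-log lines. The `[evalphp]` shortcode tag, the flattened `role` field, the `known_admins` allow-list and all sample data are assumptions constructed for illustration.

```python
import re

# Source IPs as listed on this page (defanged there), refanged for matching.
DEFANGED_IPS = ["91[.]193[.]43[.]151", "79[.]137[.]206[.]177", "212[.]113[.]119[.]6"]
ATTACK_IPS = {ip.replace("[.]", ".") for ip in DEFANGED_IPS}

# Assumption: "[evalphp]" is the plugin's shortcode tag; file_put_contents is named on the page.
POST_PATTERNS = {
    "evalphp_shortcode": re.compile(r"\[\s*evalphp\b", re.I),
    "file_put_contents": re.compile(r"\bfile_put_contents\s*\(", re.I),
}

def flag_posts(posts):
    """Return {post_id: [matched pattern names]} for wp_posts rows of any post_status."""
    hits = {}
    for post in posts:
        names = [n for n, rx in POST_PATTERNS.items() if rx.search(post["post_content"])]
        if names:
            hits[post["ID"]] = names
    return hits

def flag_admins(users, known_admins):
    """Administrators on outlook.com that the site owner does not recognise (a lead, not a verdict)."""
    return [u["user_login"] for u in users
            if u["role"] == "administrator"
            and u["user_email"].lower().endswith("@outlook.com")
            and u["user_login"] not in known_admins]

def flag_requests(log_lines):
    """Access-log lines (common/combined format) whose client IP is a listed source."""
    return [ln for ln in log_lines if ln.split(" ", 1)[0] in ATTACK_IPS]

# Constructed sample data, not taken from any real site.
POSTS = [
    {"ID": 10, "post_status": "publish", "post_content": "<p>Welcome to our shop</p>"},
    {"ID": 11, "post_status": "draft",
     "post_content": "[evalphp]file_put_contents($path, $data);[/evalphp]"},
]
USERS = [
    {"user_login": "siteowner", "user_email": "owner@example.com", "role": "administrator"},
    {"user_login": "qzkxwv", "user_email": "qzkxwv@outlook.com", "role": "administrator"},
    {"user_login": "reader1", "user_email": "reader1@outlook.com", "role": "subscriber"},
]
LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '91.193.43.151 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print(flag_posts(POSTS), flag_admins(USERS, {"siteowner"}), flag_requests(LOG))
```

A flagged post or account is a reason to inspect the docroot for unexpected PHP files and to review the installed plugin list for Eval PHP.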