Over 90 WordPress themes and plugins have backdoors that allow unauthorized access to your website



More than 90 themes and plugins for WordPress, the blogging software used by 43.3% of all websites on the Internet, have been found to contain backdoors that allow unauthorized access to the websites running them.

Backdoor Found in Themes and Plugins from AccessPress Themes
https://jetpack.com/2022/01/18/backdoor-found-in-themes-and-plugins-from-accesspress-themes/



AccessPress Themes Hit With Targeted Supply Chain Attack
https://blog.sucuri.net/2022/01/accesspress-themes-hit-with-targeted-supply-chain-attack.html

Over 90 WordPress themes, plugins backdoored in supply chain attack
https://www.bleepingcomputer.com/news/security/over-90-wordpress-themes-plugins-backdoored-in-supply-chain-attack/

Supply chain attack used legitimate WordPress add-ons to backdoor sites | Ars Technica
https://arstechnica.com/information-technology/2022/01/supply-chain-attack-used-legitimate-wordpress-add-ons-to-backdoor-sites/

WordPress lets you customize a website by installing themes, which change its appearance, and plugins, which extend its functionality. Researchers at Jetpack, which develops security and optimization tools for WordPress sites, announced that a backdoor enabling unauthorized access had been planted in WordPress themes and plugins distributed by a company called AccessPress.

The backdoor was found in 40 themes and 53 plugins distributed by AccessPress, which together are used by more than 360,000 active websites. Jetpack's researchers believe that the attacker compromised the AccessPress website in early September 2021 and planted the backdoor, and that the backdoored themes and plugins were then available for download from both the official AccessPress website and mirror sites.

When a theme or plugin containing the malicious PHP code is installed, an 'initial.php' file is added to the main theme directory and included from the theme's main 'functions.php'. 'initial.php' carries the backdoor in encoded form; it decodes the backdoor code, writes it into 'wp-includes/vars.php', and then removes itself using a built-in self-destruct routine.

The self-destruct routine makes the malware harder to spot, but if the website runs a security plugin that monitors the integrity of the WordPress core files, the modification to 'vars.php' will be flagged, so the backdoor can still be detected.



According to Sucuri, a security company that investigated the backdoor found in AccessPress products, the malware observed in connection with it only redirected visitors to spam and scam sites, and no more sophisticated attacks appear to have been carried out. However, it has also been pointed out that whoever planted the backdoor may have sold a list of websites reachable through it on the dark web.

Jetpack initially had difficulty reaching AccessPress, but once a communication channel was established and details were provided, the affected extensions were removed promptly. However, as IT news site Bleeping Computer points out, if a compromised theme or plugin has already been installed, simply removing, replacing, or updating it will not completely eliminate the planted webshell.

Bleeping Computer recommends that potentially affected website administrators do the following:

1: Check whether the function 'wp_is_mobile_fix' exists on lines 146-158 of the 'wp-includes/vars.php' file; if it is present, the website has been compromised.
2: Search the file system for 'wp_is_mobile_fix' or 'wp-theme-connect' to find any other affected files.
3: Replace the WordPress core files with a fresh copy.
4: Upgrade the affected plugins and switch to a different theme.
5: Change the wp-admin and database passwords.
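Steps 1 and 2 above can be scripted. The following is an added example, not code from the article or from Jetpack, Sucuri, or Bleeping Computer: it greps a WordPress install for the two indicator strings the article names and checks whether 'wp-includes/vars.php' defines 'wp_is_mobile_fix'. The sample site tree it builds (the file contents, the 'demo-theme' name, and the placeholder 'initial.php') is constructed for the demonstration; only the indicator strings and file paths come from the article.

```shell
#!/bin/sh
# Added example: scan a WordPress directory for the AccessPress backdoor indicators.
# Indicator strings come from the article; everything in the sample tree is constructed.

INDICATORS='wp_is_mobile_fix|wp-theme-connect'

# Print every file under $1 that contains either indicator string (step 2).
scan_wp_indicators() {
    grep -rlE -- "$INDICATORS" "$1" 2>/dev/null || true
}

# Print the number of files under $1 that hit an indicator (whitespace-trimmed).
count_indicator_hits() {
    scan_wp_indicators "$1" | wc -l | tr -d ' '
}

# Exit 0 if $1/wp-includes/vars.php defines wp_is_mobile_fix (step 1: compromised),
# non-zero if the file is clean or missing. Matching the definition, not the bare
# name, avoids false positives from the legitimate wp_is_mobile() function.
vars_php_backdoored() {
    grep -qE 'function[[:space:]]+wp_is_mobile_fix' "$1/wp-includes/vars.php" 2>/dev/null
}

# Build a throwaway site tree (constructed data): one clean core file, one vars.php
# with a planted wp_is_mobile_fix, and a theme whose functions.php includes a
# stand-in initial.php. Prints the directory path.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/themes/demo-theme"
    printf '<?php\nfunction wp_is_mobile() { return false; }\n' \
        > "$d/wp-includes/clean.php"
    printf '<?php\nfunction wp_is_mobile() { return false; }\nfunction wp_is_mobile_fix() { /* planted code would sit here */ }\n' \
        > "$d/wp-includes/vars.php"
    printf '<?php\ninclude_once __DIR__ . "/initial.php";\n' \
        > "$d/wp-content/themes/demo-theme/functions.php"
    printf '<?php\n// constructed stand-in for the dropper described in the article\n$slug = "wp-theme-connect";\n' \
        > "$d/wp-content/themes/demo-theme/initial.php"
    echo "$d"
}

# Build a minimal clean tree for comparison. Prints the directory path.
make_clean_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes"
    printf '<?php\nfunction wp_is_mobile() { return false; }\n' > "$d/wp-includes/vars.php"
    echo "$d"
}

# Stand-alone run: scan the constructed tree, report, clean up.
demo_site=$(make_sample_site)
echo "Files matching indicators under $demo_site:"
scan_wp_indicators "$demo_site"
if vars_php_backdoored "$demo_site"; then
    echo "vars.php defines wp_is_mobile_fix: treat this site as compromised"
else
    echo "vars.php looks clean"
fi
rm -rf "$demo_site"
```

To run it against a real install, replace the constructed tree with the site's document root, e.g. `scan_wp_indicators /var/www/html` and `vars_php_backdoored /var/www/html`. A hit on either check is the trigger for steps 3 to 5 above; an empty scan does not prove the site is clean, since the dropper deletes itself, so keep the core-file integrity comparison as well.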

in Software,   Web Service,   Security, Posted by log1h_ik