Researchers have found a fake WordPress plugin targeting WordPress sites. It is called WP-Base-SEO and is a forgery of the legitimate search engine optimisation plugin WordPress SEO Tools, the security firm SiteLock said.
According to SiteLock, at first glance the file appears legitimate, complete with documentation of how it works and a reference to the WordPress plugin database. A closer look, however, reveals the plugin's malicious intent: a PHP eval request whose code is base64 encoded.
eval is a PHP function that executes arbitrary PHP code and is frequently used for malicious purposes. It has been abused so much that php.net recommends against using it.
This malicious WP-Base-SEO plugin's directory holds two files. One is wp-sep.php, which uses different function and variable names depending on the install. The second is wp-seo-main.php, which uses native WordPress hook functionality to attach the above-mentioned eval request to the header of the website's theme.
With that in place the attackers have back-door access and can make the affected sites do whatever they want.
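As an added illustration, not code from SiteLock's report or from the plugin itself: a small Python scanner that walks a plugins directory and flags PHP files combining an eval() over a decoding function with a WordPress hook, which is the pattern described above. The two sample plugin files, their function names and the base64 payload are all constructed for this example and are not the real plugin's code.

```python
"""Added example (not SiteLock's code): scan a WordPress plugins directory for
PHP files that run eval() over base64-decoded text and attach code via hooks."""
import base64
import re
import tempfile
from pathlib import Path

# eval() wrapped around a decoder: the obfuscation pattern the article describes.
EVAL_DECODER = re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)
# A long quoted base64 literal, so the analyst can preview what would be executed.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
# Hooks that fire on every page load or when the theme header is rendered.
WP_HOOK = re.compile(
    r"add_(?:action|filter)\s*\(\s*['\"](wp_head|init|wp_footer|template_redirect)['\"]", re.I
)


def scan_source(src: str) -> dict:
    """Return findings for one PHP source string."""
    findings = {
        "obfuscated_eval": bool(EVAL_DECODER.search(src)),
        "hooks": sorted(set(WP_HOOK.findall(src))),
        "decoded_preview": None,
    }
    if findings["obfuscated_eval"]:
        m = B64_LITERAL.search(src)
        if m:
            try:
                raw = base64.b64decode(m.group(1), validate=True)
                findings["decoded_preview"] = raw.decode("utf-8", "replace")[:80]
            except ValueError:  # not valid base64 after all; leave the preview empty
                pass
    # eval over decoded text is the trigger; the hooks show how it gets invoked.
    findings["suspicious"] = findings["obfuscated_eval"]
    return findings


def scan_plugins_dir(root: Path) -> dict:
    """Map each suspicious PHP file (path relative to root) to its findings."""
    hits = {}
    for php in sorted(root.rglob("*.php")):
        result = scan_source(php.read_text(errors="replace"))
        if result["suspicious"]:
            hits[php.relative_to(root).as_posix()] = result
    return hits


# --- constructed samples (not the real plugin's code) ---
PAYLOAD_B64 = base64.b64encode(b"echo 'constructed sample payload';").decode()
FAKE_SAMPLE = (
    "<?php\n"
    "/* Plugin Name: WP-Base-SEO (constructed sample mimicking the description) */\n"
    "function wpbs_init() { eval(base64_decode(\"" + PAYLOAD_B64 + "\")); }\n"
    "add_action('wp_head', 'wpbs_init');\n"
)
BENIGN_SAMPLE = (
    "<?php\n"
    "/* Plugin Name: Constructed benign sample */\n"
    "function cs_title($t) { return esc_html($t); }\n"
    "add_filter('the_title', 'cs_title');\n"
)


def demo() -> dict:
    """Write the two samples into a temporary plugins tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-base-seo").mkdir()
        (root / "wp-base-seo" / "wp-seo-main.php").write_text(FAKE_SAMPLE)
        (root / "benign-plugin").mkdir()
        (root / "benign-plugin" / "benign.php").write_text(BENIGN_SAMPLE)
        return scan_plugins_dir(root)


if __name__ == "__main__":
    for path, found in demo().items():
        print(path, found["hooks"], repr(found["decoded_preview"]))
```

Point scan_plugins_dir at a real /wp-content/plugins directory to triage it; the decoded preview is there so an analyst can see what the eval would run without executing it, and the hook list shows whether the code is wired to fire on every page load, as SiteLock observed for some versions.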
“Some versions include an additional hook that runs after each page load. This means that anytime the theme is loaded in a browser, the request is initialized,” SiteLock notes in its report.
You Can’t See It
Researchers have found many sites infected by this malware, but searching for the plugin name on the Internet reveals no information, which suggests that the malware had gone completely undetected until now.
“If you find a suspicious plugin in your /wp-content/plugins directory, it is best to delete the entire folder and reinstall a clean version of the plugin either in the WordPress admin dashboard or by downloading it directly from WordPress.org,” researchers conclude.