Linux Malware Targeting WordPress Websites
According to Doctor Web, a new Linux malware has surfaced online, actively targeting WordPress websites. Identified as Linux.BackDoor.WordPressExploit.1, the malware targets both 32-bit and 64-bit Linux versions.
As the name suggests, the malware serves as a backdoor through which attackers gain access to the target sites. It exploits 30 vulnerabilities across various WordPress plugins and themes to infiltrate a website, so WordPress sites running any of the vulnerable plugins are at risk of this backdoor infection. These include:
- WP Live Chat Support Plugin
- WordPress – Yuzo Related Posts
- WP GDPR Compliance Plugin
- Yellow Pencil Visual Theme Customizer Plugin
- Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
- Google Code Inserter
- Total Donations Plugin
- Thim Core
- Post Custom Templates Lite
- WP Quick Booking Manager
- Blog Designer WordPress Plugin
- Facebook Live Chat by Zotabox
- WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
- WordPress ND Shortcodes For Visual Composer
- WP-Matomo Integration (WP-Piwik)
- WP Live Chat
- Coming Soon Page and Maintenance Mode
Besides attacking the site, the attackers may command the malware to pause action logging, switch to standby mode, or even shut down.
Doctor Web also highlighted another variant, Linux.BackDoor.WordPressExploit.2, that exploits additional vulnerabilities in the following plugins:
- WordPress Coming Soon Page
- Brizy WordPress Plugin
- FV Flowplayer Video Player
- WordPress theme OneTone
- Simple Fields WordPress Plugin
- Poll, Survey, Form & Quiz Maker by OpinionStage
- WordPress Delucks SEO plugin
- Social Metrics Tracker
- Rich Reviews plugin
- WPeMatico RSS Feed Fetcher
Watch Out for This Malware
Elaborating on the details in their post, the Doctor Web team has urged all WordPress admins to remain vigilant regarding their sites' security. Specifically, users must keep their sites up to date with the latest theme, plugin, and CMS versions.
Moreover, this backdoor can also hijack websites' admin accounts, which means infected websites may remain compromised even after updating to the patched theme/plugin versions. Hence, users must set strong login credentials for all associated user accounts.
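A practical first step for an administrator is an inventory check: which of the plugins named in the Doctor Web report are actually installed? The script below is an added example (not Doctor Web's code and not part of the original article). It parses the standard WordPress plugin file header (the `Plugin Name:` and `Version:` lines in the leading comment block, which WordPress itself reads from the first 8 KiB of the file) and flags any plugin whose name matches the report's list. The three sample plugin files are constructed for the demo, including their version numbers; `scan_plugins_dir` is a hypothetical helper for running the same check against a real `wp-content/plugins` directory.

```python
"""Flag installed WordPress plugins whose names appear in the Doctor Web list
of plugins targeted by Linux.BackDoor.WordPressExploit.1 and .2.

Added example, not Doctor Web's code. Sample plugin headers are constructed.
"""
import re
from pathlib import Path

# Plugin names as listed in the Doctor Web report (both variants).
TARGETED_PLUGIN_NAMES = [
    "WP Live Chat Support", "Yuzo Related Posts", "WP GDPR Compliance",
    "Yellow Pencil Visual Theme Customizer", "Google Code Inserter",
    "Total Donations", "Thim Core", "Post Custom Templates Lite",
    "WP Quick Booking Manager", "Blog Designer", "Facebook Live Chat by Zotabox",
    "Ultimate FAQ", "ND Shortcodes For Visual Composer", "WP-Matomo Integration",
    "WP Live Chat", "Coming Soon Page and Maintenance Mode",
    "Coming Soon Page", "Brizy", "FV Flowplayer Video Player", "Simple Fields",
    "Poll, Survey, Form & Quiz Maker by OpinionStage", "Delucks SEO",
    "Social Metrics Tracker", "Rich Reviews", "WPeMatico RSS Feed Fetcher",
]

# WordPress reads "Key: value" lines from the plugin's leading comment block;
# the optional leading "*" covers the "/** ... * Key: value" docblock style.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)

# Constructed sample files keyed by their path under wp-content/plugins.
SAMPLE_PLUGINS = {
    "wp-gdpr-compliance/wp-gdpr-compliance.php":
        "<?php\n/*\nPlugin Name: WP GDPR Compliance\nVersion: 1.2.3\n*/\n",
    "akismet/akismet.php":
        "<?php\n/**\n * Plugin Name: Akismet Anti-spam: Spam Protection\n * Version: 5.0\n */\n",
    "wp-piwik/wp-piwik.php":
        "<?php\n/*\nPlugin Name: WP-Matomo Integration (WP-Piwik)\nVersion: 1.0.0\n*/\n",
}


def normalize(name):
    """Lower-case and collapse punctuation so 'WP-Matomo' and 'wp matomo' compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()


def parse_plugin_header(source):
    """Return {'Plugin Name': ..., 'Version': ...} found in the first 8 KiB of a
    plugin file, mirroring the limit WordPress applies when reading headers."""
    found = {}
    for key, value in HEADER_RE.findall(source[:8192]):
        found.setdefault(key, value)  # first occurrence wins, as in WordPress
    return found


def matches_targeted(plugin_name):
    """True when an installed plugin's name contains a name from the report.
    Substring matching deliberately over-flags (e.g. 'WP Live Chat' also hits
    'WP Live Chat Support'); the result is a triage list, not a verdict."""
    normalized = normalize(plugin_name)
    return any(normalize(target) in normalized for target in TARGETED_PLUGIN_NAMES)


def audit(plugins):
    """Return sorted [(path, plugin name, version)] for plugins on the report's list.
    `plugins` maps a file path to that file's source text."""
    flagged = []
    for path, source in plugins.items():
        header = parse_plugin_header(source)
        name = header.get("Plugin Name")
        if name and matches_targeted(name):
            flagged.append((path, name, header.get("Version", "unknown")))
    return sorted(flagged)


def scan_plugins_dir(plugins_dir):
    """Hypothetical helper: run audit() over every top-level .php file of each
    plugin directory under a real wp-content/plugins path."""
    sources = {}
    for php in Path(plugins_dir).glob("*/*.php"):
        sources[str(php)] = php.read_text(errors="replace")
    return audit(sources)


if __name__ == "__main__":
    for path, name, version in audit(SAMPLE_PLUGINS):
        print(f"REVIEW: {name} {version} ({path})")
```

A flagged plugin is a prompt to confirm the installed version against the vendor's advisory and update or remove it, not proof of compromise; and since the report notes the backdoor can also hijack admin accounts, a clean plugin inventory after updating should be followed by a review of administrator accounts and a credential reset.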
Let us know your thoughts in the comments.