Thousands of WordPress sites infected with malware PROTECT YOURSELF!

In the last few hours thousands of sites built with WordPress have been infected with a malware called visitorTracker_isMob, also known as VisitorTracker, which uses the infected websites as zombie servers to redirect traffic to a page with an exploit that tries to infect visitors' browsers, nothing less.

Although the malware is not new, it is in the last two days that it has become really active, as reported on Sucuri's blog. If you look at the following graph you will see that the increase in infected WordPress sites has been tremendous.

[Image: Sucuri VisitorTracker malware campaign graph]
What the malware does

What the malware does is inject code like this into the site:

function visitorTracker_isMob() {
    var ua = window.navigator.userAgent.toLowerCase();
    if (/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge|maemo|mi..|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc..|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g|nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(ua.substr(0,4))) {
        return true;
    }
    return false;
} /* .. visitorTracker .. */ /*

This code interacts with a second backdoor on the site that forces the browser to load a malicious iframe from pages where a Nuclear Exploit Kit is installed.

The effect, as you can see in the following screenshot from the server of the security company Coverity, which was hacked, is an iframe that loads and sends the browser to the exploit kit page, in this case on vovagandon.tk (it changes regularly).

[Screenshot: Nuclear EK iframe injected on the Coverity site]
How to identify the malware

Although the behaviour can vary, in many cases files called sample.php have appeared in practically every directory of the installation.

In any case, the safest thing is to always have a plugin active that permanently scans for changes, such as Wordfence, or to check your site with an online scanner like this one.

How to get rid of the malware

As with any other malware infection, you have to perform a total cleanup of your site, going through these steps:

  1. Update WordPress to the latest version from the official site. Upload all files and folders except /wp-content/.
  2. Delete all plugins, including paid ones, and install new, clean versions.
  3. Delete all files that are not part of the WordPress installation and whose origin you have not clearly identified.
  4. Check the uploads folder and its subfolders and delete any PHP file you find.
  5. Delete all themes, active or not, including paid ones, and upload a new clean version of them, especially the active one.
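The checks in steps 3 and 4, and the sample.php indicator mentioned above, can be scripted. The following is an added example and not code from the original post or from Sucuri: it walks a WordPress tree and reports files named sample.php, PHP files under wp-content/uploads (a folder that should only ever hold media), and any file containing the injected visitorTracker_isMob function. The fixture it builds is constructed for the demonstration; the file names and paths inside it are made up.

```python
import os
import tempfile

# Added example, not code from the original post. Three indicators from the article:
# sample.php files, PHP under wp-content/uploads, and the visitorTracker_isMob marker.

INDICATOR = b"visitorTracker_isMob"
PHP_EXTS = (".php", ".phtml", ".php5", ".php7")
TEXT_EXTS = PHP_EXTS + (".js", ".html", ".htm")


def scan_install(root):
    """Walk a WordPress tree and return {indicator: [paths]}."""
    findings = {"sample_php": [], "php_in_uploads": [], "visitortracker": []}
    uploads = os.path.join(root, "wp-content", "uploads") + os.sep
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == "sample.php":
                findings["sample_php"].append(path)
            if path.startswith(uploads) and lower.endswith(PHP_EXTS):
                findings["php_in_uploads"].append(path)
            if lower.endswith(TEXT_EXTS):
                try:
                    with open(path, "rb") as fh:
                        if INDICATOR in fh.read():
                            findings["visitortracker"].append(path)
                except OSError:
                    pass  # unreadable file: skip it rather than abort the whole scan
    return findings


def suspicious_paths(root):
    """Distinct paths flagged by any of the checks, sorted for stable reporting."""
    return sorted({p for paths in scan_install(root).values() for p in paths})


def make_fixture():
    """Constructed fake install: one planted indicator of each kind plus a benign file."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    theme = os.path.join(root, "wp-content", "themes", "twentyfifteen")
    uploads = os.path.join(root, "wp-content", "uploads", "2015", "09")
    os.makedirs(theme)
    os.makedirs(uploads)
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(theme, "index.php"), "w") as fh:                 # benign
        fh.write("<?php get_header(); ?>\n")
    with open(os.path.join(root, "wp-includes", "sample.php"), "w") as fh:  # indicator 1
        fh.write("<?php /* planted placeholder, not a real payload */ ?>\n")
    with open(os.path.join(uploads, "image.php"), "w") as fh:               # indicator 2
        fh.write("<?php /* planted placeholder, not a real payload */ ?>\n")
    with open(os.path.join(theme, "footer.php"), "w") as fh:                # indicator 3
        fh.write("<script>function visitorTracker_isMob(){return false;}</script>\n")
    return root


if __name__ == "__main__":
    import sys
    # Usage: python triage.py /path/to/wordpress   (no argument: scan the fixture)
    target = sys.argv[1] if len(sys.argv) > 1 else make_fixture()
    for kind, paths in scan_install(target).items():
        for p in paths:
            print(f"{kind:15s} {p}")
```

A hit from the third check is a strong signal, since the function name has no legitimate reason to appear in a theme or plugin; hits from the first two checks still need a look, because a badly behaved plugin can also drop PHP into uploads.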

How to protect myself against future malware injections

We have seen it many times already, but the rules are these:

  1. Keep WordPress updated always to the latest version.
  2. Keep the plugins and themes updated to the latest version.
  3. Use strong passwords. WordPress offers them to you; accept them and do not use your usual ones.
  4. Change the WordPress and FTP administrator passwords regularly.
  5. Do not use the default prefixes of the WordPress database.
  6. Protect WordPress against brute-force attacks.
  7. Protect WordPress against SQL injections.
  8. Follow step by step the guide to avoid WordPress malware.
  9. Install a good security and scanning plugin for WordPress .
  10. Subscribe to WordPress Help and check all security guides I publish .

NOTICE: This publication is two or more years old. If it is code or a plugin it might not work in the latest versions of WordPress, and if it is a news story it might be obsolete. So don't say we didn't warn you.


That may also help you:

SoakSoak malware infects tens of thousands of WordPress • WordPress Help

For hours it has been reported that there are tens of thousands of WordPress sites compromised by a malware infection known as SoakSoak.

Many users are finding out when Google's detection systems block access to their sites, but it is a warning to everyone.

What happens is that the attacker accesses the file wp-includes/template-loader.php and includes the following:

This causes the following to be added to the file wp-includes/js/swfobject.js:
This malware, when decoded, loads JavaScript malware from the domain SoakSoak.ru, specifically the file hXXp://soaksoak.ru/xteas/code.

If you are already infected, the emergency fix is to replace the compromised files with clean ones downloaded from WordPress.org, and then upload a full clean version of WordPress as well as of the plugins and themes.

Once that is done, install a security plugin such as Wordfence or whichever you prefer, as long as it has an integrated firewall and early detection of modified files.

Is WordPress really safer by changing the prefix of the database? • WordPress Help

One of the most common pieces of advice (mine too) about WordPress security is not to use the default WordPress prefix for database tables, but does this change really improve WordPress security?


Either at installation time or later (see the link in the previous paragraph), using a different prefix for the database tables is a basic WordPress security tip to avoid SQL injections.

As you already know, WordPress by default uses the prefix wp_tablename, but is it really a security improvement to use another one such as mistablas_nombretabla? Let's look at the arguments.

What is an SQL injection?


To begin with, it's good to know exactly what an SQL injection is. In summary, an SQL injection gives the attacker the possibility of injecting SQL code through some input path available to visitors (visible or not) that then gets executed by the database server, which in the case of WordPress would be the MySQL server where it is hosted.

For example, imagine that instead of entering an email address in a registration form, the attacker enters SQL code that lists all the records in the table wp_users, which is where all the data of a WordPress site's registered users is stored. Scary, isn't it?

If so, once the form is sent, instead of rejecting the SQL code the site runs it and the database server delivers the contents of the table wp_users to the attacker.

An SQL injection, that is, the execution of code through an input path into a site, is the typical result of a problem in the code of a form, a plugin, the theme or any other component of the WordPress installation. And it is almost always possible because the visitors' input has not been sanitized, so it allows the introduction of SQL code.

That's basically it. In a typical WordPress installation the attacker will also be able to write to the database, which is even more dangerous, as we will see later.

As with everything, there are many variants of possible SQL injections, some really elaborate, but it's good that you have an overview of how an SQL injection works, the impact it can have if carried out (reading or writing in the database) and, above all, how it can be avoided. Now let's see how this affects a typical WordPress installation and whether a change in the database prefix makes any difference when it comes to avoiding SQL injections. What do you think?
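The registration-form scenario above, played out in code. This is an added example, not code from the original post: it uses a constructed in-memory SQLite table named like the WordPress wp_users table (the logins, hashes and addresses are made up) and puts a handler that concatenates the form value into the SQL beside one that binds it as a parameter. In WordPress itself the parameterised form is what `$wpdb->prepare()` gives you.

```python
import sqlite3

# Added example, not code from the original post. Constructed wp_users table with two
# made-up accounts; the "email" the attacker submits is the classic always-true clause.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, "
        "user_pass TEXT, user_email TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_users (user_login, user_pass, user_email) VALUES (?, ?, ?)",
        [
            ("admin", "$P$B-constructed-hash-1", "admin@example.com"),
            ("editor", "$P$B-constructed-hash-2", "editor@example.com"),
        ],
    )
    return conn


def users_by_email_vulnerable(conn, email):
    """The form value is pasted into the SQL text, so the visitor's input becomes SQL."""
    sql = "SELECT user_login FROM wp_users WHERE user_email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def users_by_email_safe(conn, email):
    """Parameterised query: the form value is bound as data and can only be compared."""
    sql = "SELECT user_login FROM wp_users WHERE user_email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


# What the attacker types into the email field. In the vulnerable handler the WHERE
# clause becomes   user_email = '' OR '1'='1'   and every row of wp_users comes back.
# (sqlite3's execute() runs one statement only, so the "write to the database" case
# the article mentions is not reproduced by this toy; MySQL drivers that allow stacked
# statements would be exposed to it through the same concatenation.)
INJECTED_EMAIL = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("legit address, vulnerable handler:", users_by_email_vulnerable(db, "admin@example.com"))
    print("injected value, vulnerable handler:", users_by_email_vulnerable(db, INJECTED_EMAIL))
    print("injected value, safe handler:      ", users_by_email_safe(db, INJECTED_EMAIL))
```

The difference to take away is not the quoting: the safe handler never builds SQL text from the input at all, so no escaping of the value can be forgotten or bypassed.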

Names and tables in the database of WordPress

We have already seen on several occasions which tables make up the WordPress database and what each one is for, but a fresh review never hurts, and for what we are talking about today a reminder comes in handy. Basically, WordPress installs 11 tables by default that, unless you change it, will have the prefix wp_, so if you have not made any changes they will be:

  • wp_commentmeta
  • wp_comments
  • wp_links
  • wp_options
  • wp_postmeta
  • wp_posts
  • wp_terms
  • wp_term_relationships
  • wp_term_taxonomy
  • wp_usermeta
  • wp_users

If you understand some English, just by looking at the names of the tables you can easily guess what is stored in each one. For example, it is easy to imagine that comments are stored in the table wp_comments, or that wp_options is where the settings are, right?

Exploiting an SQL injection in WordPress


Let's go into the realms of Mordor, so choose your best weapon and trust the fellowship of the ring (or the WordPress community), hehe.

Imagine that one of the plugins installed in your WordPress is vulnerable to an SQL injection, something not uncommon: it is the most frequent source of vulnerabilities. An attacker who has it in for you would first scan your WordPress installation with tools like WPScan to get the list of plugins you have installed, even those that are disabled. If, looking at the list, he detects that one of them is vulnerable to SQL injection, he already has half the work done, if not most of it.

The next thing he would do is exploit the SQL injection by executing code like the following, the usual statements to manually create an administrator in the WordPress database, nothing less:

What does that code do? Nothing more and nothing less than let the attacker create a WordPress user with administrator privileges on your website, which immediately gives him access to your WordPress dashboard with full rights.

On other occasions the attacker not only creates a new admin user but also changes the current password and, by the way, leaves you without access, a symptom that by the time you notice it, it is late to react.

Why can the attacker create an administrator?

Knowing in advance that your website is made with WordPress and that it is vulnerable to SQL injection because of some vulnerable plugin or whatever else, the attacker only needs basic knowledge of the WordPress database layout, something fully documented on the WordPress.org website itself.

Guessing database table names

If the prefix of the WordPress database on the site is the default one, that is wp_, the attacker can easily execute code and read or write information in the tables.

If you change the prefix of the WordPress database, for example to MordorX25_, the attacker cannot read or write in the database so easily, since he does not know the names of the tables. This is true even if the SQL injection has been carried out and the code is exploitable, because it has no effect when it does not find a target to act on.

Yes, changing the prefix of the WordPress database tables improves WordPress security

The (good) idea of changing the prefix of the WordPress database tables is old, in fact it dates from the first versions of WordPress, to avoid SQL injections that could create users and inject spam or malware. The only way to stop them quickly was to change the default names of the tables.

Does this mean that I'm safe just by changing the prefix of the WordPress database tables?

Of course not. Changing the prefix of the tables in the WordPress database is a very good security measure, and it stops countless attacks on the database, but it's not the only way they can get into your site.

Most of the time the culprits of a WordPress attack are badly programmed or outdated plugins, but the reality is that access to a WordPress installation can be obtained in other ways, for example through social engineering, stealing passwords or any other method you can imagine. Everything will depend on the interest your site arouses in potential attackers, and with the plague of spammers that invades us, nobody is 100% safe.

So, in addition to changing the prefix of the tables in the database, apply these 15 rules for a bomb-proof WordPress and you'll be happier.


Massive attack of "malware" to WordPress sites

A couple of days ago an attack began, directed mainly against sites created with WordPress, whose intention is to break into the infected websites and inject spam into them.

Does your WordPress fall into any of the previous points? If you meet conditions 2 and 3, hurry up and fix it before receiving attacks that you could easily avoid.

It tries to infect WordPress installation files, either from the core or from plugins and themes, and an easy way to detect it is the visible errors displayed instead of the site, such as...

Parse error: syntax error, unexpected ')' in /home/user/public_html/site/wp-config.php on line 91

Well, the solution is not comfortable but it's simple: reinstall a clean version of WordPress and of all the plugins and themes that could be affected, as well as the WordPress configuration files.

WordPress hacked with the XSS UTF-7 • WordPress Help


Today Jorge warned me that his site had been hacked by a really strange method, which replaced the "title" code of his WordPress with a really cryptic text string and, incidentally, had changed the encoding of the site to UTF-7, among other niceties.

After the initial scare, and a few searches and calls to his hosting provider, we have been working out the problem and the solution.

The visible part of the hack may vary, and in this Google search you have several possible examples of how your website may be "tuned" once it is at the mercy of hackers, but the worrying thing was the change of encoding, which pointed to bigger problems.

Well, looking here and there, Jorge found more than one WordPress user it had happened to, like this one or this other one, where there was already an analysis of where the shots might be coming from. And the culprit seems to be an Apache XSS vulnerability that would allow the encoding to be changed, which is what they were pointing at in WordPress Answers.

The fact is that this is causing quite a debate in the Unix and Apache forums, because some say the problem is Internet Explorer, but the reality is that the site gets hacked, whichever way you put it.

The vulnerability would be something like this:

    1. Someone sends a comment with text of the form +ADw-script+AD4-alert(+ACI-Hello+ACI-)+ADw-/script+AD4- and it passes any validation.
    2. The database expects all incoming data to be UTF-8 and treats it as such. And since UTF-7 strings are also valid UTF-8, this causes no SQL error, and neither mysql_real_escape nor htmlspecialchars will do anything about it.
    3. WordPress sends a header text/html;charset=utf-7.
    4. WordPress shows the comment as expected, but since the browser treats it as UTF-7, the JavaScript is executed.

The fact is that most browsers do not support UTF-7, so they will show the string as UTF-8 or Windows-1252, but the reality is that the possibility of someone hacking a site by getting code executed this way is there.
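The four steps above in code, as an added example that is not part of the original post. It models the comment rendering in a few lines: the comment text is the one quoted in the steps, the escaping stands in for htmlspecialchars, and the page bytes are then decoded the way a browser honouring the Content-Type charset would. The bytes sent are identical in both runs; only the declared charset changes what the browser sees. A small input check closes the example: it flags text that gains HTML-significant characters only when read as UTF-7, which is the property the escaping step cannot see. The function names are my own.

```python
import html

# Added example, not code from the original post. The comment text is the one quoted
# in the write-up; the rendering below is a simplified model of the template step.

UTF7_COMMENT = "+ADw-script+AD4-alert(+ACI-Hello+ACI-)+ADw-/script+AD4-"


def escape_for_html(text):
    """Server-side escaping as htmlspecialchars would do it, working on the UTF-8 view."""
    return html.escape(text, quote=True)


def render_comment(comment, charset):
    """Escape the comment, emit the page, then decode the bytes the way a browser
    honouring the declared charset would. Same bytes in both cases; only the
    charset the server advertises differs."""
    body = escape_for_html(comment).encode("utf-8")
    return body.decode(charset)


def utf7_smuggles_markup(text):
    """Cheap input check: does the text contain HTML-significant characters only
    after UTF-7 decoding? Plain text with no shift sequences decodes to itself."""
    special = set('<>"\'&')
    try:
        decoded = text.encode("ascii").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return False  # non-ASCII or malformed: cannot be a pure UTF-7 smuggle
    return bool(special & set(decoded)) and not (special & set(text))


if __name__ == "__main__":
    print("escaped text contains '<'?", "<" in escape_for_html(UTF7_COMMENT))   # False
    print("browser told utf-8 :", render_comment(UTF7_COMMENT, "utf-8"))
    print("browser told utf-7 :", render_comment(UTF7_COMMENT, "utf-7"))
    print("input check flags it:", utf7_smuggles_markup(UTF7_COMMENT))
```

With the charset declared as utf-8 the visitor sees the odd-looking string and nothing runs; with utf-7 the same bytes become a script element. That is why step 3 is the one that matters: keeping the response charset fixed at UTF-8 (and not letting stored data or an upstream change alter it) is the real control, and the input check is only a second line of defence.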

Is there a solution?

Well, thankfully yes, and the first one, and I have lost count of how many times I have warned you, is to keep WordPress updated. Jorge's problem only happened on the one WordPress he had not updated to the latest version, so now you know.

What does not fix the problem is changing the encoding in the database back to UTF-8, because you still would not know where it came from, so I refer you to the previous sentence: look for an un-updated WordPress, yours or a hosting neighbour's (that's the bad part).

Once there, restore a recent backup and install the latest version from scratch to make sure the site is clean of any code that could have been injected using JavaScript. Follow the routine to protect WordPress from malware.

On the Apache side, to be on the safe side, there are several settings that can be made, so talk to your provider to make sure.

And that's all; perhaps Jorge will tell us how the matter has gone and point out some more details, or you yourself if it has happened to you and you have reached better conclusions about this problem. I thought it important to share his problem and the solutions found so that you are warned and take countermeasures.


Protect WordPress against SQL injections • WordPress Help

If you are suffering occasional (or frequent) SQL injections in your WordPress that put scripts in your theme files or even in WordPress installation files, you can, and should, protect WordPress against this type of intrusion, which is really dangerous.

My advice to avoid this type of attack, which is more and more frequent, would be to follow these steps:

WordPress security suite

Lately, along with the growing popularity of WordPress, there are more and more disreputable people trying to inject malware and other types of malicious software into WordPress installations, which somehow certifies the coming of age of this CMS and, consequently, everyone's interest in it, with good and bad intentions.

Actually, keeping a WordPress safe is relatively easy; you just have to follow some WordPress security advice, but it never hurts to help yourself with tools, and the more powerful the better.

Well, what I'm going to present to you here today is, to date, the best I've seen for securing a WordPress installation.

I'm talking about the best WordPress security plugin I've ever known, with which I have been running tests for almost a month, with some really remarkable results.

I am referring to Wordfence Security, a complete security suite for WordPress at a fully corporate level of professionalism, with nothing to envy tools that cost thousands of euros.

The best thing is that the free version is really complete, although the best option is the Pro pack for only $17.95 a year per site, which is no money at all if we care about our website.

But hey, it's best to make a list of features, and I'll point out which pack covers each one:

  • Real-time traffic view that shows when search engine bots (and others) visit, with the ability to filter by users, IPs and more – Free
  • File scan of the WordPress installation looking for infections. If it finds differences, it offers links to view the differences in the code, edit the file or delete it, and if you want to ignore the alert, until new changes or always. You can also restore the original file from the official WordPress.org repository with one click (not recommended for non-English installations, because it compares them with the English version and, for example, in Spanish, it always detects localisation changes) – Free
  • Alert on non-standard files in the WordPress installation – Free
  • File scan of the WordPress theme looking for infections, offering the same options as above – Paid
  • Scan of plugins looking for infections, where you can also see changes, edit, etc. – Paid
  • Scan of comments looking for URLs listed as malware sites in blacklists – Free
  • Scan of files for known malware – Free
  • Scan of files containing malware and virus URLs – Free
  • Blocking of fake Googlebots and aggressive crawlers – Free
  • Scan of comments to block malware and phishing URLs – Free
  • Hiding the WordPress version – Free
  • Blocking of brute-force login attacks – Free
  • View of the main "content consumers" – Free
  • Hiding of username and password error messages on the WordPress login – Free
  • View of 404 "page not found" errors – Free
  • Check of available memory – Free
  • Scan and report of the software environment installed on the server – Free
  • Disk space monitoring – Free
  • Password strength check – Free
  • Scan for DNS changes – Free
  • Monitoring of dangerous IPs – Free
  • Integrated full firewall, easily configurable via rules – Free
  • Configurable email alerts – Free
  • Scheduled scans – Paid
  • Blocking of access to your site by country, with a customisable message or simply a redirect – Paid
  • Premium support – Paid

As you can see, with this security suite you can uninstall a good number of other security plugins, since it combines in a single piece of software the features of many others, whether login limiters, plugins to force strong passwords, and many more.

Another wonder is that you do not have to go crazy with the numerous settings it offers; to begin with you are offered a series of security configuration profiles to choose from:

  • Level 0: Disable all security options
  • Level 1: Light protection, only the basics
  • Level 2: Medium protection, adequate for most sites, and which works a treat without touching any setting
  • Level 3: High level of security, to use when an attack is known to be imminent
  • Level 4: Lockdown level, protects the site against attacks in progress, at the expense of inconvenience for some users
  • Custom level: activated only when you change some setting.

In short, totally recommendable, even in the free version, although the most recommended is the Pro pack, if only for the theme and plugin scanning, which makes it essential software for anyone responsible for a WordPress site.

Final note: if you cannot afford to pay for the Pro pack, you can complement what is missing from the free version of Wordfence with the plugin File Monitor Plus, which scans all the files of your installation on a schedule (plugins and themes included) and warns you by email when there are changes.


How to avoid malware in WordPress

The popularity of WordPress works against you in some respects. The fact that more and more companies use WordPress for their official websites, e-commerce platforms and corporate blogs makes our beloved WordPress the target of hacking attacks.

And the most common way hackers take control of a website is usually to introduce malware into the code so they can obtain administrative permissions and, with that, access all the data on the site for their own, usually fraudulent, uses.

I have already spoken on other occasions about some measures to secure WordPress, but today I want to make a list of the basics, as a reminder, to protect WordPress from malware.

And that's all. These tips are not all the possible ones, but they are useful for protecting WordPress from malware and other dangers.

If you know of any other protection measure, tell us in the comments and I'll add it to the list.

Injection of code in WordPress

Websense Security Labs have warned that there are more than 30,000 WordPress installations already infected by a Trojan that adds redirect code to the affected site.

The infected sites had outdated versions of WordPress, insecure passwords and vulnerable plugins.

After a chain of three redirects, victims land on a fake antivirus site. The fake antivirus scanner appears to scan the computer and warns the user by displaying false detections of various types of Trojans. The page looks like a Windows Explorer window, with the title "Windows Security Alert".

The fake scanning process looks like a Windows application, but it's actually a simple pop-up browser window. Then the fake antivirus asks the "visitor" to download and run an antivirus tool for the Trojans it has (supposedly) found. The executable itself is a Trojan, what did you expect?

Most of the infected sites are in the US, as you can see in this traffic chart:
And the visitors to the fake page already come from many countries, all English-speaking: