True or false: Technical Analysis of WordPress black hat SEO plug-in

True or false: Technical Analysis of WordPress black hat SEO plug-in

In Wordpress, malicious programs are usually hidden in Plug-ins or themes. They have different forms. Some send spam, some implant invisible links ...... However, the principles of such malware are well understood. They are nothing more than the functions required by the website administrator in the malicious plug-in. Then, the website administrator installs the software directly without rigorous confirmation.

Interesting black hat SEO plug-in

Just this week, I met a typical black hat SEO plug-in, and its implementation method is very interesting.

‍‍The core file of the malicious plug-in is under the root directory of the website. By using this file, hackers inject the following code into the Index. php file.‍‍

if ( file_exists( 'wp-core.php' ) ){ require_once( 'wp-core.php' ); }

Index. php injection like this looks very suspicious and also tells us that the wp-core.php is not installed because it will break through the Wordpress conventions.

Next, let's look at the wp-core.php file.

‍‍‍Analysis‍Wp-core.php files‍‍

The file contains more than 500 lines of code. In its comments, the plug-in was developed to protect Wordpress CMS from Brute-force attacks, in addition, 302 redirection is used for protection, and the first loading is required.

In the middle of the file, I found the "bootstrap" code.

First, he injects the Bruteforce protection code into the wp-login.php.

Add the onsubmit administrator to the logon form and set "antibot_ajax" cookies. Then, a code is added to check whether cookies are set. logon is not allowed if no cookies are set. In this way, it seems that the operation against robots has actually protected the user, without any malicious means.

Next, let's take a look at the "Auth 2nd level" code:

This looks even more suspicious. It injects a piece of encrypted code. We decrypted the code and were surprised to find that the code was normal. As the plug-in author said in the remarks at the beginning, this is the second verification. If the login name and password are valid, the user's email address will be retrieved from the WP database. The password will be replaced from the third character until the @ symbol location. Finally, the email address must be verified.

Therefore, even if the robot supports Javascript and cookies and is lucky enough to pass the first anti-bot protection, the second layer will fail because the second layer of protection requires mailbox verification. In this way, even if someone steals your Wordpress Password, you will not be able to log on if you do not confirm your mailbox.

After the user confirms the email address, there will be an additional setup step‍‍WP_FLV_EMAIL_CONFIRMED‍‍The cookie is set to save for 1000 days, so they do not need to perform email verification every time they log on.

The final "bootstrap" section contains the code that injects the wp-core.php into index. php (you can see at the beginning of the article ). It ensures that bruteforce protection is always available, and if the code in the wp-login.php is removed, it can fix it on its own.

If we forget to add functionality to Wordpress in unconventional ways, this code can indeed provide powerful protection mechanisms. Of course, this does not seem so perfect and does not play a major role in targeted attacks, especially when attackers understand this protection mechanism. However, it is undeniable that this protection mechanism will indeed solve unnecessary problems for webmasters. At least this protection mechanism can prevent 95% of automatic enumeration attacks.

After talking about it for a long time, is this plug-in really a rare outstanding plug-in? I will tell you that less than 500 lines of bootstrap Code are in the wp-core.php over 100 lines of code? So what is the remaining 80% code?

Malicious codes in wp-core.php‍‍

The remaining 80% codes are not protected.

For example, it can display all emails stored in the Wordpress database. If you do not need authorization, you can extract the email address, and the previous protection will become meaningless.

At the same time, an open redirector is installed. Now hackers can send spam to webmasters who use bruteforce protection, phishing, or redirect website visitors to a website specified by hackers.

Instance demo

‍‍The main function of the wp-core.php is to manage pharma-spam doorways. If a blog URL has its specific parameters (such as "th", such as http: // www. example. com /? Th = doryx + 150 mg + exclusi.pdf) then the wp-core.php will replace normal Blog content with junk content.
If visitors are not robots, they are from search engines. It will redirect to other websites through a separate keyword.

Before the redirection, the malicious plug-in sets a cookie with the same name as the URL parameter. In the next 100 days, if the same visitor opens the web page again, it will still jump to other pages.

If visitors do not have cookies, they are not from the search engine. In this way, the page accessed by the visitor will display a large amount of junk content.

The junk content is stored in the wp-admin/update-backup.db file.

Versatility

‍‍It must be mentioned that although this is a Wordpress plug-in, it can also run in other PHP sites. The only difference is that the WP-specific function cannot be used.

Summary

‍‍In short, this plug-in is really strange.‍‍It tries to target all types of PHP sites and inject itself into index. php. However, the main target is the Wordpress site.

This explains why it was named after the wp-core.php and not so conspicuous under the Wordpress root directory, but the file looks very dazzling under the website built by Joomla or vBulletin.

Wp-core.php files are easily vulnerable to security plug-ins by detecting and killing Wordpress core integrity. This plug-in package contains some features that can optimize Wordpress to attract the attention of users.

Finally, the Wordpress plug-in vulnerability is frequently reported recently. I hope you will carefully review the various plug-ins to avoid any mistakes.