
Linux Backdoor Malware Targets Outdated WordPress Themes and Plugins

Written By: Komal Bothra

Security firm Doctor Web has discovered a malicious Linux program that targets WordPress sites running outdated and vulnerable plugins and themes. The malware is designed to exploit 30 theme and plugin vulnerabilities to inject malicious JavaScript into websites, redirecting visitors to the attacker’s chosen website. It has been active for over three years and has been updated to target additional vulnerabilities. 

The malware targets 32-bit versions of Linux but can also run on 64-bit versions. There are two versions of the malware: Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2. The latter includes an updated server address for distributing the malicious JavaScript and an expanded list of exploited vulnerabilities. Doctor Web’s report speculates that attackers may have a long-term plan to retain administrative access even after users update to newer, patched versions of the compromised plugins.

Doctor Web has released a document containing indicators of compromise for the Linux backdoor malware infecting WordPress websites. The document includes hashes, IP addresses, and domains used by the malware in its attacks. Security professionals and WordPress administrators can use this information to detect and prevent further infections.
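As an added example (not from Doctor Web's report or the original article), the code below shows one way to apply domain and IP indicators to a page served by your site: it extracts the host of every `<script src>` tag and matches it against an indicator list, including subdomains. The `IOC_HOSTS` entries are placeholders, the sample page is constructed, and it assumes the injected script is loaded from a remote host; an inline injection needs a different check.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Placeholder indicators: substitute the domains and IPs from the IoC document.
IOC_HOSTS = {"ioc-domain.example", "203.0.113.7"}

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def host_of(src):
    """Return the lowercase host of a script URL, or None for relative paths."""
    # urlsplit also handles protocol-relative URLs such as //host/x.js.
    host = urlsplit(src).hostname
    return host.rstrip(".") if host else None

def matches_ioc(host, ioc_hosts=IOC_HOSTS):
    """True if host equals an indicator or is a subdomain of one."""
    return any(host == ioc or host.endswith("." + ioc) for ioc in ioc_hosts)

def find_injected_scripts(html, ioc_hosts=IOC_HOSTS):
    """Return (src, host) pairs for script tags that load from an indicator host."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    hits = []
    for src in collector.sources:
        host = host_of(src)
        if host and matches_ioc(host, ioc_hosts):
            hits.append((src, host))
    return hits

# Constructed sample page, not taken from a real infection.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.IOC-domain.example/lib.js"></script>
<script src="//203.0.113.7/a.js"></script>
<script src="https://notioc-domain.example/ok.js"></script>
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    for src, host in find_injected_scripts(SAMPLE_PAGE):
        print(f"indicator match: {host} <- {src}")
```

Run it against the HTML your site actually serves to visitors (for example, a saved copy of the rendered page) rather than only the theme files, since the indicator list describes where the browser is sent.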

To protect against this threat, it is essential for WordPress users to keep their themes and plugins up to date and to use strong, unique passwords. It is also a good idea to use a web application firewall and to regularly scan for malware.

If you suspect that your WordPress site has been compromised, it is essential to take immediate action to secure it and prevent further damage. This may include restoring the site from a backup and installing security measures to prevent future attacks.
