Hackers looking for infected WordPress websites

Investigating some interesting entries in log files from our customers, we see that hackers apparently are still looking for infected WordPress websites.

First we see this:

(IP address blanked to protect the infected) - - [28/Dec/2016:20:44:14 -0500] "GET / HTTP/1.1" 200 72904 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31"

The big tipoff here is the size recorded for that GET request: 72904. In the combined log format that field is the number of bytes in the response body, not the size of the request itself (a GET carries no body, and the log does not record request headers), so what this entry actually shows is that this request drew a response far larger than legitimate requests for the same home page ever had.

And then this:

(IP address blanked to protect the infected) - - [28/Dec/2016:20:44:16 -0500] "POST ///wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.1" 403 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31"

We captured these requests and compared them with the attacks on old, vulnerable versions of the MailPoet (wysija-newsletters) WordPress plugin: the POST above is the same theme-upload request those attacks use, and here it got a 403. From that we see that the hackers were doing open reconnaissance on WordPress sites. We say “open” because this site never had the MailPoet plugin installed.

(IP address blanked to protect the infected) - - [28/Dec/2016:20:44:17 -0500] "GET //wp-content/uploads/wysija/themes/Gassrini/herewgo.php HTTP/1.1" 404 45638 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31"

The tipoff here is the GET for a .php file under //wp-content/uploads/wysija/themes/. That directory is where the old, vulnerable MailPoet stored uploaded themes, and where the exploit’s bogus “theme” unpacked its PHP backdoor; the attacker fetches herewgo.php to find out whether the upload attempted in the previous request landed. The current MailPoet plugin no longer uses that path, and the 404 shows nothing is there. The MailPoet.com website gives the same indicator: “Open your FTP program or the File Manager from your host’s control panel and navigate to this path: wp-content/uploads/wysija/ If you see any .PHP files inside this folder (or any sub-folders), then it means your website was hacked.”
(IP address blanked to protect the infected) - - [28/Dec/2016:20:44:19 -0500] "GET //xGSx.php HTTP/1.1" 404 45488 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31"
The above is them testing whether a file they expected to have dropped at the web root exists. It returned 404, like the probe before it: the attack didn’t work.
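To show how this sequence looks when you search a whole log for it instead of reading entries by hand, here is a small log checker. It is an added example, not code from this post and not the detection logic of the wewatchyourwebsite.com service: it parses Apache/nginx combined-format lines, groups requests by client address, tags the pieces of the MailPoet probe chain (the POST to admin-post.php?page=wysija_campaigns&action=themes, a fetch of a .php file under wp-content/uploads/wysija/, and a .php probe at the web root), and separately flags any GET / whose response was far larger than a baseline you supply. The sample log lines are constructed to mirror the ones above, with documentation addresses in place of the real client; the baseline size, the allow-list of WordPress root entry points and the tag names are assumptions; and the rule that tags any .php under wp-content/uploads/ goes beyond the MailPoet case.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Apache/nginx "combined" format:
#   host ident user [time] "method path proto" status bytes "referer" "user-agent"
# The bytes field is the size of the response body, not of the request.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines modelled on the ones quoted in the post; the client
# addresses are documentation ranges, not the real attacker.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Dec/2016:20:44:14 -0500] "GET / HTTP/1.1" 200 72904 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/26.0.1410.63"
203.0.113.7 - - [28/Dec/2016:20:44:16 -0500] "POST ///wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.1" 403 - "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/26.0.1410.63"
203.0.113.7 - - [28/Dec/2016:20:44:17 -0500] "GET //wp-content/uploads/wysija/themes/Gassrini/herewgo.php HTTP/1.1" 404 45638 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/26.0.1410.63"
203.0.113.7 - - [28/Dec/2016:20:44:19 -0500] "GET //xGSx.php HTTP/1.1" 404 45488 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/26.0.1410.63"
198.51.100.9 - - [28/Dec/2016:20:50:01 -0500] "GET / HTTP/1.1" 200 31207 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/50.0"
198.51.100.9 - - [28/Dec/2016:20:50:03 -0500] "GET /wp-content/uploads/2016/12/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/50.0"
"""

# WordPress files legitimately requested at the web root (assumed allow-list).
ROOT_PHP_OK = {'/index.php', '/wp-login.php', '/xmlrpc.php', '/wp-cron.php',
               '/wp-comments-post.php', '/wp-trackback.php', '/wp-signup.php',
               '/wp-activate.php'}

def normalize_path(raw):
    """Split off the query string and collapse runs of slashes: the probes use
    '///wp-admin' and '//wp-content', which defeat naive prefix matching."""
    path, _, query = raw.partition('?')
    return re.sub(r'/{2,}', '/', path), parse_qs(query)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req['path'], req['query'] = normalize_path(req['path'])
    req['status'] = int(req['status'])
    req['bytes'] = 0 if req['bytes'] == '-' else int(req['bytes'])
    return req

def classify(req):
    """Tag a request that belongs to the MailPoet/wysija probe chain, else None."""
    path, q = req['path'], req['query']
    if (req['method'] == 'POST' and path == '/wp-admin/admin-post.php'
            and q.get('page') == ['wysija_campaigns'] and q.get('action') == ['themes']):
        return 'wysija_theme_upload'       # the old unauthenticated theme-upload hole
    if path.endswith('.php') and path.startswith('/wp-content/uploads/wysija/'):
        return 'wysija_backdoor_fetch'     # fetching the file the upload would have dropped
    if path.endswith('.php') and path.startswith('/wp-content/uploads/'):
        return 'uploads_php_fetch'         # generalization: no PHP belongs under uploads/
    if re.fullmatch(r'/[^/]+\.php', path) and path not in ROOT_PHP_OK:
        return 'root_php_probe'            # e.g. /xGSx.php: checking for a dropped file
    return None

def scan(log_text):
    """Group tagged requests by client. A 2xx on anything but the upload POST means
    the probed file really exists on disk: compromise, not just a probe."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        tag = classify(req)
        if tag:
            by_host[req['host']].append((tag, req['path'], req['status']))
    findings = {}
    for host, events in by_host.items():
        tags = {t for t, _, _ in events}
        findings[host] = {
            'probe_chain': {'wysija_theme_upload', 'wysija_backdoor_fetch'} <= tags,
            'served': [(p, s) for t, p, s in events
                       if t != 'wysija_theme_upload' and 200 <= s < 300],
            'events': events,
        }
    return findings

def oversized_home(log_text, baseline_bytes, factor=1.5):
    """Clients whose GET / drew a 200 response more than `factor` times a known-good
    size for this site (the baseline is an assumption; take it from a clean day's log)."""
    hits = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if (req and req['method'] == 'GET' and req['path'] == '/'
                and req['status'] == 200 and req['bytes'] > baseline_bytes * factor):
            hits.append((req['host'], req['bytes']))
    return hits
```

Run `scan(open('/var/log/apache2/access.log').read())` and look at two things per client: `probe_chain` tells you the MailPoet attack pattern was fired at the site, and a non-empty `served` list means a PHP file under uploads/ (or a stray .php at the root) actually answered with a 2xx, which is a compromise indicator rather than a probe. `oversized_home(log, baseline_bytes=31207)` reproduces the size anomaly from the first log entry above; the baseline is whatever your own clean logs show for the home page.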

All of this is to show that even when you think a previously infected WordPress website has been cleaned of all malware, the hackers will keep coming back to check whether it really has. The 403 on the POST and the 404s on the PHP probes are what a clean site looks like to them.
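Before taking a cleanup on faith, run the check MailPoet describes. The code below is an added example, not code from this post or from MailPoet: it walks wp-content/uploads/ of a WordPress install, lists every PHP file found there, and reports the ones under uploads/wysija/ separately, since no PHP belongs anywhere under uploads/ (that broader rule is the editor's generalization). The extension list and the build_sample_tree() helper, which lays out a constructed install in a temporary directory so the example runs without a real site, are assumptions.

```python
import os
import tempfile

UPLOADS = os.path.join('wp-content', 'uploads')
# Extensions PHP handlers commonly execute (assumed list; match your server config).
PHP_EXTS = ('.php', '.phtml', '.php3', '.php5', '.php7', '.phar')

def find_php_in_uploads(wp_root):
    """Relative paths (forward slashes) of every PHP file under wp-content/uploads/."""
    hits = []
    for dirpath, _, files in os.walk(os.path.join(wp_root, UPLOADS)):
        for name in files:
            if name.lower().endswith(PHP_EXTS):
                rel = os.path.relpath(os.path.join(dirpath, name), wp_root)
                hits.append(rel.replace(os.sep, '/'))
    return sorted(hits)

def wysija_hits(hits):
    """Subset matching MailPoet's own 'you were hacked' indicator."""
    return [h for h in hits if h.startswith('wp-content/uploads/wysija/')]

def build_sample_tree():
    """Constructed sample install in a temp dir: a real upload, a plugin file that
    is supposed to be PHP, and one dropped shell where the old exploit put them."""
    root = tempfile.mkdtemp()
    for rel in ('wp-content/uploads/2016/12/photo.jpg',
                'wp-content/uploads/wysija/themes/Gassrini/style.css',
                'wp-content/uploads/wysija/themes/Gassrini/herewgo.php',
                'wp-content/plugins/akismet/akismet.php'):
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, 'w').close()
    return root

if __name__ == '__main__':
    hits = find_php_in_uploads(build_sample_tree())
    print('PHP under uploads:', hits)
    print('MailPoet indicator:', wysija_hits(hits))
```

On a real site call `find_php_in_uploads('/var/www/html')` (or wherever wp-config.php lives). An empty list is the expected result; anything else needs to be looked at, and a hit under uploads/wysija/ is exactly the condition MailPoet calls a hack. Once the directory is clean, telling the web server not to execute PHP under wp-content/uploads/ at all removes the payoff of this upload-then-fetch pattern even if a future upload bug lets a file through.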

You may want to read about our methods of malware detection: https://wewatchyourwebsite.com/our-methods-for-finding-and-removing-website-malware/
I hope you check it out.
UPDATE:
Let me first say that the unnamed individual at White Fir Design and I go way back. We were both volunteers at badwarebusters.org, a site created to help people with their infected websites.
His lack of manners and business acumen existed back then as well; that person was suspended from the badwarebusters.org site for their lack of respect for others.
Apparently the unnamed individual at White Fir Design disagrees with our assessment in the above blog post.
They indicate that we never provide how a website was infected. It seems that this information is provided in the blog posts we create.
How interesting…
That unnamed individual further claims that we only “detect attacks and block them”, therefore their “experience with other products making similar claims is that they provide limited to no protection.” However it clearly states on our website that we find and remove malware as part of our service.
In the above blog post, we specify that the size of the GET request is what tipped us off to this being an open reconnaissance. We know this because previous, legitimate requests for this same home page were nowhere near that size, a fact that the unnamed individual at White Fir Design could not possibly have known.
The size of this request could mean that the attackers were including some sort of payload in their initial request. We don’t know for sure what was included in the request as log files don’t provide that level of granularity.
It is not the hacker trying to exploit a vulnerability that had existed in older versions of MailPoet as this particular website never had the MailPoet plugin. Never. How can a hacker try to exploit something that never existed? It was the same string as used to attack sites with that plugin, but this site never had that plugin.
That’s why we considered it an open reconnaissance. They were looking.
Our automated process is questioned too. If automation can’t remove malware, then how is it that all the anti-virus/anti-malware products for Windows and Apple computers work?
Just curious.
This person also doesn’t like the fact that we included a link to our methods of detection in the above blog post. Strange that it’s acceptable for them to provide links to other places on their website but not for us.
I felt it necessary to address these issues. That is all.