wysija-newsletters WordPress infection

infected wordpress websiteThis weekend (yes we work weekends) we saw an outbreak of VPS and dedicated servers infected by what appears to be a vulnerability in the wysija-newsletters (MailPoet) WordPress plugin.

This plugin was identified as vulnerable over 2 weeks ago and the authors have released a new version. If you’re reading this, then please, please, please, update your plugins immediately and set a reminder in your smartphone, your computer or anywhere and every where else, to check your WordPress and your plugins for updates every 3 days at a minimum.

Hosting accounts, whether the are VPS’s, dedicated servers for on a shared hosting account were hit.

Basically almost every .php file on an account was injected with code across the top of each file. In addition two files were uploaded as well. Usually we saw one license.php file and then another backdoor shell either in the wp-admin or wp-includes folders. Most of the license.php files we found were 201 bytes in size.

One other point of entry left by the hackers is an administrator user with no name. This user must be deleted and all plugins updated.

You’ll notice that all the original date/time stamps of the files are kept. This leads us to believe that the backdoor shell they’ve uploaded allows them to modify almost anything about a file.

The vulnerability allows hackers to bypass admin authentication in wysija-newsletters plugin and upload files. The hackers access those files remotely and start injecting their malicious payload into every .php file their program can find. This means that it will cross sub-domains on the same account.

The attacker will upload a file to: wp-content/uploads/wysija/themes and run it. Fortunately, our protection does not allow php files to be executed in the uploads folder – so even before this was discovered, many of our customers were already protected.

If you have a VPS or dedicated server with only one cPanel and all your sites under that, then basically every website is probably infected on your server. If you’re on a shared hosting account with multiple websites and one of them has the wysija-newsletters plugin (MailPoet), then chances are that all of your websites are infected.

We’ve been working feverishly to get this cleaned up, but some of the infections overwrite the existing file and they’re not always very good. Frequently we’ve have to replace plugins and/or themes because there is code missing from the file after the infection.