Whoa. I've just been hit with a nasty bit of #WordPress hacking.
A plugin which calls itself "Core Functionality" hiding in `/plugins/informative/testplugingodlike.php`
Seems to have added *thousands* of admin users to my sites.
Very odd and concerning. Not using multisite. Each has a different (normal) admin password. Some use MFA.
WTAF??
Looks like it pulls in a script from `94.156.79.8` and does a bunch of other shady shit.
I see it discussed at https://www.wordfence.com/blog/2024/06/an-inside-look-at-the-malware-and-techniques-used-in-the-wordpress-org-supply-chain-attack/
But I don't have any of those plugins.
On Monday June 24th, 2024 the Wordfence Threat Intelligence team was made aware of the presence of malware in the Social Warfare repository plugin (see post Supply Chain Attack on WordPress.org Plugins Leads to 5 Maliciously Compromised WordPress Plugins). After adding the malicious code to our Threat Intelligence Database and examining it, we quickly discovered ...Read More
I did have PowerPress (which is mentioned at https://www.wordfence.com/blog/2024/06/3-more-plugins-infected-in-wordpress-org-supply-chain-attack-due-to-compromised-developer-passwords/)
But that was only one site.
How did it hit the others?
Update #1: As of 12:36PM EST, another plugin has been infected. We’ve updated the list below to include this fourth plugin and the plugins team has been notified. Update #2: As of 2:20 PM EST, two more plugins appear to have malicious commits, however, the releases have not officially been made meaning no sites should ...Read More
If you've been hit, a quick way to find all the compromised plugins is:
grep -r --include="*.php" "94\.156\.79" .
That should show which files to delete.
Not really how I wanted to spend my evening TBQH!
This is what my #WordPress sites looked like last night.
There's no way to bulk delete this many users in the interface. I had to go into MySQL and do
`DELETE from wp_users WHERE ID > 1`
(Or whatever the highest ID is of legitimate users)
@Edent if you were hit by one thing, there’s every chance you got hit by another attacker too - I would beware of any one heuristic and (at minimum) diff your install off a clean download of Wordpress (and the plugins you use). Also check for running processes!
I’ve cleaned up a few of these messes in my time, and they’re always nasty - good luck
@popey All on the same host. But it is a managed service. I can only get in via SSH. So not sure how something would be able to execute a script to grab all the different DBs.
But it is late, so I'm probably missing something obvious!
Terence Eden
Jem
Kestral
Ernie Smith
Gabor Heja
Gaelan Steele
mastazi
Jay Holtslander
popey
lown
Dragon
Rob "Flack/Commodork" O'Hara