Whoa. I've just been hit with a nasty bit of #WordPress hacking.

A plugin which calls itself "Core Functionality" hiding in `/plugins/informative/testplugingodlike.php`

Seems to have added *thousands* of admin users to my sites.

Very odd and concerning. Not using multisite. Each has a different (normal) admin password. Some use MFA.

WTAF??

Looks like it pulls in a script from `94.156.79.8` and does a bunch of other shady shit.

I see it discussed at https://www.wordfence.com/blog/2024/06/an-inside-look-at-the-malware-and-techniques-used-in-the-wordpress-org-supply-chain-attack/

But I don't have any of those plugins.

I did have PowerPress (which is mentioned at https://www.wordfence.com/blog/2024/06/3-more-plugins-infected-in-wordpress-org-supply-chain-attack-due-to-compromised-developer-passwords/)

But that was only one site.

How did it hit the others?

@Edent Sorry to hear this news. All on the same physical host running under the www-data user account? Once it's in on one, it's got them all.

@popey All on the same host. But it is a managed service. I can only get in via SSH. So not sure how something would be able to execute a script to grab all the different DBs.

But it is late, so I'm probably missing something obvious!

@Edent @popey in the Wordfence article you linked first, they talk about a script which traverses up and down the directory tree, searching for all PHP CMS installations on the same machine. Maybe it's that?

@lown @Edent @popey Sounds like there's no isolation between sites :-/
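A defender-side sweep for the indicators named in this thread (the rogue file `testplugingodlike.php`, its claimed "Core Functionality" plugin name, and the `94.156.79.8` address), walking every `wp-content/plugins` directory under a host root, which is the same multi-site reach the traversal script mentioned above would have. This is an added example, not code from the thread or from Wordfence; the sample directory tree it builds is constructed, and the "header name does not match its directory" heuristic is an assumption, not a published detection rule.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators quoted in the thread above.
SUSPECT_FILENAME = "testplugingodlike.php"
SUSPECT_PLUGIN_NAME = "Core Functionality"
SUSPECT_IP = "94.156.79.8"

HEADER_RE = re.compile(r"Plugin Name:\s*(.+)", re.IGNORECASE)


def scan_plugin_file(path: Path):
    """Return a list of findings for one PHP file inside a plugins directory."""
    findings = []
    text = path.read_text(errors="replace")
    if path.name == SUSPECT_FILENAME:
        findings.append("known malicious filename")
    match = HEADER_RE.search(text)
    # Assumed heuristic: the rogue file sat in 'informative/' while claiming a
    # different plugin's name; a legitimate install normally matches its slug.
    if match and match.group(1).strip() == SUSPECT_PLUGIN_NAME \
            and path.parent.name != "core-functionality":
        findings.append(f"header claims '{SUSPECT_PLUGIN_NAME}' but lives in {path.parent.name}/")
    if SUSPECT_IP in text:
        findings.append(f"references remote address {SUSPECT_IP}")
    return findings


def scan_host(root):
    """Walk every wp-content/plugins dir below root: one host, many sites."""
    root = Path(root)
    results = {}
    for dirpath, _dirs, _files in os.walk(root):
        d = Path(dirpath)
        if d.name == "plugins" and d.parent.name == "wp-content":
            for php in sorted(d.rglob("*.php")):
                hits = scan_plugin_file(php)
                if hits:
                    results[str(php.relative_to(root))] = hits
    return results


def build_sample_host():
    """Constructed sample: two sites on one host, only site-b carries the rogue file."""
    root = Path(tempfile.mkdtemp())
    benign = root / "site-a/wp-content/plugins/example-plugin/example-plugin.php"
    benign.parent.mkdir(parents=True)
    benign.write_text("<?php\n/*\nPlugin Name: Example Plugin\n*/\n")
    rogue = root / "site-b/wp-content/plugins/informative" / SUSPECT_FILENAME
    rogue.parent.mkdir(parents=True)
    rogue.write_text("<?php\n/*\nPlugin Name: Core Functionality\n*/\n"
                     "// constructed stand-in: no payload, only the indicator string\n"
                     f"$remote = '{SUSPECT_IP}';\n")
    return root
```

Running `scan_host` over the real document root of a shared host (rather than the constructed tree) lists every site whose plugins directory carries these indicators, which is the first question the thread asks.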