Whoa. I've just been hit with a nasty bit of #WordPress hacking.

A plugin which calls itself "Core Functionality" hiding in `/plugins/informative/testplugingodlike.php`

Seems to have added *thousands* of admin users to my sites.

Very odd and concerning. Not using multisite. Each has a different (normal) admin password. Some use MFA.

WTAF??

Looks like it pulls in a script from `94.156.79.8` and does a bunch of other shady shit.

I see it discussed at https://www.wordfence.com/blog/2024/06/an-inside-look-at-the-malware-and-techniques-used-in-the-wordpress-org-supply-chain-attack/

But I don't have any of those plugins.

An Inside Look at The Malware and Techniques Used in the WordPress.org Supply Chain Attack

On Monday June 24th, 2024 the Wordfence Threat Intelligence team was made aware of the presence of malware in the Social Warfare repository plugin (see post Supply Chain Attack on WordPress.org Plugins Leads to 5 Maliciously Compromised WordPress Plugins). After adding the malicious code to our Threat Intelligence Database and examining it, we quickly discovered ...

I did have PowerPress (which is mentioned at https://www.wordfence.com/blog/2024/06/3-more-plugins-infected-in-wordpress-org-supply-chain-attack-due-to-compromised-developer-passwords/)

But that was only one site.

How did it hit the others?

3 More Plugins Infected in WordPress.org Supply Chain Attack Due to Compromised Developer Passwords

Update #1: As of 12:36PM EST, another plugin has been infected. We’ve updated the list below to include this fourth plugin and the plugins team has been notified. Update #2: As of 2:20 PM EST, two more plugins appear to have malicious commits, however, the releases have not officially been made meaning no sites should ...

This #WordPress hack is also hiding as `custom-mail-smtp-checker`
Urgh! And a fake `hello-world/xg.php` which is stealing WooCommerce info.

If you've been hit, a quick way to find all the compromised plugins is:

grep -r --include="*.php" "94\.156\.79" .

That should show which files to delete.

Not really how I wanted to spend my evening TBQH!
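An added example, not code from the thread above: a small POSIX sh script that turns the one-line grep into a repeatable scan of a plugins directory. It searches PHP files for the attacker IP quoted in the thread, checks for the three plugin paths named in the thread (`informative/testplugingodlike.php`, `custom-mail-smtp-checker`, `hello-world/xg.php`), and hashes the hits before anything is deleted. The directory layout, function names and sample files are assumptions. Note that a literal grep for the IP only finds files that embed the address unobfuscated, so the path check is a second signal, and an empty result is not a clean bill of health.

```shell
#!/bin/sh
# Added example, not from the original thread. Scans a WordPress plugins
# directory for the indicators quoted in the thread: the attacker IP
# 94.156.79.8 embedded in PHP files, and the three plugin paths named there.
# Directory layout and function names are assumptions.

IOC_IP_RE='94\.156\.79\.8'

# Plugin paths named in the thread, relative to wp-content/plugins.
IOC_PATHS='informative/testplugingodlike.php
custom-mail-smtp-checker
hello-world/xg.php'

# Print every PHP file under $1 whose contents reference the attacker IP.
# Only files embedding the address as a literal string are found; an
# obfuscated or base64-wrapped copy is missed, so "no hits" is not proof.
find_ioc_files() {
    grep -rl --include='*.php' -e "$IOC_IP_RE" "$1" 2>/dev/null | sort
    return 0
}

# Print each known-bad plugin path from the thread that exists under $1.
find_ioc_paths() {
    printf '%s\n' "$IOC_PATHS" | while IFS= read -r p; do
        if [ -e "$1/$p" ]; then
            printf '%s\n' "$1/$p"
        fi
    done
}

# Record SHA-256 hashes of suspect files (one path per line on stdin) before
# deleting them, so there is evidence to compare against published indicators.
hash_suspects() {
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum "$f"
        else
            shasum -a 256 "$f"
        fi
    done
}

# Usage (from the WordPress root):
#   find_ioc_files wp-content/plugins | hash_suspects
#   find_ioc_paths wp-content/plugins
```

Run both functions against every site, not just the one that had PowerPress: the thread's point is that the same backdoor turned up under several plugin names, so a hit list per site is what you want before deleting anything.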

This is what my #WordPress sites looked like last night.

There's no way to bulk delete this many users in the interface. I had to go into MySQL and do
`DELETE from wp_users WHERE ID > 1`
(Or whatever the highest ID is of legitimate users)
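An added example, not from the thread: a POSIX sh helper that builds the cleanup SQL with an explicit allow-list of legitimate user IDs instead of an `ID > N` cut-off (which breaks if a real account was created after the injected ones), and that also removes the matching `wp_usermeta` rows, which the one-line `DELETE` leaves orphaned. The table prefix, the keep-list and the function names are assumptions supplied by the caller; review the `SELECT` output before running the `DELETE`s.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates SQL to remove every
# WordPress user not on an explicit keep-list, together with their usermeta
# rows. Table prefix ($1) and keep-list ($2, e.g. "1,2,7") are assumptions
# supplied by the caller.

# Accept only a comma-separated list of positive integers, so nothing else
# can end up interpolated into the SQL.
valid_id_list() {
    printf '%s' "$1" | grep -Eq '^[0-9]+(,[0-9]+)*$'
}

# SQL to review what would be deleted. Run this first and read the output:
# user_registered makes a burst of injected accounts easy to spot.
review_sql() {
    prefix=$1; keep=$2
    valid_id_list "$keep" || return 1
    printf 'SELECT ID, user_login, user_email, user_registered FROM %susers WHERE ID NOT IN (%s) ORDER BY ID;\n' "$prefix" "$keep"
}

# SQL that removes every user not on the keep-list, plus their usermeta
# rows (capabilities, session tokens), inside one transaction so a mistake
# can be rolled back before COMMIT.
cleanup_sql() {
    prefix=$1; keep=$2
    valid_id_list "$keep" || return 1
    printf 'START TRANSACTION;\n'
    printf 'DELETE FROM %susermeta WHERE user_id NOT IN (%s);\n' "$prefix" "$keep"
    printf 'DELETE FROM %susers WHERE ID NOT IN (%s);\n' "$prefix" "$keep"
    printf 'COMMIT;\n'
}

# Usage:
#   review_sql wp_ 1,2 | mysql -u root -p wordpress
#   cleanup_sql wp_ 1,2 | mysql -u root -p wordpress
```

Take a database dump before running the cleanup, and check `wp-config.php` for the real table prefix rather than assuming `wp_`; the keep-list should be every account you can personally vouch for, including non-admin ones such as subscribers or shop customers.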

@Edent Goddamn I’m sorry you had to deal with that
@ernie made for an "exciting" midnight adventure...