This section describes malware that delivers malicious code to WordPress through cookies.
Hackers send malicious code to servers in more ways than just $_POST and $_GET
The most common way to send information to a server is through the $_POST or $_GET superglobal.
Sample server-side code that receives data via $_POST is shown below.
$data = $_POST['data'];
However, some recent malware has appeared that instead uses the $_COOKIE superglobal to deliver malicious code to the server.
$_COOKIE is one of PHP's superglobals, which hold values across pages; cookies were originally intended to hold temporary data on the browser side, such as a user's cart on an e-commerce site. However, an attacker can also write arbitrary data into a cookie, and a server-side script can then read it from $_COOKIE and execute it.
Malware that uses a cookie as its channel for delivering illegal data has the structure shown in the figure below.
First, $_COOKIE[36 -35] is checked to see whether malware code is present in the transmitted data.
An index such as 36 -35 (which evaluates to 1, i.e. $_COOKIE[1]) is used instead of a plain key in order to avoid detection of the malware.
If malware code is found in $_COOKIE[36 -35], the code is written out to a file with fputs(), loaded so that it resides in the server's memory, and finally the physical file is deleted with unlink() to remove the malware from disk.
Why would a hacker send malicious code via $_COOKIE, and how can server-side execution via $_COOKIE be stopped?
The reason hackers send malicious code via $_COOKIE is probably to ensure that the code is executed on the server side while bypassing inspection of the data sent via $_POST and $_GET.
To stop execution of such malicious code delivered via a cookie, the backdoor program that receives it and carries out the malicious activity on the server side must be detected and removed.
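As an added example (not code from the original post, nor from the plugin it mentions), the following Python scanner looks for the indicators described above in PHP files: a $_COOKIE read whose index is numeric or arithmetic rather than a plain cookie name, combined with a file-write or code-execution sink and an unlink() cleanup. The regexes, the verdict rule and the two fixture strings are my own assumptions, and the fixtures are constructed, not real malware.

```python
import re
from pathlib import Path

# Cookie read whose index is not a plain quoted name: numeric or arithmetic,
# e.g. $_COOKIE[36 -35] (== $_COOKIE[1]), the obfuscation the post describes.
OBFUSCATED_COOKIE = re.compile(r'''\$_COOKIE\s*\[\s*[^\]'"$]*?\d[^\]'"$]*\]''')
# Sinks that turn cookie data into a file on disk or into executable code,
# plus the cleanup call that removes the dropped file afterwards.
SINKS = {
    "write": re.compile(r"\b(fputs|fwrite|file_put_contents)\s*\("),
    "execute": re.compile(r"\b(include|include_once|require|require_once|eval)\b"),
    "cleanup": re.compile(r"\bunlink\s*\("),
}

def scan_source(src: str) -> dict:
    """Return which indicators one PHP source contains, plus a verdict."""
    found = {"cookie_obfuscated": bool(OBFUSCATED_COOKIE.search(src))}
    for name, rx in SINKS.items():
        found[name] = bool(rx.search(src))
    # Verdict (assumed rule): an obfuscated cookie read is already unusual;
    # together with a write or execute sink it matches the dropper structure.
    found["suspicious"] = found["cookie_obfuscated"] and (found["write"] or found["execute"])
    return found

def scan_tree(root: Path) -> list:
    """Walk a directory (e.g. wp-content) and list suspicious .php files."""
    hits = []
    for path in root.rglob("*.php"):
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        result = scan_source(text)
        if result["suspicious"]:
            hits.append((str(path), result))
    return hits

# Constructed fixtures (not real malware): the first carries only the indicator
# lines the post lists, the second is an ordinary cookie read a theme might do.
SUSPECT_FIXTURE = "<?php if (isset($_COOKIE[36 -35])) { fputs($h, $_COOKIE[36 -35]); unlink($p); }"
BENIGN_FIXTURE = "<?php $lang = $_COOKIE['site_lang'] ?? 'en';"

if __name__ == "__main__":
    import sys
    for hit_path, result in scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(hit_path, result)
```

Run it against a WordPress document root and review each hit by hand; the numeric-index rule is a heuristic, so a match is a lead for manual inspection rather than proof of compromise.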
These malicious backdoors can be detected and removed with the [Free] WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].
However, the plugin may not detect new malware whose pattern has not yet been added to its detection signatures.
We hope you find this information helpful.