As part of Imunify360’s proactive malware research activities, which identify malware on web servers, we recently found that a plugin named Adicionar Banco Inter ao WooCommerce from the WordPress repository contained active malware inside one of its source files.
We first identified the presence of malware in the plugin on 25/05/2021. It affected version 1.6.0 of the plugin, which was then the latest release. Upon checking, we found that the malicious code had been present in the plugin for four months, embedded in a file named thumbs.php under the directory /includes/plugins/phpqrcode/bindings.
The malicious code identified was a PHP-based tool that gives a hacker/attacker an unlimited file upload capability. In the wrong hands, unrestricted file upload can lead to:
- Uploading and spreading further malware into the victim server, which can then be used to execute code.
- Complete system takeover.
- An overloaded file system.
- Uploading of defacement pages.
- Uploading spam content for personal gain, etc.
After beautifying the code for better readability, it looks like the screenshot below, which clearly shows that a remote attacker, or anyone with direct access to the file, can upload files in an unrestricted manner.
Our team is not sure whether this malware file was dropped into the plugin repository by accident or planted there on purpose.
Even if the file was not placed there intentionally, it is still possible for other parties to use this script, present in the plugin’s core files, to exploit the site remotely.
Plugin Version with Malware Code (1.6.0)
Fixed Plugin Version (1.6.1)
We detected the presence of this malware code using our existing signature SMW-INJ-18310-php.bkdr.upldr, which has been protecting Imunify360 customers against this type of malware for years.
Once we had identified the presence of the malware in the plugin, we tried to responsibly notify the plugin’s developers on May 26, 2021; the details of our findings were sent to the developer’s official email address. But even after waiting for two weeks we received no response, nor was the malware code removed from the plugin.
It is also worth noting that this is a violation of the WordPress plugin guidelines. So we reported our findings to the WordPress security team on June 7, 2021, and they were very quick to respond by taking the plugin down so it could no longer be downloaded.
After the plugin was closed for further review, the plugin’s developers took notice, removed the malware code from their plugin, and released a newer version that was free of the malware code.
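The signature above is Imunify360’s own; the scanner below is an added example that is not part of the original post and not the plugin’s or Imunify360’s code. It shows the kind of heuristic a defender can run over a plugin directory to surface an unrestricted uploader: a PHP file that hands `$_FILES` straight to `move_uploaded_file` without any file-type, MIME, nonce or capability check. The two PHP samples it scans are constructed for the demo (the malicious one only imitates the pattern described in the post; it is not the real thumbs.php), and the WordPress helper names it looks for (`wp_handle_upload`, `wp_check_filetype`, `current_user_can`, `wp_verify_nonce`) are real WordPress functions used here as evidence of validation.

```python
"""Heuristic scan of a plugin tree for unrestricted PHP upload handlers (added example)."""
import os
import re
import tempfile
from dataclasses import dataclass

# An upload handler is a file that both reads $_FILES and calls move_uploaded_file().
UPLOAD_SINK = re.compile(r"move_uploaded_file\s*\(", re.I)
UPLOAD_SOURCE = re.compile(r"\$_FILES\b")

# Any of these suggests the handler restricts what it accepts or who may call it.
VALIDATION = [
    re.compile(r"\bpathinfo\s*\(", re.I),              # extension inspection
    re.compile(r"\bin_array\s*\(", re.I),              # allow-list membership test
    re.compile(r"\bwp_check_filetype\s*\(|\bwp_handle_upload\s*\(", re.I),
    re.compile(r"\bfinfo_|\bmime_content_type\s*\(", re.I),
    re.compile(r"\bcurrent_user_can\s*\(|\bwp_verify_nonce\s*\(|\bcheck_admin_referer\s*\(", re.I),
]

# Dynamic-execution / decoding primitives often seen in planted code.
OBFUSCATION = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)


@dataclass
class Finding:
    path: str        # path relative to the scanned root, with forward slashes
    reasons: list    # human-readable reasons the file was flagged


def analyze_php(source: str) -> list:
    """Return the list of reasons a PHP source is suspicious (empty list = nothing found)."""
    reasons = []
    if UPLOAD_SINK.search(source) and UPLOAD_SOURCE.search(source):
        if not any(p.search(source) for p in VALIDATION):
            reasons.append("unrestricted upload: move_uploaded_file() on $_FILES "
                           "with no file-type, MIME, nonce or capability check")
    if OBFUSCATION.search(source):
        reasons.append("dynamic execution / decoding primitive present")
    return reasons


def scan_tree(root: str) -> list:
    """Walk a directory and return a Finding for every PHP file that analyze_php() flags."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                reasons = analyze_php(fh.read())
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append(Finding(rel, reasons))
    return findings


# Constructed sample that imitates the unrestricted-uploader pattern (NOT the real thumbs.php).
BAD_SAMPLE = """<?php
// constructed sample: anyone who can reach this file can write any upload to disk
if (isset($_FILES['f'])) {
    move_uploaded_file($_FILES['f']['tmp_name'], basename($_FILES['f']['name']));
}
"""

# Constructed sample of a handler that checks capability, nonce and file type first.
GOOD_SAMPLE = """<?php
// constructed sample: capability + nonce + WordPress upload validation
if (current_user_can('upload_files') && wp_verify_nonce($_POST['_wpnonce'], 'banner')) {
    $result = wp_handle_upload($_FILES['f'], array('test_form' => false));
}
"""


def build_demo_tree(root: str) -> None:
    """Write the two constructed samples into a plugin-like layout under root."""
    bad_dir = os.path.join(root, "includes", "plugins", "phpqrcode", "bindings")
    os.makedirs(bad_dir)
    with open(os.path.join(bad_dir, "thumbs.php"), "w", encoding="utf-8") as fh:
        fh.write(BAD_SAMPLE)
    with open(os.path.join(root, "admin-upload.php"), "w", encoding="utf-8") as fh:
        fh.write(GOOD_SAMPLE)


def run_demo() -> list:
    """Build the demo tree in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in run_demo():
        print(f.path)
        for r in f.reasons:
            print("  -", r)
```

Run it against a real plugin directory with `scan_tree("/path/to/wp-content/plugins/some-plugin")`; anything it reports is a lead for manual review, not a verdict, since a legitimate handler may validate in a way the regexes do not recognise.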
If you, or any of your end customers, used this plugin, please proceed with the regular malware clean-up procedure; that is enough to keep your server safe.
Please Share Your Feedback
The Imunify product team would like to hear from you. To share your ideas and observations on vulnerabilities like the one described above, please send them to us at email@example.com.
If you have questions on how to use Imunify360, or you’d like to resolve a support issue, please contact the Imunify360 support team at cloudlinux.zendesk.com.