Wordpress plugins backdoor

[chayton]

Was just reading an article from Wordfence about a plugin that was removed from the repository. This plugin (Captcha) had over 300,000 active installs, so they wondered what was up - they got hold of the plugin, trolled through the code and found an automatic update that installs a backdoor.

A backdoor file allows an attacker, or in this case, a plugin author, to gain unauthorized administrative access to your website. This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when you first install it), sets authentication cookies, and then deletes itself.

The backdoor installation code is unauthenticated, meaning anyone can trigger it.
​

This is an extension of the other post I made awhile back about people buying popular plugins and then pushing out updates with exploits. In the article they mention a bunch of other plugins also bought by this same group, and others had the same backdoor built in. For those of you running Wordpress, you may want to check this out.

Full article

You do not have permission to view link Log in or register now.

.

 

[maxd]

Excellent post! Thank you.

 

[chayton]

If you have time, be sure to read the linked article about 'Mason Soiza' (aka Kevin Danna) - who's the dude behind this. Among other things, he's a casino affiliate, and I've seen at least one of his sites where he's linking to some pretty decent casinos (for instance Mr. Green and Royal Panda)

Makes me wonder if this kind of hack is behind the "Man gets kicked out of car dealership and then comes back with his Ferrari after winning at xy casino...." stories that seem to be popping up on various non-gambling websites.