WordPress sites hijacked by Plugin Vulnerability at The Plus Addons for Elementor Page Builder 4.1.5

By | 2 May, 2021

On 2 May 2021 at around 7 AM we noticed that one of our client's websites was showing suspicious behaviour: unusually high server resource usage and a large number of entries in the error log. On inspection we found that the site had been hijacked through the plugin vulnerability described here: https://wpscan.com/vulnerability/c311feef-7041-4c21-9525-132b9bd32f89

Through that we were able to confirm that a new admin account had been created. Thankfully the website is only used by the customer as a landing page for their products, so no customer details or other information were leaked in this incident.

The cause of this issue is that the customer used an unlicensed copy of the product: not a nulled one, but probably a copy from a GPL reseller, which means the user does not receive update notifications unless they license the product. Using such products in a production environment is very risky.

Back to the topic: below is the admin user that was created by the intruders.

Screenshot: the admin credential created by the intruders
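A simple way to spot an account like this during triage is to compare the administrators present in the database against the list of administrators the site owner actually knows about, and to note when each one was registered relative to the last known-good date. The script below is an added example, not part of the original post; the wp_users and wp_usermeta rows are constructed, the login "wp_supp0rt" is an invented stand-in for the intruder's account, and the allowlist KNOWN_ADMINS is assumed to be kept by the operator outside the site.

```python
"""Flag administrator accounts that are not on the operator's allowlist.

Added example, not part of the original post. It assumes a dump of the
wp_users and wp_usermeta tables (the rows below are constructed) and that
the "wp_capabilities" meta value uses WordPress's PHP-serialized format,
e.g. a:1:{s:13:"administrator";b:1;}.
"""
import re
from datetime import datetime

# Constructed rows in the shape of wp_users: (ID, user_login, user_email, user_registered)
USERS = [
    (1, "siteowner", "owner@example.com", "2019-03-10 09:12:00"),
    (2, "editor1", "editor@example.com", "2020-07-01 14:05:33"),
    (3, "wp_supp0rt", "x@mail.example", "2021-04-16 03:41:12"),  # constructed intruder account
]

# Constructed rows in the shape of wp_usermeta: (user_id, meta_key, meta_value)
USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# Assumption: the operator keeps this allowlist outside the site, so an
# attacker with database access cannot silently extend it.
KNOWN_ADMINS = {"siteowner"}

# Matches each role name that is set to true in the serialized capabilities array
ROLE_RE = re.compile(r's:\d+:"([a-z_]+)";b:1;')


def roles_for(meta_value: str) -> set[str]:
    """Extract the role names from a serialized wp_capabilities value."""
    return set(ROLE_RE.findall(meta_value))


def suspicious_admins(users, usermeta, known_admins, last_known_good: str):
    """Return administrators missing from the allowlist, with a flag telling
    whether each was registered after the last known-good date."""
    cutoff = datetime.fromisoformat(last_known_good)
    caps = {uid: roles_for(val) for uid, key, val in usermeta if key == "wp_capabilities"}
    findings = []
    for uid, login, email, registered in users:
        if "administrator" not in caps.get(uid, set()):
            continue
        if login in known_admins:
            continue
        created = datetime.fromisoformat(registered)
        findings.append({
            "login": login,
            "email": email,
            "registered": registered,
            "after_known_good": created > cutoff,
        })
    return findings


if __name__ == "__main__":
    # The post's first sign of intrusion was 16 April, so use the day before as the baseline
    for finding in suspicious_admins(USERS, USERMETA, KNOWN_ADMINS, "2021-04-15 00:00:00"):
        print(finding)
```

Accounts that hold the administrator role and are not on the allowlist are the ones to suspend first; the registration date only tells you whether the account was created during the intrusion window or had been sitting there longer.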

We took immediate action by suspending and then deleting the admin account and updating the plugin to version 4.1.11 (the vulnerability was fixed in v4.1.7).

Then we ran an inspection with WP Cerber to detect further intrusion and modification of the WordPress core files. The result was as expected: the “index.php” file of the WordPress core had been modified and injected with malicious ad-redirect code and some SEO script.
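The core-file check that WP Cerber performed here is, at its heart, a comparison of on-disk file digests against the digests of a clean release. The script below is an added example, not part of the original post and not WP Cerber's own code; it builds a constructed mini WordPress tree in a temporary directory, takes a clean manifest, then simulates the intrusion by prepending a redirect snippet to index.php and dropping an extra file, and reports what changed. A real manifest would be built from a pristine copy of the same WordPress version rather than from the tree being checked.

```python
"""Compare a WordPress tree against a SHA-256 manifest to find modified core files.

Added example, not part of the original post and not WP Cerber's own code.
The file contents, paths and the injected snippet are all constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to be read at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Hash every regular file under root, keyed by its root-relative POSIX path."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_tree(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Return files whose digest differs from the manifest, files the manifest
    lists but that are missing on disk, and files on disk that the manifest
    does not know (injected scripts and dropped files land in that last bucket)."""
    current = build_manifest(root)
    modified = sorted(f for f in manifest if f in current and current[f] != manifest[f])
    missing = sorted(f for f in manifest if f not in current)
    unexpected = sorted(f for f in current if f not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


# Constructed stand-in for an injected redirect; ".invalid" is a reserved TLD
INJECTED = b'<script src="https://redirect.invalid/ads.js"></script>\n'


def demo() -> dict[str, list[str]]:
    """Build a constructed tree, snapshot it, simulate the intrusion, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "index.php").write_bytes(b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n")
        (root / "wp-blog-header.php").write_bytes(b"<?php\n// constructed stand-in for the core file\n")
        (root / "wp-includes" / "version.php").write_bytes(b"<?php\n$wp_version = '0.0-constructed';\n")
        clean = build_manifest(root)

        # Simulate the intrusion: prepend a redirect to index.php and drop an unknown file
        original = (root / "index.php").read_bytes()
        (root / "index.php").write_bytes(INJECTED + original)
        (root / "wp-includes" / "wp-seo-cache.php").write_bytes(b"<?php\n// constructed dropped file\n")
        return verify_tree(root, clean)


if __name__ == "__main__":
    for category, files in demo().items():
        print(category, files)
```

On a live site the same comparison should be repeated for every site on the shared server, not just the one that raised the alarm, which is exactly how the second infected site in this incident was found.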

This behaviour has become a trend among attackers: they improve the website's SEO in order to increase the number of visitors, so that the injected malicious redirect code generates more income for them. We will discuss this here.

After the full inspection, having identified the threat behaviour, we ran the scan again against the remaining sites on the same server that the client uses, to look for other websites that might be infected, and we found another one that had been intruded in the same way as the first site detected.

As the first sign of intrusion on the client's website was on 16 April and the site doesn't store any order data, we chose to roll back to our daily backup and re-update every plugin.

Conclusion

For us, the best approach in cyber security is prevention. But because the client was using a plugin obtained from a GPL reseller, and the plugin author does not display update notifications for such copies, both the client and we missed the critical update. Licensing the product is a smaller price to pay than losing the website and the company's reputation because of a malware issue.

The best way to recover from this is to have a daily backup for sites that store customer information, and a weekly or monthly backup for static product pages that don't use or store any customer data.
