Today, 2nd of May 2021, we found out that one of our client websites has been displaying malicious behaviour. The details can be read here.
As we continued the full scan of the site, we found that index.php and .htaccess had been modified by the attackers.
A comparison between the clean file and the injected (malicious) one is shown in the image below:


As you can see in the injected WordPress index.php, it contains redirection code, SEO spam code and some other code that probably authenticates to a CnC server for further communication and later injection stages. We suspect this happened because of the following critical plugin vulnerabilities, which were detected using the WPScan plugin by wpscan.com.
The suspected plugins (versions in use during the incident) are listed below:
- Elementor – Header, Footer & Blocks (v1.5.7) – Details
- Happy Elementor Addons (v2.22.1) – Details
- Happy Elementor Addons Pro (v1.15.0) – Details
- The Plus Addons for Elementor Page Builder Lite (v2.0.5) – Details
At the time of writing, all of the plugin developers have released patches to fix these issues. All the vulnerabilities listed may be related to the vulnerability patched earlier in the main Elementor plugin, which has also been fixed. Details about the main Elementor vulnerability can be found on the Wordfence blog here.
We cleaned up the customer site by updating the impacted plugins, replacing index.php and regenerating .htaccess.
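As an added example (not code from the original post), the kind of file-integrity check that would have flagged the modified index.php and .htaccess much earlier: a POSIX shell script that records SHA-256 hashes of a known-clean site's files and later reports any file that no longer matches. The sample file contents and the temporary directory are constructed for the demo; WP-CLI's `wp core verify-checksums` covers WordPress core files but not .htaccess, which is why a site-specific baseline like this is useful, and the baseline should be regenerated right after a cleanup like the one described above.

```shell
#!/bin/sh
# Added example: baseline-and-verify integrity check for the files a WordPress
# injection typically touches. Not part of the original post or of WordPress.

# baseline_create DIR MANIFEST: record the hash of each monitored file that exists.
baseline_create() {
    dir=$1; manifest=$2
    : > "$manifest"
    for f in index.php .htaccess wp-config.php; do
        if [ -f "$dir/$f" ]; then
            (cd "$dir" && sha256sum "$f") >> "$manifest"
        fi
    done
}

# baseline_verify DIR MANIFEST: print "MODIFIED: <file>" for each file whose
# current hash differs from the baseline (a missing file also counts).
# Returns 0 when everything matches, 1 when at least one file changed.
baseline_verify() {
    dir=$1; manifest=$2
    changed=0
    while read -r hash file; do
        cur=$(cd "$dir" && sha256sum "$file" 2>/dev/null | awk '{print $1}')
        if [ "$cur" != "$hash" ]; then
            echo "MODIFIED: $file"
            changed=1
        fi
    done < "$manifest"
    return $changed
}

# demo [tamper]: build a constructed mini site in a temp dir, take a baseline,
# optionally append a line to index.php (standing in for injected code), verify.
demo() {
    tmp=$(mktemp -d)
    # Constructed sample content resembling a stock WordPress index.php/.htaccess.
    printf '<?php\ndefine("WP_USE_THEMES", true);\nrequire __DIR__ . "/wp-blog-header.php";\n' > "$tmp/index.php"
    printf '# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n' > "$tmp/.htaccess"
    baseline_create "$tmp" "$tmp/baseline.sha256"
    if [ "$1" = "tamper" ]; then
        printf '# constructed extra line standing in for injected code\n' >> "$tmp/index.php"
    fi
    rc=0
    baseline_verify "$tmp" "$tmp/baseline.sha256" || rc=$?
    rm -rf "$tmp"
    return $rc
}
```

In production, store the manifest outside the web root (and ideally off-host) so an attacker who can write index.php cannot also rewrite the baseline.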