Skimmers and other threat actors are backdooring websites, and WordPress instances in particular, according to a recently released report.
Researchers at Sucuri say attackers have developed methods to make sure that their grip on the infected site is not easily removed by applying the next update. They create a backdoor for themselves so they can easily take back control and insert their own code.
WordPress as a target
WordPress, the most popular web content management system (CMS), has seen its fair share of vulnerable plugins, including ones that leave online shoppers exposed.
One common mistake website owners make is to leave their CMS unpatched, thinking they are not an interesting target. In many cases, users may choose not to apply security updates for fear of introducing bugs or even stopping the website from loading properly. This behavior creates the perfect opportunity for online criminals to exploit known vulnerabilities on a large scale.
However, the research by Sucuri shows that even site owners that patch promptly are not safe from certain threat actors.
Creating a backdoor
To make sure they can stay inside the site once they’re in, the threat actors create a backdoor that either re-inserts the malicious code or allows the threat actor access to do it manually. Attackers have developed different methods for protecting their work.
In most cases of this type of infection, we will find a modified index.php which in some cases automatically regenerates itself through a malicious process running in the background. The persistent, running processes on the server are what allows the malware to automatically and immediately reinfect the site once the infection is removed. Even on non-WordPress sites the attackers will replace index.php with an infected copy of the WordPress index.php file.
In other cases, the researchers found hundreds or sometimes thousands of infected .htaccess files scattered throughout the website directories. These are designed to stop custom PHP files or cleanup tools from executing, so that any remediation the site owner has already put in place is blocked.
In other cases you may find a modified wp-includes/plugin.php file designed to re-create the index.php and .htaccess. But even though plugin.php is a common point of attack, similar code has been found in other core files.
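The three persistence indicators described above (PHP-blocking .htaccess files scattered where no site owner would put them, a WordPress index.php dropped into a non-WordPress directory, and a background process that keeps re-infecting) can be hunted for with ordinary shell tools. The script below is an added example, not Sucuri's tooling or the report's own method; it assumes a Linux web host with find, grep and ps, builds a constructed sample tree (not a real infection) to exercise the checks, and treats only the uploads directory as a place where blocking PHP is legitimate, which is an assumption you should adjust for your own site.

```shell
#!/bin/sh
# Hunt for the persistence indicators described above in a site's document root.
# Added example, not Sucuri's tooling. Assumes Linux with find/grep/ps; the
# directory layout and the "legitimate" .htaccess location are assumptions.

# .htaccess directives commonly used to stop PHP (and so any uploaded cleanup
# script) from executing in a directory.
PHP_BLOCK_RE='php_flag[[:space:]]+engine[[:space:]]+off|RemoveHandler[[:space:]]+\.php|<FilesMatch[[:space:]]+".*php'

# Print every .htaccess under $1 that blocks PHP execution, one path per line.
find_php_blocking_htaccess() {
    find "$1" -name .htaccess -type f -exec grep -E -l -i "$PHP_BLOCK_RE" {} + 2>/dev/null || :
}

# Total number of PHP-blocking .htaccess files: hundreds is the signal the report describes.
count_php_blocking_htaccess() {
    find_php_blocking_htaccess "$1" | wc -l | tr -d ' '
}

# Drop the one location where the owner plausibly blocks PHP on purpose
# (assumption: wp-content/uploads); everything left is suspect.
find_unexpected_php_block() {
    find_php_blocking_htaccess "$1" | grep -v -x -F -e "$1/wp-content/uploads/.htaccess" || :
}

# index.php files that bootstrap WordPress (require wp-blog-header.php) but have
# no wp-load.php beside them: on a non-WordPress site that is the swapped-in
# infected copy of the WordPress index.php the report mentions.
find_foreign_wp_index() {
    find "$1" -name index.php -type f -exec grep -l 'wp-blog-header\.php' {} + 2>/dev/null \
    | while IFS= read -r f; do
        [ -e "$(dirname "$f")/wp-load.php" ] || printf '%s\n' "$f"
    done
}

# Processes running as the web server user. The report attributes automatic
# reinfection to a persistent background process, so anything here that is not
# the web server or PHP-FPM itself deserves a look. Informational only.
list_web_user_processes() {
    ps -u "${1:-www-data}" -o pid=,etime=,args= 2>/dev/null || :
}

# Constructed sample tree (not a real infection) so the checks can run offline.
build_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2023" "$root/wp-includes" "$root/legacy-shop/img"
    printf '<?php\nrequire __DIR__ . "/wp-blog-header.php";\n' > "$root/index.php"   # real WP root
    : > "$root/wp-load.php"
    printf 'php_flag engine off\n' > "$root/wp-content/uploads/.htaccess"           # owner hardening
    for d in wp-includes wp-content/uploads/2023 legacy-shop/img; do               # attacker-style
        printf '<FilesMatch "\\.php$">\nDeny from all\n</FilesMatch>\n' > "$root/$d/.htaccess"
    done
    printf '<?php\nrequire __DIR__ . "/wp-blog-header.php";\n' > "$root/legacy-shop/index.php"
    printf '%s\n' "$root"
}

site=$(build_sample_site)
echo "PHP-blocking .htaccess files: $(count_php_blocking_htaccess "$site")"
echo "Outside expected locations:"
find_unexpected_php_block "$site"
echo "WordPress index.php in non-WordPress directories:"
find_foreign_wp_index "$site"
rm -rf "$site"
```

Run it against a real document root by replacing the sample tree with the path to your site; treat every hit from find_unexpected_php_block and find_foreign_wp_index as something to explain, and compare list_web_user_processes against the processes you expect your web stack to run.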
Identifying and cleaning the problem
Malicious code on your website can be planted there for various reasons, such as for card skimming or spreading malware. To keep an eye on your site, the following areas are important:
- File integrity: make sure that your core files cannot be changed without you being aware of it. One way to do this is file integrity monitoring through an active server-side scanner that alerts on changes.
- Logging: all important changes on your site should be visible in logs. New plugins, updates of the CMS and plugins, and file changes should be monitored. If you do not recognize a change as something you implemented, investigate it.
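A minimal form of the file integrity monitoring recommended above is a signed-off baseline of hashes for the core files, checked on a schedule. The script below is an added example, not Sucuri's scanner or any product's code; it assumes a Linux host with sha256sum (or shasum) and awk, excludes wp-content/uploads from the baseline because that directory changes legitimately (an assumption to tune per site), and uses a constructed sample tree to show the reinfection pattern from the report: a modified wp-includes/plugin.php, a newly dropped .htaccess, and a core file that has gone missing.

```shell
#!/bin/sh
# Baseline-and-verify file integrity check for a WordPress document root.
# Added example, not any vendor's scanner. Assumes Linux with sha256sum or
# shasum and awk; excluding wp-content/uploads is an assumption.

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi \
    | cut -d' ' -f1
}

# Emit "sha256<TAB>relative-path" for every file under $1, sorted, skipping uploads.
manifest() {
    ( cd "$1" && find . -path ./wp-content/uploads -prune -o -type f -print | sort \
      | while IFS= read -r f; do
            printf '%s\t%s\n' "$(hash_file "$f")" "${f#./}"
        done )
}

# Record the baseline ($2) for a site root ($1) right after a clean install or update.
make_baseline() { manifest "$1" > "$2"; }

# Compare the site root ($1) against the baseline ($2); prints one line per
# ADDED, MODIFIED or MISSING file, sorted. No output means no drift.
check_baseline() {
    cur=$(mktemp)
    manifest "$1" > "$cur"
    awk -F '\t' '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        { seen[$2] = 1
          if (!($2 in base))        print "ADDED", $2
          else if (base[$2] != $1)  print "MODIFIED", $2 }
        END { for (p in base) if (!(p in seen)) print "MISSING", p }
    ' "$2" "$cur" | sort
    rm -f "$cur"
}

# Constructed sample site (three core files plus one upload that is excluded).
build_core_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-admin" "$root/wp-includes" "$root/wp-content/uploads"
    printf '<?php require __DIR__ . "/wp-blog-header.php";\n' > "$root/index.php"
    printf '<?php require_once __DIR__ . "/admin.php";\n' > "$root/wp-admin/index.php"
    printf '<?php function add_filter() {}\n' > "$root/wp-includes/plugin.php"
    printf 'jpegdata' > "$root/wp-content/uploads/photo.jpg"
    printf '%s\n' "$root"
}

# Simulate the drift pattern from the report on the sample site (not real malware).
simulate_reinfection() {
    printf '// injected: re-creates index.php and .htaccess on load\n' >> "$1/wp-includes/plugin.php"
    printf 'php_flag engine off\n' > "$1/wp-includes/.htaccess"
    rm -f "$1/wp-admin/index.php"
}

site=$(build_core_sample)
baseline=$(mktemp)
make_baseline "$site" "$baseline"
echo "Clean check (expect no output):"; check_baseline "$site" "$baseline"
simulate_reinfection "$site"
echo "After reinfection:"; check_baseline "$site" "$baseline"
rm -rf "$site" "$baseline"
```

Keep the baseline somewhere the web server user cannot write (off the host is best), regenerate it only after you have applied an update yourself, and run check_baseline from cron; a MODIFIED line for a core file such as wp-includes/plugin.php that you did not update is exactly the signal the report describes.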
The Sucuri blog post has detailed instructions on how to remove these infections, should you find your site has fallen victim to these threat actors.
Protecting your site
For website owners there are some guidelines to stay safe from these practices.
- Put your website behind a web application firewall, or take other measures that restrict access to the wp-admin area to specific IP addresses only.
- Regularly change all admin passwords associated with your site. This includes the admin dashboard, cPanel/FTP, SSH and email. Where possible, enable MFA.
- Keep all plugins, themes and your CMS up to date at all times and remove any unneeded plugins or themes. Speed is important. Attackers are always aware of the latest vulnerabilities and will scan the Internet for unpatched sites to hijack, sometimes within hours of a patch being made available.
You can read more in our article: How to defend your website against card skimmers.
For visitors of shopping sites, take as many precautions as possible. There are browsers and browser configurations that will help you against falling victim to skimmers, malicious redirects, and other unwelcome code on a site you are visiting.
Stay safe, everyone!