Reg comments17

Small WordPress sites leaking like sieves

Login-stealing C&C server spotted

Zscaler's grab of the malicious login script

Wordpress admins hoping for some feet up time after last week's Twenty Fifteen XSS plugin vulnerability appear to have yet another vulnerability to handle.

Researchers at Zcaler have identified a bunch of compromised sites that are all leaking user credentials to the same target domain – conyouse.com hosts the command and control.

The researchers haven't yet identified which particular vulnerability is being used to invade the WordPress sites under attack. Most of the domains in their list look to El Reg like they're managed by individuals or small community groups (for example, if you know someone involved with the Blissfields Festival, or in the Glasgow Contemporary Choir, tell them they need to patch), so may not have the world's most most vigilant webmasters.

Zscaler's blog post notes: “The compromised sites run backdoor code, which activates when the user submits login credentials. The credentials are encoded and sent to an attacker website in the form of a GET request. Till now, we have identified only one domain "conyouse.com" which is collecting all the credentials from these compromised sites.”

The vulnerable sites serve up login pages with JavaScript injected to do the credential-stealing. The code is in a wp.js file,

The obfuscated JavaScript code present in “wp.js” file can be seen here:

Zscaler's grab of the malicious login script

Part of the attack caught by Zscaler

Zscaler continues: “The form containing the username and password input box has a fixed name as ‘loginform‘ in all WordPress sites.

“The preventDefault event method is used to cancel the submit event for 'loginform' entity and execute the alternate code which is present in this file. The login credential string is serialised and encoded in a Base64 format.”

Get patching. ®

Sign up to our Newsletter

Get IT in your inbox daily

Biting the hand that feeds IT © 1998–2017