{"id":82306,"date":"2016-03-09T10:23:53","date_gmt":"2016-03-09T04:53:53","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=82306"},"modified":"2016-03-30T19:55:59","modified_gmt":"2016-03-30T14:25:59","slug":"compromised-wordpress-websites-redirect-users-to-malicious-domains","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/compromised-wordpress-websites-redirect-users-to-malicious-domains\/","title":{"rendered":"Compromised WordPress websites redirect users to malicious domains"},"content":{"rendered":"<p>Of late, the popular content management system (CMS) WordPress has been in the news for being targeted by hackers. Several websites built on WordPress are bearing the brunt of unpatched vulnerabilities and default configuration issues.<br \/>\n<strong>Below are some attacks that were perpetrated using compromised WordPress websites:<\/strong><\/p>\n<ul>\n<li>Backdoors (<em>a means of accessing a computer by bypassing normal authentication<\/em>)<\/li>\n<li>Drive-by downloads (<em>the unintentional download of malware onto a device<\/em>)<\/li>\n<li>Pharma hacks (<em>exploits that take advantage of WordPress vulnerabilities and cause search engines to serve unwanted ads for pharmaceutical products<\/em>)<\/li>\n<li>Malicious redirects (<em>redirecting the user to infected and compromised websites<\/em>)<\/li>\n<\/ul>\n<p>Quick Heal Labs has registered a spike in WordPress infections during the last few weeks. These are related to injected, obfuscated (<em>deliberately made unreadable<\/em>) malicious JavaScript code. We found an instance of a malicious redirection on a compromised WordPress website. The method the attackers used to compromise the site is still unclear. 
But, it is certain that WordPress and its plugins are plagued by several vulnerabilities that can be exploited for this purpose.<\/p>\n<p>The below figure shows what an injected malicious obfuscated JavaScript looks like.<\/p>\n<figure id=\"attachment_82459\" aria-describedby=\"caption-attachment-82459\" style=\"width: 600px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2016\/03\/Figure-11-e1459347476896.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-82459 size-full\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2016\/03\/Figure-11-e1459347476896.png\" alt=\"Figure 1. Obfuscated Injected JavaScript\" width=\"600\" height=\"345\" \/><\/a><figcaption id=\"caption-attachment-82459\" class=\"wp-caption-text\">Figure 1. Obfuscated Injected JavaScript<\/figcaption><\/figure>\n<p>When de-obfuscated, the code looks like this:<\/p>\n<p><a href=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2016\/03\/Figure-21.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-82462 size-full\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2016\/03\/Figure-21-e1459347614312.png\" alt=\"Figure 2\" width=\"600\" height=\"447\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Figure 2. De-obfuscated JavaScript<\/p>\n<p>The de-obfuscated code loads an iFrame tag which is responsible for redirecting the victim to a malicious website. 
The function \u2018dpi\u2019, once executed, yields the following URL:<\/p>\n<p><em>hxxp:\/\/div-class-container[.]ru\/m\/<\/em><\/p>\n<p>VirusTotal Report: <a href=\"https:\/\/www.virustotal.com\/en\/url\/a732aa816d471b142610efdf1eb63ba3d60335707a4ac826c7b966efa9da119c\/analysis\/\">4\/67<\/a><\/p>\n<p>The iFrame loads the above URL and redirects users to it.<\/p>\n<p><strong>Network Activity<\/strong><\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2016\/03\/Figure31.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-82465 size-large\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2016\/03\/Figure31-1024x61.jpg\" alt=\"\" width=\"700\" height=\"61\" \/><\/a><br \/>\nFigure 3. Network Activity<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2016\/03\/Figure41.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-82468\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2016\/03\/Figure41.jpg\" alt=\"Figure 4\" width=\"783\" height=\"348\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2016\/03\/Figure41.jpg 783w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2016\/03\/Figure41-300x133.jpg 300w\" sizes=\"(max-width: 783px) 100vw, 783px\" \/><\/a>Figure 4. Network Activity<\/p>\n<p>During analysis, the malicious domain was not serving any malicious content. 
But we have reason to believe that it will.<\/p>\n<p><strong>Domain Information<br \/>\n<\/strong>Domain: div-class-container[.]ru<br \/>\nVirusTotal Report: <a href=\"https:\/\/www.virustotal.com\/en\/url\/3348bb78b8e94ece3f7b6fcdaaf02f293ec8cc9c965f015bef6b3261c3dd9227\/analysis\/\" target=\"_blank\">1\/67<\/a><\/p>\n<p><strong>IP Information<br \/>\n<\/strong>IP Address: 193.201.227.193<br \/>\nLocation: Ukraine<br \/>\nVirusTotal IP Information: <a href=\"https:\/\/www.virustotal.com\/en\/ip-address\/193.201.227.193\/information\/\" target=\"_blank\">Report<\/a><\/p>\n<p>According to VirusTotal, some of the other domains hosted on the above IP are:<\/p>\n<ul>\n<li>www.news-cloud[.]ru<\/li>\n<li>www.wp-cloud[.]ru<\/li>\n<li>div-class-container[.]ru<\/li>\n<li>news-cloud[.]ru<\/li>\n<li>wp-cloud[.]ru<\/li>\n<\/ul>\n<p><strong>Safety Measures for WordPress Users<\/strong><\/p>\n<ul>\n<li>Update WordPress to the latest version<\/li>\n<li>Keep the web server hosting WordPress up to date<\/li>\n<li>Change the default admin login credentials (username\/password) to unique, strong credentials<\/li>\n<li>The FTP server must have strong credentials<\/li>\n<li>Use SFTP for file transfers to web servers<\/li>\n<li>Maintain proper directory\/file permissions on WordPress files<\/li>\n<li>Back up your website daily<\/li>\n<li>Secure your wp-config.php file<\/li>\n<li>Disable file editing in the dashboard by adding the following line to your wp-config.php file (note the straight quotes; curly quotes are a PHP syntax error)<br \/>\ndefine('DISALLOW_FILE_EDIT', true);<\/li>\n<li>Install WordPress File Monitor Plus to receive notifications every time your files are edited<\/li>\n<\/ul>\n<p>The iFrame redirection technique for sending users to malicious domains is well known and widely used by attackers. Given the heavy usage of WordPress websites across the world, they can be used by hackers to trigger a mass infection in today\u2019s cyber space. 
We strongly recommend the implementation of the safety measures listed above.<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #666666;\">ACKNOWLEDGMENT<br \/>\n<\/span><strong>Subject Matter Expert<\/strong><\/p>\n<ul>\n<li>Aparna Pal<\/li>\n<\/ul>\n<p>&#8211; Threat Research &amp; Response Team, Quick Heal<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Of late, popular content management system (CMS) WordPress has been in the news for being targeted by hackers. Several websites built on WordPress are facing the brunt due to unpatched vulnerabilities and default configuration issues. Below are some attacks which were perpetrated using compromised WordPress websites: Backdoors (means to access a computer by bypassing normal [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":82439,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[164,36],"tags":[1217,77,1218,1219],"class_list":["post-82306","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-crime","category-security-patch","tag-backdoors","tag-drive-by-download","tag-drive-by-downloads","tag-wordpress-vulnerability"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/82306"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=82306"}],"version-history":[{"count":3,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/82306\/revisions"}],"predecessor-version":[{"id":82492,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/82306\/revisions\/82492"}],"
wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/82439"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=82306"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=82306"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=82306"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}