Obfuscated Links in the Captcha on Login WordPress Plugin

Labs Note

Do you remember SweetCAPTCHA that tried to monetize its WordPress plugin injecting unwanted ads into web pages?

Today we’ve found another CAPTCHA plugin with a suspicious code. We cleaned a site and our scanner reported a suspicious obfuscated code inside the Captcha on Login plugin (45,000+ all time installs) files.

captcha-on-login/index.php
captcha-on-login/templates/report.php
captcha-on-login/templates/options.php

The obfuscation had strings like this:

...
${ "GL\x4f\x42\x41LS" }[ "\x64\x78cq\x70c\x6ax\x77\x6f\x63\x72" ]
...

When we see such things, we always try to decode them to figure out whether it’s legitimate or not.

...
public function options_page(){
$meu_link="http://vendacomtrafegogratuito [.]com .br";$meu_link2="hxxp://hotplus [.]net .br/plugin-hotlinks-plus/?clear";include("templates/options.php");
$meu_link="hxxp://vendacomtrafegogratuito [.]com .br";$meu_link2="http://hotplus [.]net .br/ plugin-hotlinks-plus/?clear";
}
...

Looks like that the owner of this plugin, called “Anderson Makiyama” is a Brazilian developer who is the owner of these affiliate marketing websites:
hxxp://hotplus .net .br/ plugin-hotlinks-plus/
hxxp://funildevendasparainiciante .com .br/ onde-divulgar-links-de-afiliados/

This plugin seems to be only showing these links inside the WordPress admin interface on the plugin options and report pages as “Other products of the author” (Outros Produtos do Autor). It’s maybe a bit annoying but doesn’t seem to be a big deal. It’s natural for plugin developers to pitch their other products (even such questionable ones) on the internal plugin pages (not visible to site users).

The only problem is that link injecting code is obfuscated. Not only does it result in warnings produced by security scanners, but this practice is considered unacceptable by the official WordPress Plugin Directory guidelines:

4. No obfuscated code. We believe that obfuscated code violates the spirit, if not the letter, of the GPL license under which we operate....
...Intentionally obfuscated code is not the preferred form, and not allowed in the repository under any circumstances.

It’s sad to see how plugins that are supposed to help stop hackers, actually do things that resemble what hackers do. Sometimes you can find such plugins even in the official WordPress plugin directory.

If you are looking for alternative solutions against brute force attacks, you can check our Website Firewall.

You May Also Like