In April 2023, a surge in the use of an outdated WordPress plugin called Eval PHP was reported by Sucuri, a website security firm. The plugin allows site administrators to embed PHP code on WordPress pages and posts and execute the code when the page is opened in the browser. Although the plugin has not been updated in over a decade, it is still available through the WordPress plugins repository, making it easy for attackers to exploit its vulnerabilities. This report explores how attackers are using Eval PHP to inject stealthy backdoors into websites, compromising their security.
The Modus Operandi of Attackers Using Eval PHP
The attackers inject malicious code into the targeted website's database, specifically into the 'wp_posts' table, making it harder to detect as it evades standard website security measures such as file integrity monitoring, server-side scans, etc. To accomplish this, the attackers use a compromised or newly created administrator account to install Eval PHP, allowing them to insert PHP code into pages and posts of the breached site using [evalphp] short codes.
The main advantage of this method compared to conventional backdoor injections is that Eval PHP can be reused to reinfect cleaned sites while keeping the point of compromise hidden. When the code is executed, it drops a backdoor (3e9c0ca6bbe9.php) in the root of the website and the name of the backdoor may vary from attack to attack. Installation of the malicious Eval PHP plugin is triggered from the IP addresses 91[.]193[.]43[.]151, 79[.]137[.]206[.]177, and 212[.]113[.]119[.]6.
The backdoor does not use POST requests for C2 communication to evade detection but, instead, passes data through cookies and GET requests without visible parameters. Additionally, the malicious [evalphp] short codes are planted in saved drafts hidden in the SQL dump of the "wp_posts" table and not on published posts. This is still enough to execute the code that injects the backdoor into the website's database.
Why does this Matter?
The use of outdated plugins can lead to serious security vulnerabilities in WordPress sites. Attackers are exploiting this vulnerability by injecting malicious code into the targeted website's database using an outdated WordPress plugin called Eval PHP. The plugin allows site administrators to embed PHP code on WordPress pages and posts and execute the code when the page is opened in the browser, leading to the backdoor (3e9c0ca6bbe9.php) being dropped.
How to Protect Yourself
A crucial step in ensuring website security is to regularly monitor website activity and database changes. This includes checking for suspicious login attempts, monitoring for changes to critical files and database tables, and reviewing website logs for any abnormal behaviour.
Additionally, website owners should limit access to the website's admin panel to only trusted individuals and implement strong password policies to prevent unauthorized access. It is also recommended to regularly back up website data to minimize the impact of a potential attack.
In the case of an attack using Eval PHP, the first step is to identify the malicious plugin and remove it from the website. This can be accomplished by disabling and deleting the Eval PHP plugin, removing any associated short codes from website pages and posts, and manually searching the website's database for any instances of the backdoor code.
Once the malicious code has been removed, website owners should perform a thorough scan of the website to ensure no other vulnerabilities or malware are present. This may involve using a web application firewall to monitor incoming traffic, conducting server-side scans, and reviewing website logs for any suspicious activity.
The Importance of Delisting Old and Unmaintained Plugins
Sucuri suggests that old and unmaintained plugins like Eval PHP should be delisted from the WordPress plugin repository to prevent threat actors from abusing them for malicious purposes. However, until the responsible parties act, website owners are advised to secure their admin panels, keep their WordPress installation up to date and use a web application firewall to reduce the risk of a successful attack.
The Need for a Proactive Approach to Website Security
The use of Eval PHP to inject malicious code into WordPress sites highlights the dangers of using outdated plugins. Site owners must ensure they keep their plugins up to date and carefully vet any new plugins they install. A proactive approach to website security is crucial, and regularly scanning for vulnerabilities and implementing security measures like web application firewalls can help reduce the risk of a successful attack.
While it is important to take proactive measures to prevent attacks, it is equally important to have a plan in place in case of a security breach. Website owners should have a clear incident response plan outlining steps to take in the event of a security breach, including how to identify and isolate the affected system, remove the malicious code, and restore the website to a secure state.
In conclusion, the use of outdated plugins like Eval PHP highlights the importance of taking a proactive approach to website security. Website owners must ensure they keep their plugins up to date, carefully vet any new plugins they install, limit access to the website's admin panel and implement strong password policies to prevent unauthorized access. Regularly monitoring website activity and database changes, and having an incident response plan in place can also help minimize the impact of a potential attack.
Sucuri's suggestion of delisting old and unmaintained plugins like Eval PHP from the WordPress plugin repository is a step in the right direction. However, website owners must take responsibility for their website's security and take the necessary steps to ensure their website remains secure from potential attacks.