In my everyday malware reverse engineering experience i come across multiple websites injections by malware, these malware are very much unique and cannot be found easily using search strings . Recently i was given a task to clean malware from a infected website. The website was using the very famous wordpress cms, when i search the internet i found multiple exploits which can be used to upload a backdoor into any website which is vulnerable due to outdated Slider plugin.
Usually when i am cleaning malware from websites, i first start by looking for the vulnerability which was exploited to upload the malware in the site i was working on . In this case the exploit was published on exploit db. The exploitation done by malicious hackers is very interesting. The attack is done in 3 phases, In the first phase the attacker gathers information about the website is RevSlider exists, Usually RevSlider is packed with Themes which are sold by different websites, the end users is unaware about.
Below the attacker is looking for the file revicons.eot which is a part of RevSlider plugin.
“GET /wp-content/plugins/revslider/rs-plugin/font/revicons.eot HTTP/1.1″ 200
After the file is downloaded the attackers uses LFI vulnerability to download wp-config.php file which contains the DB connection string.
“GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.0″ 202
Now the malicious hacker has the wordpress db connection credentials he try to exploit the another vulnerability by POST request a backdoor send through update_plugin.
POST /wp-admin/admin-ajax.php HTTP/1.1″ 200 3059 “-”
Content-Disposition: form-data; revslider_ajax_action
update_plugin; name=”update_file”;…
Now the PHP backdoor shell is uploaded and a simple GET request will confirm this
“GET /wp-content/plugins/revslider/temp/update_extract/revslider/update.php HTTP/1.1″ 200 3623
“-”
The hacker has total control over your website now, it can be defaced or used for blackhat SEO.
Slider Revolution Exploit WordPress
http://www.exploit-db.com/exploits/35385/
It is recommended to always keep your site updated to lower down the risk of malicious hackers gain access to your website, Keep checking your apache / nginx logs if any suspicious activity found Immediate action is required from your end.
Please feel free to contact me through comment box below at any time if you feel your website is hacked. I will provide a solution to keep your site malware free.
UPDATE: This exploit was used by malicious hackers for Panama Leaks
Mossack Fonseca Breach – WordPress Revolution Slider Plugin Possible Cause