WordPress redirect hack via Test0.com/Default7.com


A malicious redirect is a type of hack in which website visitors are automatically redirected to a third-party website: usually a malicious resource, a scam site, or a commercial site that buys traffic from cybercriminals (for example, one selling counterfeit drugs or replica goods).

Types of malicious redirects

There are two main types of malicious redirects: server-side redirects and client-side redirects.

Server-side redirects take place before a visitor even loads a page. The most common techniques used by server-side redirect hacks are “rewrite” rules in Apache .htaccess files or PHP code injected into legitimate files.

Client-side redirects are initiated by visitors’ browsers after loading infected web pages. The most common client-side redirects are implemented via injected JavaScript code (unwanted ads or redirects to scam sites) or via the HTML “meta refresh” instruction (typical for phishing pages).

Most malicious redirects are conditional. This means that the redirect only happens when a certain condition is met. For example, search traffic redirects only occur when visitors come from Google search results or another search engine. Other common redirect conditions are:

  • Web browser type – The malware exploits a vulnerability in a certain browser, and hackers are not interested in visitors who use other browsers.
  • Mobile or not – Only mobile traffic may be redirected.
  • First visit or not – Malware typically stays dormant on subsequent visits to make it more difficult to detect and troubleshoot.
  • Default browser language – For example, some spam campaigns only redirect visitors whose browsers report Japanese or Korean as their preferred language.

WordPress redirect hack example

The following case from 2016 is a typical example of a server-side conditional WordPress redirect. Although the attack has not been active for three years, it shows the techniques most commonly used by hackers: malware in the theme’s header.php, conditions on first visit, and browser type. Additionally, it shows how hackers make redirects random, which makes detection difficult.

We have worked on a few WordPress sites with the same infection that randomly redirects visitors to malicious sites through the default7.com / test0.com / test246.com domains. In this article, we review this attack, which was investigated by our malware analyst, Jean Castro.

header.php injection

In all cases, the malware injects 10 to 12 lines of code at the top of the current WordPress theme’s header.php file:

Malicious injection in header.php

Once decoded, you see this main part of the malware:

Decoded malware

The logic is simple. It redirects visitors to default7.com if this is their first visit to the site after the infection, and it sets the 896diC9OFnqeAcKGN7fW cookie for one year to track returning visitors. It also checks the User-Agent header so that search engine bots are not redirected.

Random WordPress redirects

Even for eligible visitors, the redirect is hit or miss. The probability of a redirect is set in the $luck variable, which is currently 15%.

Default7.com is not the final redirect destination. Depending on the IP and the browser, the visitor is redirected further. We have detected that the following domains are used in redirect chains:

  • default7.com
  • test246.com
  • test0.com
  • distinctive .com
  • ableoccassion.com

Fake updates for Internet Explorer users

The most interesting scenario is when you are using Internet Explorer. In this case, the redirect chain might look like this:

default7 .com

 -> advertisementexample .com/d/p/test246.com?k=e88965c228fb1da3ff5ecff0d3034e7a.1462363771.823.1&r=

 -> maintainpc .soft2update .xyz/vtrescs?tyercv=5qe5FetFrItyco5HNTadzxMu9Nwdv__MlK_dmzyotoo.&subid=102860_bebd063b36f47778fce4592efccae37a&v_id=e5tsIAwpqr6ffJ2kShbqE1F3WXTIU4auGIx7jpVqifk.

 -> intva31 .saturnlibrary .info/dl-pure/1202331/31254524/?bc=1202331&checksum=31254524&ephemeral=1&filename=adobe_flash_player.exe&cb=-1388370582&hashstring=oZy9K7h7eaHC&usefilename=true&executableroutePath=1202245&stub=true

This leads to websites pushing fake Flash and Java updates:

Fake Adobe Flash Player update

The above redirect chain ended with downloading the adobe_flash_player-31254524.exe file that has been recognized as malware by 27 antivirus vendors on VirusTotal.

Facebook side effect

There is an interesting side effect that can help reveal this infection. When you post a link to an infected site on Facebook, you may see (or not, since redirects are random) a snippet from another site, for example test0.com.

test0 .com redirect when sharing infectious site on Facebook

Even after you clean up the site, the Facebook link keeps redirecting to test0.com when people click it. Why? Because of Facebook’s shared link cache, which needs to be reset.

Bugs in malware

There are other side effects of this malware caused by obvious bugs in the malicious code.

For example, in the decoded version you can see this line 9:

if ($_GET['6FoNxbvo73BHOjhxokW3'] !== NULL) {

For some reason, the malware looks for the 6FoNxbvo73BHOjhxokW3 parameter but does nothing if a GET query contains it. That is not the problem, though. The problem is that the code does not check that the parameter exists before comparing its value. In PHP, this causes a notice like this:

Notice: Undefined index: 6FoNxbvo73BHOjhxokW3 in /home/account/public_html/wp-content/themes/currenttheme/header.php(8) : eval()'d code on line 9

Many servers turn off the display of PHP notices, so that’s not a big deal. Some still display them, and you can find infected sites just by Googling: “Notice: undefined index: 6FoNxbvo73BHOjhxokW3”. For me, Google returns 6420 results for this query.


If you check the results of the above query, you will see that most of them also mention errors in the theme’s footer.php file:

Fatal error: Cannot redeclare enc() (previously declared in /home/account/public_html/wp-content/themes/currenttheme/header.php(8) : eval()'d code:56) in /home/account/public_html/wp-content/themes/currenttheme/footer.php(9) : eval()'d code on line 2

The reason is that an earlier wave of this attack had already infected footer.php files, injecting similar obfuscated code at the top. That code declared functions with the same names as the malware in header.php. As a result, once the attack moved to header.php (in April) and re-infected sites that already had the footer.php injection, the PHP engine started to display errors about redeclared functions, because header.php and footer.php are executed in the same context.

The footer.php variant of the malware was more sophisticated. It injected JavaScript code that would redirect visitors or create popups. It stored the encrypted redirect URL in the .SIc7CYwgY (or .SIc7CYwgY1) file in the site root, or in /var/tmp/.SIc7CYwgY if the site root was not writable. It could also update the stored redirect URL via requests to an infected site that included 8Yx5AefYpBp07TEocRmv as a GET parameter. Nevertheless, it used the same default7.com domain (encrypted as IyUOPGlbfjUHCiwgXwZ1aRIpFA==) for redirects.
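A triage script, added here as an example (not part of the original article or the analyst’s own tooling), that scans a site for the indicators described above: an eval(base64_decode()) block at the top of header.php or footer.php, the cookie and parameter names that appear once the payload is decoded one layer, and the hidden .SIc7CYwgY files of the footer.php variant. The sample site it builds is constructed and contains only a harmless stub carrying those strings.

```python
import base64
import re
import tempfile
from pathlib import Path

# Indicators named in the article: cookie, attacker GET parameters, redirect domain (plain and "encrypted").
INDICATORS = ["896diC9OFnqeAcKGN7fW", "6FoNxbvo73BHOjhxokW3", "8Yx5AefYpBp07TEocRmv",
              "default7.com", "IyUOPGlbfjUHCiwgXwZ1aRIpFA=="]
HIDDEN_FILES = [".SIc7CYwgY", ".SIc7CYwgY1"]  # URL store used by the footer.php variant
# Shape of the injection: eval() wrapped around a base64_decode('...') string literal.
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")

def layers(text):
    """The raw text plus one decoded layer for every eval(base64_decode('...')) found."""
    out = [text]
    for blob in EVAL_B64.findall(text):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return out

def scan_file(path, head_lines=15):
    """Flag an eval/base64 block near the top of the file and any known indicator."""
    text = path.read_text(errors="replace")
    hits = []
    if EVAL_B64.search("\n".join(text.splitlines()[:head_lines])):
        hits.append(f"{path.name}: eval(base64_decode()) within the first {head_lines} lines")
    hits += [f"{path.name}: indicator {i}" for layer in layers(text) for i in INDICATORS if i in layer]
    return list(dict.fromkeys(hits))  # de-duplicate, keep order

def scan_site(root):
    hits = []
    for name in ("header.php", "footer.php"):  # the two files this campaign injects into
        for p in sorted((root / "wp-content" / "themes").rglob(name)):
            hits += scan_file(p)
    hits += [f"{d / h}: hidden redirect-URL store present"
             for h in HIDDEN_FILES for d in (root, Path("/var/tmp")) if (d / h).exists()]
    return hits

def demo():
    """Constructed sample site: a harmless stub payload that only carries the indicators."""
    root = Path(tempfile.mkdtemp())
    theme = root / "wp-content" / "themes" / "currenttheme"
    theme.mkdir(parents=True)
    stub = "if ($_GET['6FoNxbvo73BHOjhxokW3'] !== NULL) {} /* 896diC9OFnqeAcKGN7fW */"
    blob = base64.b64encode(stub.encode()).decode()
    (theme / "header.php").write_text(f"<?php eval(base64_decode('{blob}')); ?>\n<html>")
    (root / ".SIc7CYwgY").write_text("IyUOPGlbfjUHCiwgXwZ1aRIpFA==")
    return scan_site(root)
```

Run scan_site() against a real document root to triage; any hit is a reason to pull the theme files for manual review, since the regex only catches the plain base64 shape and not every packer.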

Joomla variant

The same search results show that this attack also affects Joomla sites, where it injects the same code into the administrator/includes/help.php file.

Infection vector

In most cases, the infected sites had multiple vulnerabilities, and this infection was one of several in the environment rather than an isolated event. In some cases, it was the only infection and was found in the header.php file of the active theme. This is a typical scenario for attackers who gain access to the WordPress admin interface and modify the current theme’s files directly from there.

Log analysis proved this hypothesis:

- - [07/Apr/2016:13:01:35 -0400] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 268 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36"
- - [07/Apr/2016:13:01:36 -0400] "GET /wp-admin/theme-editor.php?file=header.php&theme=Chameleon&scrollto=0&updated=true HTTP/1.1" 200 49057 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36"
- - [07/Apr/2016:13:01:39 -0400] "GET /?6FoNxbvo73BHOjhxokW3=1&url=http%3A%2F%2Fdefault7.com&chance=7 HTTP/1.1" 200 22 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"

This log snippet shows how someone with an IP address from Singapore logged into the site and went straight to the theme editor to edit the header.php file. A few seconds later, the same person used curl to check the injection using the 6FoNxbvo73BHOjhxokW3 parameter, which is known only to the attacker.
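The same correlation as a script over access-log lines, added here as an example (not from the original article): it pairs a POST to theme-editor.php with a later request carrying the 6FoNxbvo73BHOjhxokW3 parameter, which is the sequence shown above. The sample entries are constructed from the three quoted above, with the redacted client IP replaced by a documentation-range address and one ordinary visitor hit added.

```python
import re
from datetime import datetime, timedelta

# Combined log format, reduced to the fields needed: client IP, timestamp, request line, user agent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
CHECK_PARAM = "6FoNxbvo73BHOjhxokW3"  # parameter the attacker used to verify the injection

# Constructed sample: the three entries quoted in the article (their client IP was redacted,
# so a documentation-range address stands in) plus one ordinary visitor hit.
UA_CHROME = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36"
SAMPLE_LOG = [
    f'203.0.113.5 - - [07/Apr/2016:13:01:35 -0400] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 268 "-" "{UA_CHROME}"',
    f'203.0.113.5 - - [07/Apr/2016:13:01:36 -0400] "GET /wp-admin/theme-editor.php?file=header.php&theme=Chameleon'
    f'&scrollto=0&updated=true HTTP/1.1" 200 49057 "-" "{UA_CHROME}"',
    '203.0.113.5 - - [07/Apr/2016:13:01:39 -0400] "GET /?6FoNxbvo73BHOjhxokW3=1&url=http%3A%2F%2Fdefault7.com'
    '&chance=7 HTTP/1.1" 200 22 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3"',
    '198.51.100.7 - - [07/Apr/2016:14:30:00 -0400] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/45.0"',
]

def parse(line):
    """Return a dict for a well-formed entry (timestamp parsed), or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_theme_editor_abuse(lines, window=timedelta(minutes=5)):
    """Pair each POST to theme-editor.php with a later request carrying the attacker's
    check parameter; a pair inside the window is a strong sign of this injection."""
    recs = [r for r in map(parse, lines) if r]
    edits = [r for r in recs if r["method"] == "POST" and r["path"].startswith("/wp-admin/theme-editor.php")]
    checks = [r for r in recs if f"{CHECK_PARAM}=" in r["path"]]
    alerts = []
    for e in edits:
        for c in checks:
            delay = c["ts"] - e["ts"]
            if timedelta(0) <= delay <= window:
                alerts.append({"editor_ip": e["ip"], "edit_at": e["ts"].isoformat(), "check_ip": c["ip"],
                               "check_ua": c["ua"], "delay_s": int(delay.total_seconds())})
    return alerts
```

On a real log, a POST to theme-editor.php from an unfamiliar IP is worth reviewing on its own, even without the follow-up check request.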

An easy way to prevent this is to turn off the ability for users to edit PHP files through wp-admin (there is a good guide on WPBeginner). You can do this by adding the following snippet to your wp-config.php file:

# Disable Theme Editing
define( 'DISALLOW_FILE_EDIT', true );

That is why, after removing the malware, it is important to change all passwords, scan for malicious administrator accounts, and of course make sure that WordPress and all third-party themes and plugins are up to date. We have a more comprehensive list of the steps you can take after a compromise, and you can also find specific post-hack steps in the post-hack section of our free WordPress security guide. If your website is hacked, we can clean and protect it for you.
