Hello Members,
A group of hackers is exploiting vulnerabilities in over ten WordPress plugins to create fake administrator accounts on WordPress sites across the network.
The attacks are an escalation of a hacking campaign that began a month ago.
In previous attacks, hackers exploited vulnerabilities in the same plugins to inject malicious code into hacked sites.
This code aimed to show pop-up ads or redirect visitors to other websites.
However, two weeks ago, the same group of hackers behind these attacks changed tactics and modified the code injected into the compromised sites.
Instead of simply inserting ads or redirects, the code also executed a function to test whether the site visitor could create user accounts on the site and whether the user had a WordPress administrator profile.
The code waited for the administrator to access their website, and when they did, it created a new administrator account called wpservices.
After this campaign, the group changed tactics again when creating these accounts: the aim is to exploit the sites for economic gain and, incidentally, to add backdoors that can be used in the future for other purposes.
These attacks exploit vulnerabilities of the following plugins:
- Bold Page Builder
- Blog Designer
- Live Chat with Facebook Messenger
- Yuzo Related Posts
- Visual CSS Style Editor
- WP Live Chat Support
- Form Lightbox
- Hybrid Composer
- All plugins from NicDark (nd-booking, nd-travel, nd-learning)
Each plugin in the list links to its respective vulnerability, so if you use any of them you can check which version you need to update to in order to be safe.
Once you update the plugins, check the list of users to see if there is an unfamiliar administrator, such as the one I mentioned above, or any other that should not be there. If you find any, delete them without mercy.
If you have more problems, such as injected code or strange behaviors, hire a professional to clean your installation. Don't make any more excuses; hire a professional WordPress maintenance service to avoid these problems in the future.
Regards,
Nhtadmin
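As an added example (not part of the original post), this script does the administrator check described above. It reads the CSV printed by `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv` and reports every account that needs review. The expected-administrator list, the campaign start date and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Account name reported in the post above.
CAMPAIGN_LOGINS = {"wpservices"}


def audit_admins(csv_text, expected_logins, window_start):
    """Return {login: [reasons]} for administrator rows that need review.

    expected_logins: administrators you know are legitimate (assumption:
                     you keep such a list for each site).
    window_start:    'YYYY-MM-DD'; accounts created on or after this date
                     are flagged even if their name looks harmless.
    """
    expected = {name.lower() for name in expected_logins}
    start = datetime.strptime(window_start, "%Y-%m-%d")
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"].strip()
        reasons = []
        if login.lower() in CAMPAIGN_LOGINS:
            reasons.append("name used by this campaign")
        if login.lower() not in expected:
            reasons.append("not on the expected-administrator list")
        created = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if created >= start:
            reasons.append("created inside the campaign window")
        if reasons:
            findings[login] = reasons
    return findings


# Constructed sample input: logins, e-mail addresses and dates are invented.
SAMPLE = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2022-03-02 09:15:00
7,editor-anna,anna@example.com,2023-11-20 14:02:31
42,wpservices,wpservices@example.invalid,2024-05-21 03:44:10
43,support_team,support@example.invalid,2024-05-25 22:10:05
"""

if __name__ == "__main__":
    report = audit_admins(SAMPLE, ["siteowner", "editor-anna"], "2024-05-01")
    for login, reasons in report.items():
        print(f"{login}: " + "; ".join(reasons))
```

An account that appears in the report only because of its creation date may be legitimate; confirm with whoever manages the site before deleting it.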