Can confirm this malware also affected my (up-to-date) website. Affected several files (probably random ones) including index.php, with the same redirect effect.
Here’s a list of the files that were modified on that day:
May 18 14:02 (WP dir)/wp-content/plugins/pluginsamonsters/data/index.php
May 18 14:02 (WP dir)/wp-content/plugins/pluginsamonsters/file.txt
May 18 14:02 (WP dir)/wp-content/plugins/pluginsamonsters/pluginsamonsters.php
May 18 15:56 (WP dir)/wp-content/wpplugdata.php
May 18 16:00 (WP dir)/wp-includes/wpcfgdata.php
May 18 23:11 (WP dir)/71ba5704c07aec55402cb7d674cb5783
May 18 23:36 (WP dir)/index.php
These are the original requests that came in at this exact time:
192.0.118.80 - - [18/May/2018:14:02:56 +0000] "POST /xmlrpc.php?for=jetpack&token=%25ZV%25e%2AyVgCkodv7ZoA4KO9jn7%24c5LdSL%3A1%3A1&timestamp=1526652174&nonce=uWZCunBY4i&body-hash=FLNF91tE7%2FP9uGGBbT2YAcWsn4E%3D&signature=M3GDps7X9UNzaO96bD5V5iER7xk%3D HTTP/1.1" 200 343 "http://(site name).com/xmlrpc.php?for=jetpack&token=%25ZV%25e%2AyVgCkodv7ZoA4KO9jn7%24c5LdSL%3A1%3A1&timestamp=1526652174&nonce=uWZCunBY4i&body-hash=FLNF91tE7%2FP9uGGBbT2YAcWsn4E%3D&signature=M3GDps7X9UNzaO96bD5V5iER7xk%3D" "Jetpack by WordPress.com"
192.0.112.146 - - [18/May/2018:14:02:59 +0000] "POST /wp-admin/admin-ajax.php?token=%25ZV%25e%2AyVgCkodv7ZoA4KO9jn7%24c5LdSL%3A1%3A1&timestamp=1526652177&nonce=Ykai3fBvSX&body-hash=FprKkZ6nIK6lOYEpkmGDmaH9aWY%3D&signature=QAttoXUYa7rovlGTayTlK0%2B8NrY%3D HTTP/1.1" 200 142 "-" "Jetpack by WordPress.com"
192.0.112.146 - - [18/May/2018:14:03:02 +0000] "POST /xmlrpc.php?for=jetpack&token=%25ZV%25e%2AyVgCkodv7ZoA4KO9jn7%24c5LdSL%3A1%3A1&timestamp=1526652179&nonce=04pXRYvOWX&body-hash=ZWYgYC%2FJ2nUvDLk7xa1ecrtIxP8%3D&signature=5mPazqD%2Br1NptCEqRFF7Kq0%2BWR0%3D HTTP/1.1" 200 625 "http://(site name).com/xmlrpc.php?for=jetpack&token=%25ZV%25e%2AyVgCkodv7ZoA4KO9jn7%24c5LdSL%3A1%3A1&timestamp=1526652179&nonce=04pXRYvOWX&body-hash=ZWYgYC%2FJ2nUvDLk7xa1ecrtIxP8%3D&signature=5mPazqD%2Br1NptCEqRFF7Kq0%2BWR0%3D" "Jetpack by WordPress.com"
This reply was modified 2 years, 9 months ago by drjedd.
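The post above pairs a list of modified files with the Jetpack-signed requests logged at the same minute. The script below, an added example that is not part of the thread, does that correlation mechanically: it parses Apache combined-format lines, keeps only signed POSTs to the Jetpack endpoints (the `token`/`timestamp`/`nonce`/`signature` parameters with the "Jetpack by WordPress.com" user agent), and lists, for each modified file, which of those requests landed within a two-minute window after its minute-resolution mtime. It also reports the gap between the `timestamp` parameter in the signed URL and the server's log time. The file list and the three log lines are the ones from the post (referer fields dropped); the year 2018, the one ordinary browser request, and the window length are assumptions for the example.

```python
"""Correlate modified-file mtimes with Jetpack-signed POSTs in an access log (added example)."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# From the post above; only minute resolution. Year 2018 is assumed from the log lines.
MODIFIED_FILES = """\
May 18 14:02 (WP dir)/wp-content/plugins/pluginsamonsters/data/index.php
May 18 14:02 (WP dir)/wp-content/plugins/pluginsamonsters/file.txt
May 18 14:02 (WP dir)/wp-content/plugins/pluginsamonsters/pluginsamonsters.php
May 18 15:56 (WP dir)/wp-content/wpplugdata.php
May 18 16:00 (WP dir)/wp-includes/wpcfgdata.php
May 18 23:11 (WP dir)/71ba5704c07aec55402cb7d674cb5783
May 18 23:36 (WP dir)/index.php
"""

# The three Jetpack requests from the post (referer replaced by "-") plus one
# constructed ordinary browser hit that must not be flagged.
ACCESS_LOG = """\
203.0.113.7 - - [18/May/2018:14:01:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.118.80 - - [18/May/2018:14:02:56 +0000] "POST /xmlrpc.php?for=jetpack&token=%25ZV%25e%2AyVgCkodv7ZoA4KO9jn7%24c5LdSL%3A1%3A1&timestamp=1526652174&nonce=uWZCunBY4i&body-hash=FLNF91tE7%2FP9uGGBbT2YAcWsn4E%3D&signature=M3GDps7X9UNzaO96bD5V5iER7xk%3D HTTP/1.1" 200 343 "-" "Jetpack by WordPress.com"
192.0.112.146 - - [18/May/2018:14:02:59 +0000] "POST /wp-admin/admin-ajax.php?token=%25ZV%25e%2AyVgCkodv7ZoA4KO9jn7%24c5LdSL%3A1%3A1&timestamp=1526652177&nonce=Ykai3fBvSX&body-hash=FprKkZ6nIK6lOYEpkmGDmaH9aWY%3D&signature=QAttoXUYa7rovlGTayTlK0%2B8NrY%3D HTTP/1.1" 200 142 "-" "Jetpack by WordPress.com"
192.0.112.146 - - [18/May/2018:14:03:02 +0000] "POST /xmlrpc.php?for=jetpack&token=%25ZV%25e%2AyVgCkodv7ZoA4KO9jn7%24c5LdSL%3A1%3A1&timestamp=1526652179&nonce=04pXRYvOWX&body-hash=ZWYgYC%2FJ2nUvDLk7xa1ecrtIxP8%3D&signature=5mPazqD%2Br1NptCEqRFF7Kq0%2BWR0%3D HTTP/1.1" 200 625 "-" "Jetpack by WordPress.com"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
FILE_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<hm>\d{2}:\d{2}) (?P<path>.+)$")

# Endpoints WordPress.com calls on the site through Jetpack, and the params a signed call carries.
JETPACK_ENDPOINTS = {"/xmlrpc.php", "/wp-admin/admin-ajax.php"}
SIGNED_PARAMS = {"token", "timestamp", "nonce", "signature"}


def parse_log_line(line):
    """Parse one Apache combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": url.path,
        "params": parse_qs(url.query),
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def is_jetpack_signed(rec):
    """True for a POST to a Jetpack endpoint carrying the WordPress.com request signature."""
    return (rec["method"] == "POST" and rec["path"] in JETPACK_ENDPOINTS
            and SIGNED_PARAMS.issubset(rec["params"]) and "Jetpack" in rec["ua"])


def signing_skew(rec):
    """Seconds between the signed `timestamp` parameter and the server's log time."""
    return int(rec["time"].timestamp()) - int(rec["params"]["timestamp"][0])


def parse_modified_files(text, year):
    """Turn 'Mon DD HH:MM path' lines into (UTC mtime, path) pairs."""
    out = []
    for line in text.strip().splitlines():
        m = FILE_RE.match(line)
        if m:
            mtime = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hm']}", "%Y %b %d %H:%M")
            out.append((mtime.replace(tzinfo=timezone.utc), m["path"]))
    return out


def correlate(modified, records, window=timedelta(minutes=2)):
    """Map each modified path to the Jetpack-signed requests logged within `window` after its
    mtime. An empty list means nothing in the log excerpt accounts for that write."""
    jetpack = [r for r in records if is_jetpack_signed(r)]
    return {
        path: [(r["ip"], r["time"].strftime("%H:%M:%S"), r["path"], signing_skew(r))
               for r in jetpack if mtime <= r["time"] < mtime + window]
        for mtime, path in modified
    }


def report(files_text=MODIFIED_FILES, log_text=ACCESS_LOG, year=2018):
    records = [r for r in map(parse_log_line, log_text.strip().splitlines()) if r]
    hits = correlate(parse_modified_files(files_text, year), records)
    for path, reqs in hits.items():
        print(f"{path}: {'Jetpack-signed POST(s) in window' if reqs else 'no Jetpack request in window'}")
        for ip, t, endpoint, skew in reqs:
            print(f"    {t} {ip} {endpoint} (signed {skew}s before logging)")
    return hits


if __name__ == "__main__":
    report()
```

On the post's own data the three `pluginsamonsters` files line up with the three signed requests (signed 2 to 3 seconds before the server logged them), while `wpplugdata.php`, `wpcfgdata.php`, the hash-named file and `index.php` have no Jetpack request in their windows, so the log excerpt alone does not show what wrote them. Run it against the full day's log with `ls -l --time-style='+%b %d %H:%M'` output from the install to see whether those later writes were made through Jetpack too or through the uploaded plugin directly.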
Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.
If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.
@drjedd It doesn’t appear those requests are *directly* related to the installation of a rogue plugin on your website. If you want to pursue this more, start another thread and let’s have a looksee.
Hello again,
If anyone is experiencing a similar experience, I did some searching and found this likely explanation for how the malware got plugin access:
An attacker will sign in to a WordPress.com account using compromised credentials.
If that account on WordPress.com is set up to manage any WordPress.org WordPress installations via the Jetpack plugin, the attacker will use that access to install a malicious “pluginsamonsters” plugin on the target site.
The plugin gives the attacker full control of the target website and the site is now compromised. The plugin is visible on the WordPress.com dashboard but is invisible on the target WordPress site’s plugin list when active. (It is visible when deactivated)
For this attack to occur, the following conditions need to be met:
The site owner must have Jetpack installed.
Jetpack must be configured to allow the site to be managed from a WordPress.com account.
The WordPress.com account must have compromised credentials. This usually happens when you have reused an email/password combination on another site or service that has been compromised.
The WordPress.com account must not have two-factor authentication enabled.
Source: https://www.facebook.com/CVTF.StudiosDOTnet/posts/10160479953070165
This matches with my case as I had Jetpack installed and a somewhat lower-than-ideal security password for my wordpress.com account (I must have set it up prior to using a password manager).
For those who have been affected, I recommend setting up two-factor authentication on WordPress.com or decoupling the wordpress.com account from your site altogether.
To clean up you will need server logs to check which files were affected (some random files, index.php which contains an encoded redirect script, and especially the /pluginsamonsters/ directory which contains a direct server upload script anyone can use). I’m just going for a fresh reinstall with all the latest security buffs.
Have a good one,
jedd
This reply was modified 2 years, 9 months ago by drjedd. Reason: Actual quote not just link
Thanks for that @drjedd. This most certainly is what is being exploited via Jetpack related to @finou314’s original inquiry.