Malware – Pluginsamonsters

finou314
(@finou314)

2 years, 9 months ago

Hello,
Sorry for this message in English translated from French from Google Translate …
I have for some time a malware that redirects one of my blogs wordpress. The index.php file is infected with code 64. In WordPress I see an unknown plugin: pluginsamonsters that is installed.
Wordfence warns me that jsquery.php has been changed.
I reinstalled my database and a new wordpress but the malware comes back.
How to get rid of it?

Best regards

—–

Bonjour,
Désolé pour ce message en anglais traduit du français depuis Google Traduction…
J’ai depuis quelques temps un malware qui redirige un de mes blogs wordpress. Le fichier index.php est infecté avec un code 64. Dans WordPress je vois un plugin inconnu : pluginsamonsters qui est installé.
Wordfence me signale que jsquery.php a été modifié.
J’ai réinstallé ma base et un nouveau wordpress mais le malware revient.
Comment m’en débarrasser ?

Bien cordialement

Viewing 5 replies - 1 through 5 (of 5 total)

drjedd
(@drjedd)

2 years, 9 months ago
Can confirm this malware also affected my (up-to-date) website. Affected several files (probably random ones) including index.php, with the same redirect effect.

Here’s a list of the files that were modified on that day:

May 18 14:02
(WP dir)/wp-content/plugins/pluginsamonsters/data/index.php
May 18 14:02
(WP dir)/wp-content/plugins/pluginsamonsters/file.txt
May 18 14:02
(WP dir)/wp-content/plugins/pluginsamonsters/pluginsamonsters.php
May 18 15:56 (WP dir)/wp-content/wpplugdata.php
May 18 16:00 (WP dir)/wp-includes/wpcfgdata.php
May 18 23:11
(WP dir)/71ba5704c07aec55402cb7d674cb5783
May 18 23:36 (WP dir)/index.php

These are the original requests that came in at this exact time:
```
192.0.118.80 - - [18/May/2018:14:02:56 +0000] "POST
/xmlrpc.php?for=jetpack&token=%25ZV%25e%2AyVgCkodv7ZoA4KO9jn7%24c5LdSL%3A1%3A1&timestamp=1526652174&nonce=uWZCunBY4i&body-hash=FLNF91tE7%2FP9uGGBbT2YAcWsn4E%3D&signature=M3GDps7X9UNzaO96bD5V5iER7xk%3D
HTTP/1.1" 200 343
"http://(site name).com/xmlrpc.php?for=jetpack&token=%25ZV%25e%2AyVgCkodv7ZoA4KO9jn7%24c5LdSL%3A1%3A1&timestamp=1526652174&nonce=uWZCunBY4i&body-hash=FLNF91tE7%2FP9uGGBbT2YAcWsn4E%3D&signature=M3GDps7X9UNzaO96bD5V5iER7xk%3D"
"Jetpack by WordPress.com"
```
```
192.0.112.146 - - [18/May/2018:14:02:59 +0000] "POST
/wp-admin/admin-ajax.php?token=%25ZV%25e%2AyVgCkodv7ZoA4KO9jn7%24c5LdSL%3A1%3A1&timestamp=1526652177&nonce=Ykai3fBvSX&body-hash=FprKkZ6nIK6lOYEpkmGDmaH9aWY%3D&signature=QAttoXUYa7rovlGTayTlK0%2B8NrY%3D
HTTP/1.1" 200 142 "-" "Jetpack by WordPress.com"
```
```
192.0.112.146 - - [18/May/2018:14:03:02 +0000] "POST
/xmlrpc.php?for=jetpack&token=%25ZV%25e%2AyVgCkodv7ZoA4KO9jn7%24c5LdSL%3A1%3A1&timestamp=1526652179&nonce=04pXRYvOWX&body-hash=ZWYgYC%2FJ2nUvDLk7xa1ecrtIxP8%3D&signature=5mPazqD%2Br1NptCEqRFF7Kq0%2BWR0%3D
HTTP/1.1" 200 625
"http://(site name).com/xmlrpc.php?for=jetpack&token=%25ZV%25e%2AyVgCkodv7ZoA4KO9jn7%24c5LdSL%3A1%3A1&timestamp=1526652179&nonce=04pXRYvOWX&body-hash=ZWYgYC%2FJ2nUvDLk7xa1ecrtIxP8%3D&signature=5mPazqD%2Br1NptCEqRFF7Kq0%2BWR0%3D"
"Jetpack by WordPress.com"
```
- This reply was modified 2 years, 9 months ago by drjedd.
Moderator Steven Stern (sterndata)
(@sterndata)

Forum Moderator & Support Team Volunteer

2 years, 9 months ago

Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

te_taipo
(@te_taipo)

2 years, 9 months ago

@drjedd It doesn’t appear those requests are *directly* related to the installation of a rogue plugin on your website. If you want to pursue this more, start another thread and lets have a looksee.
drjedd
(@drjedd)

2 years, 9 months ago
Hello again,

If anyone is experiencing a similar experience, I did some searching and found this likely explanation for how the malware got plugin access:

An attacker will sign in to a WordPress.com account using compromised credentials.
If that account on WordPress.com is set up to manage any WordPress.org WordPress installations via the Jetpack plugin, the attacker will use that access to install a malicious “pluginsamonsters” plugin on the target site.
The plugin gives the attacker full control of the target website and the site is now compromised. The plugin is visible on the WordPress.com dashboard but is invisible on the target WordPress site’s plugin list when active. (It is visible when deactivated)

For this attack to occur, the following conditions need to be met:

The site owner must have Jetpack installed.
Jetpack must be configured to allow the site to be managed from a WordPress.com account.
The WordPress.com account must have compromised credentials. This usually happens when you have reused an email/password combination on another site or service that has been compromised.
he WordPress.com account must not have two factor authentication enabled.

Source: https://www.facebook.com/CVTF.StudiosDOTnet/posts/10160479953070165

This matches with my case as I had JetpPack installed and a somewhat lower-than-ideal security password for my wordpress.com account (I must have set it up prior to using a password manager)

For those who have been affected, I recommend setting up two-factor authentification on WordPress.com or decouple the wordpress.com account from your site altogether.

To clean up you will need server log to check which file was affected (some random files, index.php which contains an encoded redirect script, and especially the /pluginsamonster/ directory which contains a direct server upload script anyone can use). I’m just going for a fresh reinstall with all the latest security buffs.

Have a good one,

jedd
- This reply was modified 2 years, 9 months ago by drjedd. Reason: Actual quote not just link
te_taipo
(@te_taipo)

2 years, 9 months ago

Thanks for that @drjedd. This most certainly is what is being exploited via Jetpack related to @finou314’s original inquiry.