
Backdoor Found in WordPress Plugin


For the past two and a half months, a WordPress plugin named Display Widgets has been used to install a backdoor on WordPress sites across the Internet.

The backdoor code was found between Display Widgets version 2.6.1 (released June 30) and version 2.6.3 (released September 2).

The WordPress.org team has intervened and removed the plugin from the official WordPress Plugins repository. At the time it was removed, the plugin was installed on more than 200,000 sites, although we cannot be sure how many of those were updated to a version that included the malicious behavior.

More surprising is that WordPress.org staff had already removed the plugin three times before for similar violations. A history of events is compiled below, put together from data aggregated from three separate investigations, by David Law, White Fir Design, and Wordfence.

Plugin sold to new developer in May

The original Display Widgets is a plugin that allowed WordPress site owners to control which, how, and when WordPress widgets appear on their sites.

Stephanie Wells of Strategy11 developed the plugin, but after shifting her focus to a premium version, she decided to sell the open source version to a new developer who would have the time to cater to its user base.

A month after buying the plugin in May, its new owner released a first new version — v2.6.0 — on June 21.

First takedown

A day later, David Law, an SEO consultant and the author of a competing plugin named Display Widgets SEO Plus, sent an email to the WordPress.org team informing them that version 2.6.0 was breaking WordPress plugin rules by downloading over 38MB of code from a third-party server.

According to Law, this 38MB of code contained tracking features that logged traffic on websites running Display Widgets 2.6.0. The extra code collected data such as visitor IP addresses, user-agent strings, the domain where the data was collected, and the page the visitor was viewing, and sent this information to a third-party server.

Other users also spotted this behavior and reported the issue via the plugin's support forum on WordPress.org.

Following Law's report, the WordPress.org team removed the plugin from the WordPress Plugins repository the following day.

Second takedown

A week later, on July 1, the plugin's new author managed to reinstate the plugin and release a new version — v2.6.1. This version integrated the 38MB file (geolocation.php) inside the plugin, to avoid breaking WordPress.org rules which say that plugins cannot download code from third-party servers.

Law, who was already keeping an eye on the plugin, again contacted the WordPress.org staff about the plugin. This time around, he reported that the plugin was now featuring a malicious backdoor that allowed the plugin's owner to connect to remote sites and create new pages or posts. The user traffic logging feature was also still present.

A day later, the plugin was removed from the official WordPress Plugins repository for the second time in a week.

Third takedown

Undeterred by the takedowns, the plugin's new author tried his luck again. According to the plugin changelog, the new author published version 2.6.2 to the WordPress Plugins repository on July 6.

For a few days, the plugin appears to have stopped all malicious behavior. Unfortunately, this did not last. On July 23, a user named Calvin Ngan filed complaints with the WordPress staff, accusing the plugin of "[creating] undetectedable [sic] pages with spammy links."

Just like Law did before, Ngan says he tracked the malicious behavior to the geolocation.php file, added by the plugin's new author in version 2.6.1.

Investigators discovered that this version was creating new pages into which it inserted links to other sites. These pages and blog posts did not appear in the backend administration panel. Furthermore, the plugin hid these spam pages from logged-in users (usually site admins); only logged-out users, that is, normal site visitors, were shown the new pages.

To create these secret posts, the plugin contacted a remote domain from where it retrieved the content it was supposed to insert in the page. Wordfence has tracked the plugin contacting the following domains, all hosted on the same server at 52.173.202.113:

- stopspam.io (registered July 2, 2017)
- w-p.io (registered July 11, 2017)
- geoip2.io (registered July 24, 2017)
- maxmind.io (registered July 24, 2017)
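Site owners who ran the plugin during this window would want a quick way to check whether a copy on disk is one of the tainted builds. The scanner below is an added example, not code from the article, from Wordfence, or from the plugin itself. It assumes only the standard WordPress plugin-header `Version:` line, treats 2.6.0 through 2.6.3 as the suspect range (the page attributes tracking code to 2.6.0 and the backdoor to 2.6.1 onward), and looks for the `geolocation.php` file, the four domains listed above and their shared host 52.173.202.113. The plugin directory it builds to scan is constructed sample data.

```python
"""Offline indicator scan for the Display Widgets incident.

Added example, not code from the article or from the plugin. It walks a
WordPress plugin directory and reports the indicators described on the page:
the new owner's versions 2.6.0-2.6.3, the geolocation.php file added in 2.6.1,
the four domains Wordfence observed, and their shared host 52.173.202.113.
"""
import os
import re
import tempfile

# Indicators taken from the article. The version bounds are the range the
# page reports as carrying tracking or backdoor code (2.6.0 through 2.6.3).
SUSPECT_DOMAINS = ("stopspam.io", "w-p.io", "geoip2.io", "maxmind.io")
SUSPECT_IP = "52.173.202.113"
SUSPECT_FILE = "geolocation.php"
FIRST_BAD_VERSION = (2, 6, 0)
LAST_BAD_VERSION = (2, 6, 3)

# Whole-host matches only: maxmind.com (the legitimate GeoIP vendor) must not
# trip the maxmind.io indicator.
DOMAIN_RE = re.compile(
    r"(?<![\w.-])(" + "|".join(re.escape(d) for d in SUSPECT_DOMAINS) + r")(?![\w-])",
    re.IGNORECASE,
)
IP_RE = re.compile(r"(?<![\d.])" + re.escape(SUSPECT_IP) + r"(?![\d.])")
# Standard WordPress plugin header line, e.g. " * Version: 2.6.1"
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)


def parse_version(text):
    """Return the plugin header version as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def version_is_suspect(version):
    """True if the header version falls in the range the page reports as bad."""
    return version is not None and FIRST_BAD_VERSION <= version <= LAST_BAD_VERSION


def scan_plugin_dir(plugin_dir):
    """Walk one plugin directory and return sorted (indicator, path) hits."""
    findings = []
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            path = os.path.join(root, name)
            if name.lower() == SUSPECT_FILE:
                findings.append(("suspect-file", path))
            if not name.lower().endswith((".php", ".js", ".txt", ".inc")):
                continue
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name.lower().endswith(".php"):
                v = parse_version(text)
                if version_is_suspect(v):
                    findings.append(("suspect-version:" + ".".join(map(str, v)), path))
            for m in DOMAIN_RE.finditer(text):
                findings.append(("suspect-domain:" + m.group(1).lower(), path))
            if IP_RE.search(text):
                findings.append(("suspect-ip:" + SUSPECT_IP, path))
    return sorted(set(findings))


def summarize(findings):
    """Return the distinct indicator kinds hit, for a quick triage verdict."""
    return sorted({kind.split(":")[0] for kind, _path in findings})


def build_fixture():
    """Create a throwaway plugin directory modelled on the incident (constructed
    sample data, not files from the real plugin) and return its path."""
    base = tempfile.mkdtemp(prefix="dw-scan-")
    plugin = os.path.join(base, "display-widgets")
    os.makedirs(plugin)
    with open(os.path.join(plugin, "display-widgets.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n/*\nPlugin Name: Display Widgets\nVersion: 2.6.1\n*/\n")
    with open(os.path.join(plugin, SUSPECT_FILE), "w", encoding="utf-8") as fh:
        # Constructed stand-in for the remote fetch the article describes.
        fh.write("<?php\n$u = 'https://stopspam.io/api/';\n$h = '52.173.202.113';\n")
    with open(os.path.join(plugin, "readme.txt"), "w", encoding="utf-8") as fh:
        fh.write("Uses the GeoIP database from maxmind.com for lookups.\n")
    return plugin


if __name__ == "__main__":
    hits = scan_plugin_dir(build_fixture())
    for kind, path in hits:
        print(kind, os.path.basename(path))
    print("indicator kinds:", summarize(hits))
```

Point `scan_plugin_dir` at `wp-content/plugins/display-widgets` on a real install to use it; a version hit alone says the tainted build was installed, while domain or IP hits in files outside that directory would suggest the injected content has spread further and the database (the spam posts live in `wp_posts`, and the plugin's own reply mentions `wp_options`) needs checking as well.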

A day after Ngan's report, the WordPress team removed the Display Widgets plugin from the official site for the third time.

Fourth takedown

Once more, the new authors did not give up. On September 2 they uploaded version 2.6.3 to the WordPress repository.

This version was malicious as well: on September 7, another user complained that the plugin was once more inserting spammy links into his site.

In two replies posted on the plugin's support topic, two people posting from the plugin's official account tried to downplay the incident, claiming that affected sites had been hacked because combining the geolocation.php code with other plugins had opened them to exploitation.

Hi,
The other admin here. Unfortunately the addition of the GEO Location made the software vulnerable to an exploit if used in conjunction with other popular plugins.
The latest update fixed and sanitised the vulnerability. A simple empty of the cache & clearing of the wp_options table (if affected) should remove that post.
Again I apologise. But this should fix it. We estimate only around 100 or so sites to be compromised.
Thanks
DW

Plugin removed for good

The plugin was once again removed from the WordPress.org Plugins repository on September 8, for the fourth time. This time, the removal seems to be permanent.

WordPress.org staff appear to have taken over the plugin and have released version 2.7.0, which contains the exact same code as version 2.0.5, the plugin's last clean version before it was sold to the new owner.

The plugin is not available on the WordPress.org official site anymore, meaning it's not available for new installs, but the update will appear in the backends of WordPress sites where the plugin is still installed.

Plugin bought by company specialized in buying old plugins

The Wordfence team, led by its CEO Mark Maunder, has also invested some time into tracking down who was behind the backdoor attacks.

Maunder says he tracked down the plugin's buyer to a service called WP Devs. As the company states on its homepage, it is a service that buys old and abandoned plugins, and it currently owns 34 other plugins.

According to Maunder's investigation, WP Devs appear to be run by two persons, one from the US and one he believes is based in Russia.

Maunder also reached out to one of the WP Devs owners, who claimed that he bought the plugin for $15,000 and later resold it for $20,000 to a company in California that made him sign a non-disclosure agreement (NDA), which now prevents him from saying more. At the time of writing, it is unclear whether the WP Devs spokesperson was telling the truth.

Maunder also points out that whoever was behind the four malicious Display Widgets versions inserted the backdoor code intentionally; this does not appear to be a case where someone copy-pasted malicious code from another project by accident.

He bases this conclusion on the fact that version 2.6.3 (the last malicious version) also included a bugfix in the backdoor code, meaning the plugin's new author knew exactly what he was doing.

WordPress.org staffers are being called out

The Wordfence CEO also asked the WordPress community to be kind and understanding with the WordPress staff regarding this recent incident, despite malicious behavior being discovered four times in the same plugin.

"Please note that many of the forum moderators and plugin repository maintainers are volunteers," Maunder says. "Please do not judge them harshly – in general they do a pretty darn good job of keeping an extremely large repository and support forum system running smoothly for the most popular CMS on earth."

On the other hand, White Fir Design and David Law do not see it that way. Law especially, since he was admonished by a WordPress moderator who closed one of his reports on the grounds of "not [being] fine to go to that other plugin['s support forum] and speculate that way."

White Fir Design representatives, who run the Plugin Vulnerabilities blog, would also like to see WordPress simplify the process of reporting security issues, and some accountability on the part of WordPress.org maintainers.

"What this situation really calls for is a full accounting of what happened on the WordPress side, because the bits and pieces we have so far seem to indicate things went very wrong," the White Fir Design team said. "Without knowing what went wrong it seems unlikely the problems will get fixed, so that when another plugin gets taken over by someone with malicious intent the damage caused does not go on like it did with this for several months."

UPDATE [September 13, 16:55 ET]: Wordfence researchers have continued to dig into the new owners of the Display Widgets plugin, and they believe they have identified the person behind it. They say he is the same person behind the hijacking of the 404 to 301 WordPress plugin, which was also used to show spam links and content on third-party sites without their owners' knowledge.
