Hackers' New Method of Hacking WordPress!
Hackers these days are using a new way to hack WordPress sites to gain control of the admin panel and your database. For beginners it is really hard to identify the threat.
We are now sharing this knowledge with you so you can protect your sites. This attack was used on almost all the WordPress sites of my customers. Note that I use the All in One SEO Pack plugin to keep basic SEO settings simple for my customers. The hacker used the name of the plugin to fool me.
The attack starts with a fake email that appears to come from the WordPress organisation. I have attached the screenshot below. I have also highlighted the fake parts by which you can identify that it is from a fake sender, not WordPress.
When I downloaded it and scanned it, it turned out to be obfuscated PHP. Nod Antivirus detects such scripts for you. Obfuscated PHP is PHP code that has been hidden: you cannot read it, or it looks different from normal PHP.
After this I even tried to open the obfuscated file, but the code was well hidden, so I tried the plugin to see what it would try to do, but I tried it offline on WampServer. Never attempt such things online.
I added it to the plugins, and it had almost exactly the look of the original plugin. It was also showing a fake update link within the plugins page. I assume that they used the original plugin and injected their code.
When I activated it, this plugin tried to add some lines of code in different parts of my WordPress. As I was on an offline server, with some permissions and extensions activated in WAMP to stop any changes made by it, nothing happened. But this plugin did try to inject plenty of code into my WordPress.
Below is the image of how the plugin looked there, and the fatal errors of the script, which could have been a successful attack on a live server.
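A static check for the two observations above (obfuscated PHP, and a plugin that looks like the original with code injected), added here as an example and not part of the original post. It assumes you have a known-good copy of the plugin archive from a source you trust; the plugin name, file names and sample contents are constructed, and the marker list is a heuristic of my choosing.

```python
import hashlib, io, re, zipfile

# Heuristic markers often present in obfuscated PHP. A hit means "read this
# file by hand before installing", not proof that the file is malicious.
MARKERS = {
    "eval": re.compile(rb"\beval\s*\("),
    "decode-chain": re.compile(rb"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "long-encoded-string": re.compile(rb"[A-Za-z0-9+/=]{200,}"),
}

def php_files(zip_bytes):
    """Map each .php path in a plugin archive to (sha256 hex digest, raw bytes)."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir() and info.filename.lower().endswith(".php"):
                data = zf.read(info)
                out[info.filename] = (hashlib.sha256(data).hexdigest(), data)
    return out

def triage(suspect_zip, known_good_zip):
    """Report PHP files in the suspect archive that the known-good copy lacks or
    that differ from it, with the obfuscation markers found. Nothing is executed."""
    good = php_files(known_good_zip)
    report = {}
    for path, (digest, data) in php_files(suspect_zip).items():
        if path in good and good[path][0] == digest:
            continue  # byte-identical to the trusted copy
        hits = sorted(name for name, rx in MARKERS.items() if rx.search(data))
        report[path] = {"status": "modified" if path in good else "added", "markers": hits}
    return report

def make_zip(files):
    """Build an in-memory zip from {path: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed sample archives (hypothetical plugin name and files, harmless content).
CLEAN = {"example-plugin/plugin.php": b"<?php\n/* Plugin Name: Example */\n",
         "example-plugin/admin.php": b"<?php\nfunction example_admin() { return 1; }\n"}
TAMPERED = dict(CLEAN)
TAMPERED["example-plugin/admin.php"] += b"eval(base64_decode('" + b"QUJD" * 60 + b"'));\n"
TAMPERED["example-plugin/inc/cache.php"] = b"<?php\n$a = 1;\n"

if __name__ == "__main__":
    for path, item in sorted(triage(make_zip(TAMPERED), make_zip(CLEAN)).items()):
        print(path, item["status"], ",".join(item["markers"]) or "no markers")
```

Only .php files are compared, so an archive that passes this check can still carry changes in other file types.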
I shared this to alert you about this new attack and to save your precious websites. Also share it with others so they can protect their sites. Never use nulled scripts, as they can give hackers access to your sites.
If you have any questions feel free to ask me in the comments below.