

Ethical Hacking News

Over 1,000 WordPress Sites Infected with Persistent Attacker Backdoors: A Growing Concern for Web Security


Over 1,000 WordPress sites have been compromised by third-party JavaScript code that injects four separate backdoors, enabling persistent attacker access. This alarming development underscores the evolving nature of cyber threats and highlights the critical need for proactive web security measures.

  • The malicious JavaScript code is served via cdn.csyndication[.]com, a domain referenced on over 908 websites.
  • Four different backdoors are used to facilitate persistent access by compromising website administrators and users alike.
  • Backdoor 1 uploads a fake plugin, Backdoor 2 injects malicious JavaScript into the core configuration file, Backdoor 3 adds an attacker-controlled SSH key, and Backdoor 4 executes remote commands.
  • These attacks highlight the critical need for website administrators to remain vigilant in protecting their platforms against such threats.



    In recent weeks, a concerning trend has emerged in the realm of web security, highlighting the ongoing struggle against malicious actors seeking to exploit vulnerabilities in popular platforms. According to a recent report from The Hacker News (THN), an estimated 1,000 WordPress sites have been compromised by third-party JavaScript code that injects four separate backdoors, thereby enabling persistent attacker access.

    This alarming development underscores the evolving nature of cyber threats, where attackers continually adapt and innovate their tactics to bypass security measures. In this instance, the malicious JavaScript code has been found to be served via cdn.csyndication[.]com, with as many as 908 websites containing references to the domain in question. The functions of the four backdoors are multifaceted, aiming to facilitate persistent access by compromising website administrators and users alike.

    The primary function of Backdoor 1 is to upload and install a fake plugin named "Ultra SEO Processor," which is then used to execute attacker-issued commands. This allows the attackers to gain unauthorized control over the compromised websites. Backdoor 2 injects malicious JavaScript into wp-config.php, thereby compromising the website's core configuration file. This has severe implications for website security, as it enables the attackers to modify and manipulate critical settings at will.

    Backdoor 3 adds an attacker-controlled SSH key to the ~/.ssh/authorized_keys file, enabling persistent remote access to the machine. This allows the attackers to maintain a backdoor into the compromised system, even after they have removed their initial malicious payload. The fourth and final backdoor is designed to execute remote commands and fetches another payload from gsocket[.]io, likely aimed at opening a reverse shell.
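
A defender-side audit for the four persistence points described above, as an added example that is not from the original report or from The Hacker News. The paths (`wp_root`, `home`), the allowlist of SSH key blobs and the sample tree are all constructed assumptions; only the plugin name and the two domains come from the article.

```python
import re, tempfile
from pathlib import Path

# Indicators named in the article (domains re-fanged only so they can be matched).
FAKE_PLUGIN, CDN, STAGE2 = "Ultra SEO Processor", "cdn.csyndication.com", "gsocket.io"

def audit(wp_root, home, known_keys):
    """Return sorted (kind, detail) findings for the four persistence points."""
    wp_root, home, found = Path(wp_root), Path(home), []
    # Backdoor 1: match the plugin header, not the folder name (which can be anything).
    for php in (wp_root / "wp-content" / "plugins").glob("*/*.php"):
        if re.search(r"Plugin Name:\s*" + re.escape(FAKE_PLUGIN), php.read_text(errors="replace"), re.I):
            found.append(("fake-plugin", php.relative_to(wp_root).as_posix()))
    # Backdoor 2: wp-config.php should hold PHP only; a <script> tag or the CDN is abnormal.
    cfg = wp_root / "wp-config.php"
    if cfg.is_file():
        text = cfg.read_text(errors="replace")
        if re.search(r"<script\b", text, re.I) or CDN in text:
            found.append(("wp-config-js", cfg.name))
    # Backdoor 3: every authorized_keys entry must be on the operator's allowlist.
    ak = home / ".ssh" / "authorized_keys"
    for line in ak.read_text(errors="replace").splitlines() if ak.is_file() else []:
        m = re.search(r"^(?!\s*#).*?((?:ssh|ecdsa|sk)-\S+)\s+(\S+)", line)
        if m and m.group(2) not in known_keys:
            found.append(("unknown-ssh-key", m.group(2)[:16]))
    # Backdoor 4: any reference to the second-stage host anywhere under the web root.
    for php in wp_root.rglob("*.php"):
        if php.is_file() and STAGE2 in php.read_text(errors="replace"):
            found.append(("gsocket-ref", php.relative_to(wp_root).as_posix()))
    return sorted(found)

def build_sample(base):
    """Constructed tree: one clean plugin plus one inert marker per backdoor."""
    wp, home = Path(base, "site"), Path(base, "home")
    files = {
        wp / "wp-config.php": "<?php define('DB_NAME','wp'); ?>\n<script src='//cdn.csyndication.com/'></script>",
        wp / "wp-content/plugins/seo-x/seo-x.php": "<?php\n/* Plugin Name: Ultra SEO Processor */",
        wp / "wp-content/plugins/forms/forms.php": "<?php\n/* Plugin Name: Forms */",
        wp / "wp-content/uploads/c.php": "<?php /* constructed marker: gsocket.io */",
        home / ".ssh/authorized_keys": "ssh-ed25519 AAAAknownKEY admin\nssh-rsa AAAAconstructedUNKNOWN x\n",
    }
    for path, body in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return wp, home

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit(*build_sample(tmp), known_keys={"AAAAknownKEY"}):
            print(*finding)
```

Because the four backdoors are independent, a clean result on one check says nothing about the others; all four findings have to be cleared before a site is treated as remediated.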

    The emergence of these persistent attacker backdoors highlights the critical need for website administrators to remain vigilant in protecting their platforms against such threats. As THN notes, "Creating four backdoors facilitates the attackers having multiple points of re-entry should one be detected and removed." This underscores the importance of proactive security measures, including regular updates, patching, and monitoring.

    In addition to this WordPress-related incident, another malicious campaign has compromised over 35,000 websites with malicious JavaScript that "fully hijacks the user's browser window" to redirect site visitors to Chinese-language gambling platforms. The attack appears to be targeting or originating from regions where Mandarin is common, suggesting a focus on exploiting cultural and linguistic vulnerabilities.

    Furthermore, cybersecurity company Group-IB has reported another malware campaign targeting Magento websites, which injects JavaScript code-named Bablosoft JS into compromised sites to collect fingerprints of visiting users. This campaign highlights the ongoing threat of browser fingerprinting, a technique commonly used by legitimate websites but also exploited by cybercriminals for malicious purposes.

    The findings from these incidents underscore the pressing need for website administrators, developers, and security professionals to stay informed about emerging threats and maintain robust security measures. As cybersecurity expert Himanshu Anand noted in his analysis, "Creating four backdoors facilitates the attackers having multiple points of re-entry should one be detected and removed." This highlights the critical importance of proactive threat detection and incident response.

    In conclusion, the recent surge in attacks targeting WordPress sites and other platforms underscores the ongoing struggle against malicious actors. It is imperative that website administrators, developers, and security professionals prioritize web security and remain vigilant in protecting their platforms against emerging threats. By staying informed and maintaining robust security measures, we can mitigate the risks posed by such incidents.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/Over-1000-WordPress-Sites-Infected-with-Persistent-Attacker-Backdoors-A-Growing-Concern-for-Web-Security-ehn.shtml

  • https://thehackernews.com/2025/03/over-1000-wordpress-sites-infected-with.html


  • Published: Thu Mar 6 04:57:45 2025 by llama3.2 3B Q4_K_M












