I don't think Linux has anything to do with it. It injects JS code into an existing WordPress site to redirect visitors to spam/scam etc. Any plugin that is allowed to write to disk and has a vulnerability is a problem.<p>"Linux.Backdoor.WordPressExploit.1 is a trojan application for 32-bit and 64-bit Linux operating systems that targets x86-compatible devices. The backdoor is written in the Go (Golang) programming language and executes attackers’ commands. Its main functionality is to attack websites based on the WordPress CMS by exploiting vulnerabilities in outdated versions of plugins and themes for this platform. If an attack is successful, the webpages of such sites are injected with a malicious JavaScript that redirects website visitors to other sites."<p><a href="https://vms.drweb.com/virus/?i=25604695" rel="nofollow">https://vms.drweb.com/virus/?i=25604695</a><p>"Linux.Backdoor.WordPressExploit.2 is a trojan application for 32-bit and 64-bit Linux operating systems that targets x86-compatible devices. The backdoor is written in the Go (Golang) programming language and executes attackers’ commands. Its main functionality is to attack websites based on the WordPress CMS by exploiting vulnerabilities in outdated versions of plugins and themes for this platform. If an attack is successful, the webpages of such sites are injected with a malicious JavaScript that redirects website visitors to other sites. This backdoor is a modification of the Linux.Backdoor.WordPressExploit.1 malicious application. It differs from it in the address of the C&C server, the address of the domain from which the malicious script is downloaded, and its additional list of vulnerabilities to exploit."<p><a href="https://vms.drweb.com/virus/?i=25604745" rel="nofollow">https://vms.drweb.com/virus/?i=25604745</a>
This article is written so badly... I suspect it could be a ChatGPT or some variant...<p>> which targets 32-bit versions of Linux and also can run on 64-bit versions of the platform.<p>I don't fully understand what they mean by this...<p>> Vulnerabilities are not uncommon.<p>Pointing out the obvious here. But in general WordPress has a high surface area of attack, sure, but it allows bad 'developers' to publish websites which are connected to sensitive services all without needing even the first comprehension of security. This is its worst feature.
There is a nice writeup about the exploit which includes more information about the indicators of compromise (IOCs) on the (drweb) site:<p><a href="https://vms.drweb.com/virus/?i=25604695" rel="nofollow">https://vms.drweb.com/virus/?i=25604695</a><p>For example, the binary file has a SHA1 of 215a4470063080696630fb6015378938e8c16a15. It reaches out to a C2 server with the IP address 109[.]234.38[.]69. It injects a script called "lone.js" which contacts another server. Etc.<p>Someone has also submitted it to Virustotal very recently, and there is additional information available to explore. <a href="https://www.virustotal.com/gui/file/7ab779b39a7ff2a8e4e4957e91be885e3b193959ff19f7d57f7befd8e6ce39b4" rel="nofollow">https://www.virustotal.com/gui/file/7ab779b39a7ff2a8e4e4957e...</a><p>Yara is among the tools which can be used to search a system for these IOCs provided a set of rules written in the appropriate syntax.
WordPress is great for rapid prototyping, but as history has shown, relying on third parties for additional functionality in production environments comes with great risks.<p>Most uses of WordPress today are definitely not blogs, but full-blown websites with many functionalities not found in blogging software.
I'm not understanding how this is a trojan. Is it a plug-in which the admin has to install? Is it some other unrelated application which the admin has to download from the web and run which infects WordPress sites? How do the 30 vulnerabilities fit into this?<p>And what part of it is a backdoor? It looks like the C&C server can only tell the software what page to redirect to? That's not the sort of access I generally associate with a "backdoor"...
After my experience running a WordPress blog back in the mid-to-late 2000s, I swore off of it. Even with the meager traffic I got, I saw a constant barrage of linkfarm exploits and the like that occurred with even the most brief lapses in keeping WP up to date.<p>Haven't had a blog in about a decade, but when I spin one back up it'll be with a static generator like Zola[0] running on a provider like Netlify[1]. Comments are nice to have but not worth the hassle that comes with a dynamic app or the moderation overhead required to keep comment spam at bay.<p>[0]: <a href="https://www.getzola.org/" rel="nofollow">https://www.getzola.org/</a>
[1]: <a href="https://www.netlify.com/" rel="nofollow">https://www.netlify.com/</a>
In the "network indicators of an attack" [1] what's the significance of some periods being in square brackets and others not?<p>1. <a href="https://github.com/DoctorWebLtd/malware-iocs/tree/master/Linux.Backdoor.WordPressExploit.1#network-indicators">https://github.com/DoctorWebLtd/malware-iocs/tree/master/Lin...</a>
Is there any good literature discussing the rise of server malware? It seems to me it's much more common now and PC malware (regardless of OS) is more rare.