14 Aug, 2017

Vulnerable WordPress Newspaper Theme

Learn how to detect and remove a JavaScript infection that targets WordPress Newspaper theme and redirects visitors to malicious sites.
In the last few days we have received many reports of JavaScript infections that redirect visitors to other pages. One of the most common techniques is a JavaScript snippet injected into sites running the WordPress CMS.

The attacker inserts the script link hxxps://traffictrade[.]life/scripts.js on each page. This script then redirects your site's visitors to hxxps://redirect[.]trafficreceiver[.]club/landing/, where they see the malicious pop-ups.

The interesting part is that there were no infected files on the customer's site. The only sign of compromise is the code injected into the 'wp_options' table inside the database.
The Malware in The WordPress Theme
The code can be found inside NewsMag or Newspaper theme under the Theme panel>ADs>Header ad. It can also be seen inside the 'wp_options' table of your database.
Vulnerable code:

Going deeper, we found that the file 'td_panel_data_source.php' in the theme directory is vulnerable. Here is what is at the end of the file:
According to the WordPress documentation, the 'wp_ajax_nopriv_(action)' hook handles requests from users who are not logged in. This means attackers are free to modify the victim's database options without being logged in at all.

Here are the options that can be modified:
  • 'td_category'
  • 'td_option'
  • 'wp_option'
  • 'td_homepage'
  • 'td_page_option'
  • 'td_widget'
  • 'td_author'
  • 'wp_theme_mod'
  • 'wp_theme_menu_spot'
  • 'td_translate'
  • 'td_ads'
  • 'td_social_networks'
  • 'td_fonts_user_insert'
  • 'td_fonts'
  • 'td_block_styles'

For this infection, the attacker adds the code to 'td_ads', which corresponds to the Header Ad field of the theme.

Unfortunately, the attack can't be picked out of the access logs, because the attacker uses a POST request to /wp-admin/admin-ajax.php, which is normal traffic that routinely appears in the logs.
NewsMag Theme Malware Removal
The following are the steps to remove the NewsMag theme infection from your WordPress website:

- Delete the scripts inside the Header ad field.
- Open the database table wp_options and search for the malicious script.
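The second step can be automated. The following PHP function is an added example, not code from the original post or from the theme: it takes rows of the wp_options table (the constructed sample rows below stand in for the result of a `SELECT option_name, option_value` query through `$wpdb`) and flags any option whose value contains a `<script>` tag with a remote `src`, or one of the indicator strings seen in this infection. Because it matches the raw text, it works on PHP-serialized values such as the theme's ad settings as well as on plain strings; the serialized layout in the sample is constructed and is not the theme's real storage format.

```php
<?php
// Added example (not from the original post or the theme): scan wp_options rows
// for injected <script> tags that load remote JavaScript, as the Header Ad
// injection described above does. Matches the raw option text, so serialized
// (a:1:{...}) option values are covered as well as plain strings.

/**
 * Return the rows whose option_value contains one of the indicator strings
 * (domains or paths seen in the attack) or a <script> tag with an external src.
 *
 * @param array $rows       Each row: ['option_name' => string, 'option_value' => string]
 * @param array $indicators Substrings to flag when present (case-insensitive)
 * @return array            Flagged rows, each with a 'reason' describing the match
 */
function find_injected_scripts(array $rows, array $indicators = []): array
{
    $flagged = [];
    foreach ($rows as $row) {
        $value  = (string) $row['option_value'];
        $reason = null;

        // Known indicators first: they give the most specific reason.
        foreach ($indicators as $ioc) {
            if (stripos($value, $ioc) !== false) {
                $reason = 'indicator: ' . $ioc;
                break;
            }
        }

        // Otherwise any <script src="http(s)://..."> or protocol-relative //host/...
        if ($reason === null
            && preg_match('~<script[^>]+src\s*=\s*["\']?(?:https?:)?//~i', $value)) {
            $reason = 'remote script tag';
        }

        if ($reason !== null) {
            $flagged[] = ['option_name' => $row['option_name'], 'reason' => $reason];
        }
    }
    return $flagged;
}

// Constructed sample rows standing in for
// $wpdb->get_results("SELECT option_name, option_value FROM {$wpdb->options}", ARRAY_A)
$sample_rows = [
    ['option_name' => 'siteurl',         'option_value' => 'https://example.com'],
    ['option_name' => 'blogdescription', 'option_value' => 'Just another WordPress site'],
    // Constructed serialized value in the shape of an ad setting, carrying the loader.
    ['option_name' => 'td_ads', 'option_value' =>
        'a:1:{s:9:"header_ad";a:1:{s:4:"code";s:83:"<script type="text/javascript" src="https://traffictrade.life/scripts.js"></script>";}}'],
    // A remote script tag without a known indicator is still reported.
    ['option_name' => 'some_plugin_footer', 'option_value' =>
        '<script src="//cdn.invalid/loader.js"></script>'],
];

$hits = find_injected_scripts($sample_rows, ['traffictrade.life', 'trafficreceiver.club']);
foreach ($hits as $hit) {
    printf("%s: %s\n", $hit['option_name'], $hit['reason']);
}
```

Run it from a WP-CLI `eval-file` call or a one-off script that has loaded `wp-load.php`, and review every flagged option by hand before deleting anything: legitimate ad and analytics settings also load remote scripts, so the 'remote script tag' reason is a prompt to inspect, not proof of infection.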

If you are having troubles with the clean up of your site, just subscribe to one of the ThreatSign plans and our experts will be happy to do the job for you.
Website Security Hardening
Once the vulnerable code is found, we just need to add an 'is_admin()' condition on both highlighted lines. Note that because the Ajax requests go through admin-ajax.php, that function always returns true for them.
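The caveat to keep in mind is that `is_admin()` is true for every request served through admin-ajax.php whether or not the caller is logged in, so on its own it does not stop the unauthenticated writes described in the vulnerable-code section above. The following PHP is an added example, not the theme's actual code: it shows a theme-options AJAX handler in the vulnerable shape the article describes (registered under `wp_ajax_nopriv_` and writing whatever option the request names) beside a hardened version that drops the `nopriv` registration, checks a capability, verifies a nonce and restricts the writable option names. The action name `example_update_panel`, the nonce action and the option whitelist are hypothetical placeholders; the WordPress functions used are real.

```php
<?php
// Added example (not the theme's actual code). Action names, the nonce action and
// the option whitelist are hypothetical; the WordPress API calls are real.
// In real code only one of the two sections below would exist; both are shown here
// so the vulnerable and hardened shapes can be compared side by side.

// --- Vulnerable shape: the handler is also registered for logged-out callers,
// and writes whatever option name and value the POST body carries. ---
function example_update_panel_vulnerable()
{
    $name  = $_POST['option_name']  ?? '';
    $value = $_POST['option_value'] ?? '';
    update_option($name, $value);   // unauthenticated write straight into wp_options
    wp_send_json_success();
}
add_action('wp_ajax_example_update_panel',        'example_update_panel_vulnerable');
add_action('wp_ajax_nopriv_example_update_panel', 'example_update_panel_vulnerable'); // the problem

// --- Hardened version ---
// 1. No wp_ajax_nopriv_ registration: logged-out users get no handler at all.
// 2. A capability check: only users allowed to manage options may write them.
//    is_admin() is deliberately not used, as it is true for every admin-ajax.php request.
// 3. A nonce, so a logged-in administrator cannot be tricked into sending the request.
// 4. A whitelist of option names, so the handler cannot be pointed at arbitrary options.
const EXAMPLE_WRITABLE_OPTIONS = ['td_ads', 'td_fonts', 'td_block_styles']; // placeholder subset

function example_update_panel_hardened()
{
    check_ajax_referer('example_update_panel');          // dies on a missing or invalid nonce

    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }

    $name = sanitize_key($_POST['option_name'] ?? '');
    if (!in_array($name, EXAMPLE_WRITABLE_OPTIONS, true)) {
        wp_send_json_error('option not allowed', 400);
    }

    $raw = wp_unslash($_POST['option_value'] ?? '');
    // Ad fields legitimately hold <script> markup, so rather than stripping it,
    // gate raw HTML behind the capability WordPress already uses for that purpose.
    $value = current_user_can('unfiltered_html') ? $raw : wp_kses_post($raw);

    update_option($name, $value);
    wp_send_json_success();
}
add_action('wp_ajax_example_update_panel', 'example_update_panel_hardened');
// No add_action('wp_ajax_nopriv_example_update_panel', ...) here, by design.
```

The front-end side of the hardened handler must send the nonce it was given (for instance via `wp_create_nonce('example_update_panel')` passed through `wp_localize_script`), and the usual way to confirm the fix is to replay the same POST to admin-ajax.php from a logged-out session and check that the option value in wp_options does not change.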
Is your website flagged for malware, blocked by the search engines or disabled by the host?
Our experts are here to clean up any malware from your sites and remove false positives, blacklisting and other kinds of alerts by any security vendor and search engine. Just select the appropriate ThreatSign! Anti-Malware plan and get back online.

For other issues and help: Quttera help-desk