❌

Reading view

WordPress PBN Plugin Drops Dual Webshells via Database Injection

WordPress PBN Plugin Drops Dual Webshells via Database Injection

During a recent incident response engagement, our team uncovered a multi-stage WordPress infection that goes beyond the usual file-based malware. The attacker combined a fake plugin, a remote command-and-control server, and two PHP web shells stored directly inside the WordPress database.

The campaign is operated by a Turkish-speaking threat actor and is built around a classic SEO monetization scheme: hidden backlink injection for a Private Blog Network (PBN), most likely tied to the gambling and adult affiliate niche.

Continue reading WordPress PBN Plugin Drops Dual Webshells via Database Injection at Sucuri Blog.

  •  

My Website Is Hosting a Phishing Page – Now What?

My Website Is Hosting a Phishing Page – Now What?

Most phishing advice is written for the person staring at a suspicious email. This guide is for the other kind of victim: The website owner whose legitimate site has been quietly turned into the attacker’s weapon.

You didn’t send the message or build the fake login page. You just woke up to a browser warning, a suspended hosting account, or a polite note from someone’s security team asking why your domain is requesting Apple ID credentials.

Continue reading My Website Is Hosting a Phishing Page – Now What? at Sucuri Blog.

  •  

Joomla SEO Spam Injector: Obfuscated PHP Backdoor Hijacking Site Visitors

Joomla SEO Spam Injector: Obfuscated PHP Backdoor Hijacking Site Visitors

Overview

During a recent malware cleanup investigation, we encountered a compromised Joomla website where the site owner reported a strange issue. Their website displayed a large number of suspicious product links that had nothing to do with their business. These products were not added by the website owner and did not exist in their catalog.

Visitors and search engines were seeing pages that promoted unrelated products, raising immediate concerns about spam injection or remote content manipulation.

Continue reading Joomla SEO Spam Injector: Obfuscated PHP Backdoor Hijacking Site Visitors at Sucuri Blog.

  •  

Web Shells: Types, Mitigation & Removal

Web Shells: Types, Mitigation & Removal

Web shells are malicious scripts that give attackers persistent access to compromised web servers, enabling them to execute commands and control the server remotely. These scripts exploit vulnerabilities like SQL injection, remote file inclusion (RFI), and cross-site scripting (XSS) to gain entry.

Once deployed, web shells allow attackers to manipulate the server, leading to data theft, website defacement, or serving as a launchpad for further attacks. They are especially dangerous because they are also a post-compromise access mechanism (backdoor) rather than a standalone infection.

Continue reading Web Shells: Types, Mitigation & Removal at Sucuri Blog.

  •  

Shadow Directories: A Unique Method to Hijack WordPress Permalinks

Shadow Directories: A Unique Method to Hijack WordPress Permalinks

Last month, while working on a WordPress cleanup case, a customer reached out with a strange complaint: their website looked completely normal to them and their visitors, but Google search results were showing something very different.

Instead of normal titles and descriptions, Google was displaying casino and gambling-related content. We have been seeing rising cases of spam on WordPress websites. What made this even more confusing was where the spam was appearing.

Continue reading Shadow Directories: A Unique Method to Hijack WordPress Permalinks at Sucuri Blog.

  •  

Malware Intercepts Googlebot via IP-Verified Conditional Logic

Malware Intercepts Googlebot via IP-Verified Conditional Logic

Some attackers are increasingly moving away from simple redirects in favor of more β€œselective” methods of payload delivery. This approach filters out regular human visitors, allowing attackers to serve malicious content to search engine crawlers while remaining invisible to the website owner.

What did we find?

During a malware investigation, we identified a selective content injection attack inside the main index.php file of a WordPress website.

Instead of always loading WordPress normally, this modified file checks who is visiting the site.

Continue reading Malware Intercepts Googlebot via IP-Verified Conditional Logic at Sucuri Blog.

  •  

WordPress Auto-Login Backdoor Disguised as JavaScript Data File

WordPress Auto-Login Backdoor Disguised as JavaScript Data File

During a recent investigation, we discovered a sophisticated WordPress backdoor hidden in what appears to be a JavaScript data file. This malware automatically logs attackers into administrator accounts without requiring any credentials.

In September, we published an article showcasing another WordPress backdoor that creates admin accounts. This new variant takes a different approach by hijacking existing administrator sessions instead of creating new accounts, making it harder to detect through user audits.

What turned up during our review

The file was disguised as a JavaScript asset in a PHP file located in the WordPress admin wp-admin/js directory, but it was really all PHP.

Continue reading WordPress Auto-Login Backdoor Disguised as JavaScript Data File at Sucuri Blog.

  •  
❌