Stealthy WordPress Backdoor Found in mu-plugins Folder
A new stealthy backdoor has been discovered hiding in the WordPress mu-plugins folder, posing a significant threat to website security. The malicious code, dubbed 'wp-index.php', gives attackers persistent access to and control over compromised WordPress sites.

The backdoor uses a malicious PHP file, 'wp-index.php', as a loader that fetches and executes an obfuscated payload. It hides in the 'mu-plugins' (must-use plugins) folder, whose contents WordPress runs automatically and which cannot be deactivated from the admin panel, so the loader is difficult to detect and remove.

Once activated, the malware can change the passwords of common admin usernames to a default password set by the attacker. It also includes a hidden file manager and creates an admin user named 'officialwp'. To ensure its persistence, the backdoor force-installs a malicious plugin that restores it if it is removed.

The payload is stored in the WordPress database under the '_hdra_core' option and executed from there, leaving minimal traces. After execution the backdoor deletes its traces, making it even harder to detect and remove.

Compromised websites can then be used for broader attacks, which makes the threat both persistent and stealthy. The malware allows attackers to control the site, steal data, and install further malware.

WordPress site owners and administrators are urged to stay vigilant and take the necessary precautions to protect their sites. Regular updates, strong passwords, and security plugins are recommended to mitigate this threat. The identity of the person who discovered this stealth backdoor remains unknown at this time.
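The indicators named above (the loader in mu-plugins, the '_hdra_core' option and the 'officialwp' account) can be checked from WP-CLI. The audit script below is an added example, not code from the original report; the function name and the heuristic that flags any mu-plugin file referencing the payload option are assumptions.

```php
<?php
// Added example (not from the original report): run from the site root with
// `wp eval-file hunt-hdra.php`. Checks the three indicators the report names.

function hunt_hdra_indicators(): array {
    $findings = [];

    // 1. Payload storage: the report says the obfuscated payload is kept in
    //    the `_hdra_core` option, so any value here is a strong indicator.
    $payload = get_option('_hdra_core', null);
    if ($payload !== null) {
        $findings[] = 'option _hdra_core is present in wp_options';
    }

    // 2. Persistence through a planted administrator account.
    $user = get_user_by('login', 'officialwp');
    if ($user) {
        $roles = implode(',', (array) $user->roles);
        $findings[] = 'account "officialwp" exists (ID ' . $user->ID . ', roles: ' . $roles . ')';
    }

    // 3. The loader: files in mu-plugins run automatically and cannot be
    //    deactivated, so every PHP file here deserves a look. Flag the reported
    //    file name and (assumed heuristic) any file that references the option.
    foreach (glob(WPMU_PLUGIN_DIR . '/*.php') ?: [] as $file) {
        $name = basename($file);
        $body = (string) file_get_contents($file);
        if ($name === 'wp-index.php' || strpos($body, '_hdra_core') !== false) {
            $findings[] = sprintf('suspicious mu-plugin %s (modified %s)',
                $name, date('c', (int) filemtime($file)));
        }
    }

    return $findings;
}

$findings = hunt_hdra_indicators();
if (!$findings) {
    WP_CLI::success('No _hdra_core indicators found.');
} else {
    foreach ($findings as $f) {
        WP_CLI::warning($f);
    }
}
```

Any finding should be treated as a sign of compromise rather than cleaned in place, since the report describes a force-installed plugin that restores the backdoor after removal; restore from a known-clean backup and rotate all admin credentials.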