Attackers are utilizing Eval PHP, an outdated reputable WordPress plugin, to compromise web sites by injecting stealthy backdoors.

Eval PHP is an outdated WordPress plugin that permits website admins to embed PHP code on pages and posts of WordPress websites after which execute the code when the web page is opened within the browser.

The plugin has not been up to date previously decade and is mostly thought-about abandonware, but it’s nonetheless obtainable via the WordPress plugins repository.

In response to web site safety agency Sucuri, the pattern of utilizing Eval PHP to embed malicious code on seemingly innocuous WordPress pages surged in April 2023, with the WordPress plugin now having a median of 4,000 malicious installations per day.

The principle benefit of this methodology versus typical backdoor injections is that Eval PHP could also be reused to reinfect cleaned websites whereas holding the purpose of compromise comparatively hidden.

​Stealthy database injections

PHP code injections detected over the past couple of weeks ship a beforehand documented payload that provides the attackers distant code execution capabilities over the compromised website.

The malicious code is injected into the focused web sites’ databases, particularly into the ‘wp_posts’ desk. This makes it tougher to detect because it evades commonplace web site safety measures like file integrity monitoring, server-side scans, and many others.

To try this, the risk actors use a compromised or newly created administrator account to put in Eval PHP, permitting them to insert PHP code into pages and posts of the breached website utilizing [evalphp] shortcodes.

​As soon as the code runs, it drops the backdoor (3e9c0ca6bbe9.php) within the website root. The identify of the backdoor might differ between totally different assaults.

The malicious Eval PHP plugin installations are triggered from the next IP addresses:

• 91.193.43.151
• 79.137.206.177
• 212.113.119.6

The backdoor doesn’t use POST requests for C2 communication to evade detection however, as an alternative, it passes information via cookies and GET requests with out seen parameters.

Furthermore, the malicious [evalphp] shortcodes are planted in saved drafts hidden within the SQL dump of the “wp_posts” desk and never on printed posts. That is nonetheless sufficient to execute the code that injects the backdoor into the web site’s database.

Sucuri highlights the necessity to delist outdated and unmaintained plugins that risk actors can simply abuse for malicious functions and factors out that Eval PHP is not the one dangerous case.

Till these answerable for managing the WordPress plugin repository resolve to take motion, web site homeowners are really helpful to take motion to safe their admin panels, maintain their WordPress set up updated, and use an online utility firewall.