Hackers Target WordPress PHP

Reading time icon 3 min. read

Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more

Hackers are becoming more audacious with attacks being launched daily across the globe. In the case of WordPress, tens of thousands of organizations, including OnMSFT.com utilize the platform to provide daily updates to millions of users. With hackers constantly changing tactics, the platform is slowly becoming a new cybersecurity frontier that will in the future impact Microsoft and non-Microsoft users alike.

And now, according to the latest related news report, a new WordPress PHP exploit attempt has been reported by Nikita Popov, a contributor to the WP project. According to his statement, he found two malicious commits that had been pushed to the php-src git repository. The changes were designed to create backdoors on websites using the updated library.

The scheme would essentially give the perpetrators access to WordPress websites by leveraging remote code execution via PHP and a HTTP header. They would also be able to take over the server hosting the PHP site and modify files on the system.

PHP is a scripting language used to create dynamic and responsive websites. WordPress is coded using PHP, which is Open Source. Subsequently, WP files typically have a .php extension.

As It Happened

The malicious repository changes which happened on Saturday were made to look as if they were made by two renowned WP contributors Rasmus Lerdorf and Nikita Popov. This was in an attempt to make them look authentic. While it might appear that authors’ accounts were compromised, the ploy is believed to have worked by exploiting the git infrastructure and not by targeting specific accounts.

As such, the PHP Group has announced that it will be shifting from the git infrastructure to GitHub. This will provide greater security and allow all future changes to be tracked.

The devious attackers also tried to create confusion by attaching a comment on the changes implying that the exploits had been sold to Zerodium, a firm that specializes in the purchase of premium zero-day vulnerabilities. The comment read “REMOVETHIS: sold to zerodium, mid 2017”.

That said, Zerodium CEO, Chaouki Bekrar, has denied any dealings involving the WordPress PHP exploit. “Cheers to the troll who put “Zerodium” in today’s PHP git compromised commits. Obviously, we have nothing to do with this. Likely, the researcher(s) who found this bug/exploit tried to sell it to many entities but none wanted to buy this cr**, so they burned it for fun,” he said via Twitter.

Had the changes made by the hackers gone unnoticed, thousands of websites would have been compromised, allowing hackers to carry out a range of attacks on different types of devices including those running Windows. Hackers usually undertake this via XSS, traffic redirection, autofilled data, and more.

To prevent related compromises, Microsoft user are advised to use a reliable firewall, and set Windows Defender updates to automatic.