Sucuri has reported that threat actors are abusing an abandoned WordPress plugin named Eval PHP, last updated roughly 11 years ago, to compromise websites. The plugin gives them a way to plant a backdoor that keeps an attacker's access to, and control of, a site even after its passwords have been changed.
Eval PHP was published by a developer named Flashpixx and lets users insert PHP code into WordPress pages and posts; that code is executed every time the post is rendered in a browser. Because the plugin evaluates arbitrary PHP, anyone who can edit a post can run code on the server, which is exactly the capability the attackers are after.
Remote code execution backdoors remain one of the ways attackers keep a foothold on a website, and external scans cannot detect them; they can be identified by server-side scans and file integrity monitoring. The attack chain consists of installing the Eval PHP plugin on an already compromised site and using it to establish persistent backdoors across multiple posts, some of which are saved only as drafts. Sucuri observed a spike in daily downloads of Eval PHP beginning around March 29, 2023, with more than 100,000 downloads by the time of the report.
While observing the affected websites, Sucuri researcher Ben Martin said: "This code is quite simple: it uses the file_put_contents function to create a PHP script into the docroot of the website with the specified remote code execution backdoor. Although the injection in question does drop a conventional backdoor into the file structure, the combination of a legitimate plugin and a backdoor dropper in a WordPress post allows them to easily reinfect the website and stay hidden. All the attacker needs to do is to visit one of the infected posts or pages, and the backdoor will be injected into the file structure."
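The two server-side checks the report relies on, sketched in Python as an added example (this is not Sucuri's code and not part of the plugin): a scan of wp_posts content for the plugin's [evalphp] shortcode blocks that call file-writing or code-execution functions, drafts included, and a file-integrity diff of the document root that catches the file a file_put_contents call drops when an infected post is visited. The wp_posts rows, the function list in DROPPER_RE and the placeholder payload are all constructed for the example; in production the rows would come from the database and the baseline from a known-clean checkout.

```python
import hashlib
import os
import re
import tempfile

# Constructed rows standing in for wp_posts (ID, post_status, post_content).
# Post 31 mimics the injection pattern described in the report: an [evalphp]
# shortcode whose body writes a file into the document root. The base64
# payload decodes to a harmless placeholder, not a real backdoor.
SAMPLE_POSTS = [
    (12, "publish", "<p>Welcome to our shop.</p>"),
    (31, "draft", "[evalphp]file_put_contents($_SERVER['DOCUMENT_ROOT']"
                  ".'/wp-content/x.php', base64_decode('PD9waHAgLyogcGxhY2Vob2xkZXIgKi8='));[/evalphp]"),
    (44, "publish", "<p>About us</p>[evalphp]echo date('Y');[/evalphp]"),
]

SHORTCODE_RE = re.compile(r"\[evalphp\](.*?)\[/evalphp\]", re.S | re.I)
# Heuristic (assumed) list of PHP functions a dropper or web shell typically needs.
DROPPER_RE = re.compile(
    r"\b(file_put_contents|fwrite|fopen|eval|assert|base64_decode|"
    r"system|passthru|shell_exec|exec)\s*\(", re.I)


def find_evalphp_posts(posts):
    """Return (post_id, post_status, suspicious_calls) for every post that
    carries an [evalphp] block. Drafts are included on purpose: they are never
    rendered on the public site, so an external scanner cannot see them."""
    hits = []
    for post_id, status, content in posts:
        for match in SHORTCODE_RE.finditer(content):
            calls = sorted({c.lower() for c in DROPPER_RE.findall(match.group(1))})
            hits.append((post_id, status, calls))
    return hits


def snapshot(docroot):
    """Map each file under docroot (relative path) to its SHA-256: the FIM baseline."""
    state = {}
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                state[os.path.relpath(full, docroot)] = hashlib.sha256(fh.read()).hexdigest()
    return state


def diff_snapshots(before, after):
    """Return (added, modified, removed) relative paths between two snapshots.
    A PHP file appearing out of nowhere under the docroot is the signature of
    the dropper firing when an infected post is visited."""
    added = sorted(p for p in after if p not in before)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    removed = sorted(p for p in before if p not in after)
    return added, modified, removed


def simulate_reinfection():
    """Build a throwaway docroot, take a baseline, write the file the sample
    shortcode would write, and return what the FIM diff reports."""
    with tempfile.TemporaryDirectory() as docroot:
        os.makedirs(os.path.join(docroot, "wp-content"))
        with open(os.path.join(docroot, "index.php"), "w") as fh:
            fh.write("<?php require __DIR__ . '/wp-blog-header.php';\n")
        baseline = snapshot(docroot)
        # Effect of a visit to post 31: the shortcode's file_put_contents call.
        with open(os.path.join(docroot, "wp-content", "x.php"), "w") as fh:
            fh.write("<?php /* placeholder */")
        return diff_snapshots(baseline, snapshot(docroot))


if __name__ == "__main__":
    for post_id, status, calls in find_evalphp_posts(SAMPLE_POSTS):
        flag = "SUSPICIOUS" if calls else "review"
        print(f"post {post_id} ({status}): [evalphp] block, {flag} {calls}")
    added, modified, removed = simulate_reinfection()
    print("FIM added:", added, "modified:", modified, "removed:", removed)
```

Post 44 is reported as well even though its shortcode body looks benign: any [evalphp] block on a site that does not deliberately use the plugin deserves a look, because the same post can be edited into a dropper later. The FIM diff only has value if the baseline was taken from a clean state; a snapshot taken after the dropper has already fired will silently bless the backdoor.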
So far, the threat actors have established administrative rights on over 6,000 sites. Sucuri's researchers advise site owners to secure the wp-admin panel of their WordPress installation, monitor administrator activity on the site, clean up files regularly, rotate passwords, and put the admin panel behind two-factor authentication. Because a visit to any infected post re-drops the backdoor, deleting the dropped PHP file alone is not a cleanup: the injected posts, including the ones saved as drafts, have to be removed as well.