Shulou(Shulou.com)06/02 Report--

What is the role of Keylogger events in Wordpress? I believe many inexperienced people don't know what to do about it. Therefore, this paper summarizes the causes and solutions of the problems. Through this article, I hope you can solve this problem.

0x01 event description

The cause is that WordPress was injected with a confusing js script. Populate from the theme's function.php file. The address of the loaded js script is:

Where reconnecting-websocket.js is used as websocket communication, and cors.js contains a back door. Cors.js changes the front page, releases the javascript script for input listening, and then sends the data to the toolmaker (wss://cloudflare [.] solutions:8085/).

Analysis of 0x02 attack script

There are two JS at the bottom of the home page of the user WordPress. The first one is used for websocket communication. Backdoor core file http://cloudflare[.]solutions/ajax/libs/cors/cors.js. Cors.js is confused, and the attack script is obtained after simple processing:

The attack script first calls linter (), which decodes the linterkey1,linterkey2.

Https://cdnjs.cloudflare.com/ajax/libs/linter/linter.js?657[.............................] The domain name cdnjs.cloudflare.com does not exist, according to the code logic, the useful part should be? The following is the content:

Decrypt:

The logic is easy to understand, listening for blur events (the input box loses focus) and sending user input content through websocket.

Finally, addyandexmetrix () is executed after the window is loaded. This function is a js similar to cnzz, which is used for access statistics.

Https://yandex.com/support/metrica/code/counter-initialize.xml

0x03 attack impact View cloudflare [.] solutionsDNS request record:

As you can see, there was a peak in June. And recently, the trend of attack has risen sharply. The following is the record of today's request as of writing:

As you can see, today, the attack has intensified.

Search the page and find that nearly 5,000 sites around the world have been infected:

Some of the following infected domain names:

0x04 mitigation measures

Check if there is a JS request to cloudflare [.] solutions in the source code of the page, and do self-test in this way.

The malicious JS is populated through the function.php file of the WordPress theme. Please immediately delete the part of the file where the page renders malicious JS. At this time, the password may have been stolen, please change the password in time.

After reading the above, have you mastered the role of Keylogger events in Wordpress? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.