[wp-hackers] Viruses that look for open WordPress tabs in your browser?

Scott Herbert scott.a.herbert at googlemail.com
Fri Dec 11 13:45:05 UTC 2015


I think Zeus (whose source code was leaked online) did a similar
thing with banking sites but that was on a PC. OSX (iirc) makes it
much harder to snag the browser's memory space, but nothing is impossible.

On 11 December 2015 at 13:08, J.D. Grimes <jdg at codesymphony.co> wrote:
> I'm not an expert, but I've never heard of anything like that before. Isn't it possible that the connection was compromised and an attacker was listening in on the user, then stole their session and spoofed the user agent?
>
> -J.D.
>
>> On Dec 10, 2015, at 7:03 PM, David Anderson <david at wordshell.net> wrote:
>>
>> Has anyone come across the following before? Or is it potentially a new thing? (I've not read any such thing before).
>>
>> I'm examining a hacked WP site. The logs show that the site owner, the sole admin, was logged in, and working on it in wp-admin in a normal way, up until 02:52 on a certain day. Then absolutely nothing until 03:35. Then at 03:35, wham - a single GET followed by a load of POST requests to the plugin editor, one for each plugin, inserting hacker code. All from the admin's IP/browser (same user agent), and too close together to be human (i.e. obviously scripted). It's all the same IP and browser session, which is confirmed as the site owner's ISP.
>>
>> My inference from that is that the site owner, at 02:52, went to do other things, leaving the browser tab open. They got infected with a virus (or perhaps already were), and that virus hunted for open browser sessions logged-in to wp-admin, and used those sessions to infect the WP site.
>>
>> That's all technically do-able. But I've not previously heard of a virus (the customer has a Mac, and was using Safari), that does this. Is this a new thing?
>>
>> David
>>
>> --
>> UpdraftPlus - best WordPress backups - http://updraftplus.com
>> WordShell - WordPress fast from the CLI - http://wordshell.net
>>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers



-- 
Scott Herbert
Web:  http://www.Scott-Herbert.com/
Twitter: http://twitter.com/Scott_Herbert
Linkedin: http://www.linkedin.com/in/scottaherbert
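
Added example, not part of the original thread or any poster's code: a log check for the pattern David describes, an idle period followed by a machine-speed run of POSTs to the plugin editor from one IP and user agent. It assumes Combined Log Format and the WordPress path /wp-admin/plugin-editor.php; the thresholds, date, IP, user agent and sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed Combined Log Format; the thread does not show the real log lines.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                  r'(?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
EDITOR = "/wp-admin/plugin-editor.php"  # WordPress plugin editor screen

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return (m["ip"], m["ua"]), ts, m["method"], m["path"].split("?")[0]

def find_editor_bursts(lines, max_gap=2.0, min_posts=3):
    """Flag runs of wp-admin requests from one (IP, user agent) spaced at most
    max_gap seconds apart that contain at least min_posts plugin-editor POSTs.
    Both thresholds are illustrative assumptions, not values from the thread."""
    by_client = defaultdict(list)
    for client, ts, method, path in filter(None, map(parse, lines)):
        if path.startswith("/wp-admin/"):
            by_client[client].append((ts, method, path))
    findings = []
    for (ip, ua), events in by_client.items():
        events.sort(key=lambda e: e[0])
        start, prev, idle, posts = None, None, None, 0
        for ts, method, path in events + [(None, None, None)]:  # sentinel ends last run
            gap = (ts - prev).total_seconds() if ts and prev else None
            if gap is None or gap > max_gap:  # previous run is over, a new one starts
                if posts >= min_posts:
                    findings.append({"ip": ip, "ua": ua, "start": start, "end": prev,
                                     "editor_posts": posts, "idle_before_s": idle})
                start, posts, idle = ts, 0, gap
            if method == "POST" and path == EDITOR:
                posts += 1
            prev = ts
    return findings

UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) Safari/601.2.7"  # constructed
def sample_line(t, method, path):  # constructed log line, documentation IP range
    return (f'203.0.113.7 - - [01/Dec/2015:{t} +0000] "{method} {path} HTTP/1.1" '
            f'200 512 "-" "{UA}"')
SAMPLE = [sample_line(*e) for e in [
    ("02:40:05", "POST", EDITOR), ("02:51:40", "GET", "/wp-admin/post.php?post=7"),
    ("02:52:00", "POST", "/wp-admin/admin-ajax.php"), ("03:35:00", "GET", EDITOR),
    ("03:35:01", "POST", EDITOR), ("03:35:01", "POST", EDITOR),
    ("03:35:02", "POST", EDITOR), ("03:35:03", "POST", EDITOR)]]
```

On the constructed sample, find_editor_bursts(SAMPLE) reports one run: four editor POSTs within three seconds, preceded by 2580 seconds of wp-admin silence, while the single manual editor save at 02:40 is not flagged.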

