[wp-hackers] Viruses that look for open WordPress tabs in your browser?
david at wordshell.net
Fri Dec 11 00:03:46 UTC 2015
Has anyone come across the following before? Or is it potentially a new
thing? (I've not read any such thing before).
I'm examining a hacked WP site. The logs show that the site owner, the
sole admin, was logged in, and working on it in wp-admin in a normal
way, up until 02:52 on a certain day. Then absolutely nothing until
03:35. Then at 03:35, wham - a single GET followed by a load of POST
requests to the plugin editor, one for each plugin, inserting hacker
code. All from the admin's IP/browser (same user agent), and too close
together to be human (i.e. obviously scripted). It's all the same IP and
browser session, which is confirmed as the site owner's ISP.
My inference from that is that the site owner, at 02:52, went to do
other things, leaving the browser tab open. They got infected with a
virus (or perhaps already were), and that virus hunted for open browser
sessions logged-in to wp-admin, and used those sessions to infect the WP
That's all technically do-able. But I've not previously heard of a virus
(the customer has a Mac, and was using Safari), that does this. Is this
a new thing?
UpdraftPlus - best WordPress backups - http://updraftplus.com
WordShell - WordPress fast from the CLI - http://wordshell.net
More information about the wp-hackers