[wp-hackers] Viruses that look for open WordPress tabs in your browser?

David Anderson david at wordshell.net
Fri Dec 11 00:03:46 UTC 2015

Has anyone come across the following before? Or is it potentially a new 
thing? (I've not read any such thing before).

I'm examining a hacked WP site. The logs show that the site owner, the 
sole admin, was logged in, and working on it in wp-admin in a normal 
way, up until 02:52 on a certain day. Then absolutely nothing until 
03:35. Then at 03:35, wham - a single GET followed by a load of POST 
requests to the plugin editor, one for each plugin, inserting hacker 
code. All from the admin's IP/browser (same user agent), and too close 
together to be human (i.e. obviously scripted). It's all the same IP and 
browser session, which is confirmed as the site owner's ISP.

My inference from that is that the site owner, at 02:52, went to do 
other things, leaving the browser tab open. They got infected with a 
virus (or perhaps already were), and that virus hunted for open browser 
sessions logged-in to wp-admin, and used those sessions to infect the WP 

That's all technically do-able. But I've not previously heard of a virus 
(the customer has a Mac, and was using Safari), that does this. Is this 
a new thing?


UpdraftPlus - best WordPress backups - http://updraftplus.com
WordShell - WordPress fast from the CLI - http://wordshell.net

More information about the wp-hackers mailing list