The advice to be wary of old or abandoned software is not far-fetched. Recent evidence of this comes from Eval PHP, a WordPress plugin that has not been updated since 2012 and is now being used to compromise websites.
Eval PHP allows a WordPress site administrator to add PHP code directly to pages or posts. The feature can be used to test functions or offer functionality to website visitors.
Because it is an old plugin built for a very specific purpose, Eval PHP is little used today. But the digital security company Sucuri noticed that, in recent weeks, several sites were being infected with a backdoor whose code is related to the plugin.
Sucuri found that at the end of March, Eval PHP reached a daily peak of 7,000 downloads. Prior to this, the plugin rarely recorded a single download per day. The company estimates that since then more than 100,000 downloads have been made.
Eval PHP did not become popular overnight. The number of downloads skyrocketed simply because the plugin is being installed by attackers, not by site administrators.
It all starts when the attacker inserts malicious code into the “wp_posts” table of the WordPress database. To do this, the attacker uses a compromised administrator account, which is also used to install the plugin.
Through the plugin, that code is injected into WordPress pages or posts. The attacker then only needs to visit these links for the code to execute. When that happens, a backdoor is written to the root directory of the website.
Various malicious actions can be performed from there, such as spreading malware, capturing data and attacking other websites.
To prevent compromised pages and posts from being discovered, attackers save them as drafts. Thus, the links do not appear on the site’s public content list.
What sets this scheme apart from other kinds of intrusion is that, because the malicious code is executed through Eval PHP, it is harder for security mechanisms to track it.
To make matters worse, if the backdoor is removed, it can be reinserted simply by accessing one of the compromised pages or posts again.
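A defender-side check for the pattern described above, scanning the wp_posts table (drafts included) for post content that carries PHP code. This is an added example, not code from the article or from Sucuri; it assumes the plugin's `[evalphp]` shortcode (an assumption) and the default `wp_` table prefix, and runs over constructed rows rather than a live database.

```python
import re

# Constructed sample rows mimicking wp_posts (ID, post_status, post_content).
# The contents are made-up illustrations, not payloads from the incident.
SAMPLE_POSTS = [
    (101, "publish", "<p>Welcome to our shop. Opening hours are 9-17.</p>"),
    (102, "draft",   "[evalphp] file_put_contents(ABSPATH . 'x.php', "
                     "base64_decode('PLACEHOLDER')); [/evalphp]"),
    (103, "draft",   "<p>Notes for next week's article.</p>"),
    (104, "publish", "[evalphp] echo date('Y'); [/evalphp]"),
]

# Indicators worth reviewing in post content. The shortcode name is assumed.
INDICATORS = {
    "php_open_tag": re.compile(r"<\?php", re.I),
    "evalphp_shortcode": re.compile(r"\[evalphp\]", re.I),
    "dangerous_call": re.compile(
        r"\b(eval|base64_decode|file_put_contents|system|shell_exec)\s*\(", re.I
    ),
}

def scan_posts(rows):
    """Return one finding per post whose content matches any indicator.

    Drafts are rated 'high' because the article notes attackers hide the
    injected pages as drafts; published hits are flagged for review, since
    a legitimate administrator may also use the plugin.
    """
    findings = []
    for post_id, status, content in rows:
        hits = [name for name, rx in INDICATORS.items() if rx.search(content)]
        if not hits:
            continue
        severity = "high" if status == "draft" else "review"
        findings.append(
            {"id": post_id, "status": status, "indicators": hits, "severity": severity}
        )
    return findings

def wp_cli_query(prefix="wp_"):
    """Equivalent query to run on a real site via `wp db query "<sql>"`."""
    return (
        f"SELECT ID, post_status, post_type FROM {prefix}posts "
        "WHERE post_content LIKE '%[evalphp]%' OR post_content LIKE '%<?php%'"
    )

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f)
```

Because the backdoor is re-created whenever a compromised page is visited, the drafts themselves must be removed (and the admin account rotated), not just the dropped file.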
Avoiding outdated software (here, plugins) is one way to prevent intrusions. If Eval PHP were maintained, its maintainers would surely find ways to prevent the plugin from being used to execute malicious code.
Since in this case the plugin is installed by the attacker rather than the user, it would fall to the maintainers of the WordPress plugin repository to adopt preventive measures. On the other hand, it is difficult for them to monitor such a huge universe of plugins.
This is why supplementary measures must be taken by website administrators. Sucuri recommends:
- keep the website resources up to date;
- protect the WordPress admin panel with two-factor authentication to prevent unauthorized access;
- have a regular backup service;
- use firewalls to block bots and mitigate known vulnerabilities.