• Anthyx

    (@anthyx)


    Hi,

    today when I’ve upgraded my plugins I’ve noticed a strange one, one I’ve never installed: its name is “WordPress Researcher”.

    I’ve tried looking for it using Google but I got no valid information: it seems it’s a kind of malware installing a sort of “backdoor” access used by hackers.

    Have you any more information about it? If so, can you help me to completely remove it? Does it suffice to remove the plugin (I’ve deactivated it at the moment)?

    Many many thanks in advance, please help!

    Antonio

Viewing 9 replies - 1 through 9 (of 9 total)
  • wslade

    (@wslade)

    This plugin just appeared on one of my sites as well. Wordfence alerted me that a user with administrative rights had logged in with the name admin (there was no such user before, and Wordfence is supposed to block any attempt to create that user). IP address is St. Petersburg, Russia.

    There seems to be nothing wrong except the appearance of the WordPress Researcher plugin (supposedly created by wordpressdotorg), which I have immediately deleted.

    I am the sole admin of this site – how can another admin user be created?

    Thread Starter Anthyx

    (@anthyx)

    Hi,

    it’s a kind of trojan as I see. Don’t worry, it’s not too bad. I have solved using another plugin, a quite famous one too: it’s called “Wordfence” (there are at least 2/3 other good ones). It should clean and protect your site from future attacks.

    Hope it helps.

    Ciao

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Installing plugins won’t clean your site from backdoors that the hackers left in. Wslade posted a lot of helpful resources.

    Clearing it up is OK, and according to Wordfence there are no further infections, but Wordfence was already installed before the infection and the hackers still managed to create the “admin” user. How can they do that? Maybe a cross-infection from another site on the same server?

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    The problem with compromised sites is that they install backdoors all over the place. Until you’ve deloused your files, directories and DB then you’ll still be at the mercy of the attacker.

    This really is a good reply above and will get you started delousing your site.

    If it’s your server that’s been compromised then you may need to consider moving to a new host.

    Thread Starter Anthyx

    (@anthyx)

    You say I may be still infected? Even if wordfence (one of the best plugins in its field) says it’s clean and protecting my site? To tell you the truth, since then nothing strange happened.
    Which do you think is the most reliable tool to check for backdoors etc.?

    I somehow had three instances of this plugin installed without my knowledge. Users ‘admin’ and ‘administrator’ were created.

    Sneaky bastards. I deleted plugins, deleted users, scanned with Anti-Malware and Brute-Force Security by ELI and everything seems to be in order.

    For me this is still a mystery: how do they manage to create physical files on the server (I know you can do it with simple PHP instructions, but how do they execute it)?

    One way to execute PHP files is by using curl, if any code was injected; I think they injected it into your plugin files.

    Example:

    # the query string must be quoted, otherwise the shell treats "&" as a command separator
    curl 'https://www.example.org/cron.php?id=01001&hash=cm349ucKuc023b2ynGyv23ycr23'
    
    and in the PHP file:
    
    <?php
    // the hard-coded hash works as a shared secret: the hidden code path runs only when the request carries it
    if (isset($_GET['hash']) && $_GET['hash'] == 'cm349ucKuc023b2ynGyv23ycr23') {
        ....
        stuff to do
        ....
    }

    *You can even add a specific time/date check for when it should be run.
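A defender-side check for the trigger pattern described in the post above, added here as an example and not code from this thread or from any of the plugins mentioned: a small scanner, with constructed sample plugin files, that flags PHP files where a request parameter is compared against a long hard-coded secret and the same file calls something like eval or file_put_contents. The plugin and file names in the sample tree are made up.

```python
import os
import re
import tempfile
from pathlib import Path

# A request parameter compared against a long hard-coded literal: the "shared
# secret" gate the post describes ($_GET['hash'] == '...').
SECRET_GATE = re.compile(
    r"""\$_(?:GET|POST|REQUEST|COOKIE)\s*\[\s*['"][^'"]+['"]\s*\]\s*={2,3}\s*['"][^'"]{16,}['"]"""
)
# Calls that turn such a gate into a working backdoor (code execution, file
# writes, payload decoding).
DANGEROUS_CALL = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|file_put_contents|base64_decode|gzinflate)\s*\("
)

def scan_php_file(path):
    """Findings for one PHP file: is it secret-gated, and which risky calls it makes."""
    src = Path(path).read_text(errors="replace")
    gated = SECRET_GATE.search(src) is not None
    calls = sorted(set(DANGEROUS_CALL.findall(src)))
    # Only the combination is flagged: a gate on its own is how many plugins route admin pages.
    return {"gated": gated, "calls": calls, "suspicious": gated and bool(calls)}

def scan_plugins(root):
    """Walk a plugin directory tree and return {posix relative path: findings} for hits."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = Path(dirpath, name)
                finding = scan_php_file(full)
                if finding["suspicious"]:
                    hits[full.relative_to(root).as_posix()] = finding
    return hits

def build_sample_tree():
    """Constructed sample plugin directory: one gated file, one ordinary plugin (hypothetical names)."""
    root = tempfile.mkdtemp()
    rogue = Path(root, "wp-researcher")
    rogue.mkdir()
    (rogue / "cron.php").write_text(
        "<?php\n"
        "if(isset($_GET['hash']) && $_GET['hash']=='cm349ucKuc023b2ynGyv23ycr23'){\n"
        "    eval('/* constructed placeholder, no real payload */');\n"
        "}\n"
    )
    benign = Path(root, "my-plugin")
    benign.mkdir()
    (benign / "admin.php").write_text(
        "<?php\n"
        "if (isset($_GET['page']) && $_GET['page'] == 'my-plugin-settings') { echo 'settings'; }\n"
    )
    return root

if __name__ == "__main__":
    for path, finding in scan_plugins(build_sample_tree()).items():
        print(path, finding["calls"])
```

Run it against a real wp-content/plugins directory to get a first list of files worth reading by hand; a hit is a lead, not proof, and a clean result does not mean the site is clean.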

  • The topic ‘"WordPress Researcher", malware? How to get rid of it?’ is closed to new replies.