While cleaning-up an infected server today, I came across this plugin: Breadcrumb shortcode (slug: breadcrumbs-ez).
I compared its code to the one from the official plugin and I was shocked to see that they were strictly identical: in other words, hackers were able to upload the malicious plugin to the official WordPress Plugin repository.
http://bootstrap.myftp.org/moment.min.js script downloads a bunch of JS code which, via AJAX, uses the WordPress built-in Theme Editor to edit and inject PHP code into the
functions.php from the TwentyFifteen theme.
It downloads some more code from
http://beachvoetvolley.nl, then makes quite a lot of changes to your WordPress installation but the most interesting part is that it attempts to detect if some security plugins are installed and, if any, will inform the hackers about that (it will return a
pocket:1 HTTP header if a security plugin is detected):
More code is available from our Malware Threats Report #2016020911
If you are using our NinjaFirewall (WP Edition) plugin, you can disable the Theme and Plugin editor from the "NinjaFirewall > Firewall Policies > Disable the plugin and theme editor" menu.
Update Feb. 9, 2016: Another similar malicious plugin, Analytics (slug: enable-google-analytics), was discovered in the WordPress repo with the same JS code and uploaded by the same person. It has 2,000+ active installs.
- Fake WordPress plugin repository distributing malware.
- Fake wordpress-update.com site used to distribute malware via malicious plugins.