To find the origin of this threat, we must go back to last April, when researchers at the security company Sucuri discovered more than 5,500 websites running this CMS that were infected with malware capable of mining cryptocurrencies, something that has become increasingly common. Since then, the threat has gone through many changes, especially in its behaviour. Initially, it used the WordPress functions.php file to make requests to a fake Cloudflare address in order to establish a WebSocket with the help of a library. When the security experts first analyzed the threat, the message shown when visiting the fake Cloudflare domain was "This Server is part of Cloudflare Distribution Network". That message has since changed, and now it reads "This server is part of an experimental science machine learning algorithms project".
Behavior of this keylogger that affects WordPress websites
Since April, things have changed. The cryptocurrency mining has disappeared (at least for the time being), and the malware has mutated into a keylogger. Every text input field on the site has been modified: a handler has been added that sends whatever is typed to the address wss://cloudflare[.]solutions:8085/. The keylogger can therefore steal the credentials of users logging in to the site, including WordPress logins, which means the administration of the CMS itself is compromised as well. Given how many services are linked together, it is very likely that at some point a user has entered credentials for platforms such as Twitter or Facebook on an affected site. In that case, changing the password is urgent; otherwise the accounts could be used without the user's consent. Security experts have also found the CoinHive script being injected to mine coins, although it does not seem to be in use at the moment.
I have a website that uses WordPress and is affected: What can I do?
Obviously, there is a solution, although it is not trivial. Owners of an affected website should search the functions.php file for the add_js_scripts function and delete it. They should then search for every statement that references the deleted function and remove those as well; otherwise the CMS will not load its elements correctly. Once this is done, it is advisable to change all access credentials. So, what do you think about this threat? Share your views and thoughts in the comment section below.
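To make the manual check above repeatable, here is an added example (not code from the article or from Sucuri) that scans PHP source for the add_js_scripts function definition, every statement referencing it, and any URL pointing at the cloudflare.solutions domain. The sample functions.php content is constructed for this example, and the walk over a WordPress tree is an assumed helper.

```python
import os
import re

# Indicators named in the article: the injected function and the exfiltration domain.
FUNC_NAME = "add_js_scripts"
IOC_DOMAIN = "cloudflare.solutions"

PATTERNS = {
    # "function add_js_scripts(" -- the definition that must be deleted first
    "function_definition": re.compile(r"\bfunction\s+" + FUNC_NAME + r"\s*\("),
    # 'add_js_scripts' passed as a callback, e.g. to add_action(); remove these too
    "function_reference": re.compile(r"['\"]" + FUNC_NAME + r"['\"]"),
    # any ws/wss/http/https URL on the fake Cloudflare domain, optional port
    "ioc_domain": re.compile(
        r"(?:wss?|https?)://" + re.escape(IOC_DOMAIN) + r"(?::\d+)?", re.I),
}


def scan_php_source(source):
    """Return a list of (line_number, indicator_name, stripped_line) hits."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name, line.strip()))
    return hits


def scan_wordpress_tree(root):
    """Walk an install and scan every .php file; returns {path: hits}."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read())
            except OSError:
                continue
            if hits:
                results[path] = hits
    return results


# Constructed sample: a theme functions.php carrying the injected snippet.
SAMPLE_FUNCTIONS_PHP = """<?php
function add_js_scripts() {
    wp_enqueue_script('cfjs', 'https://cloudflare.solutions/PLACEHOLDER.js');
}
add_action('wp_enqueue_scripts', 'add_js_scripts');
add_action('admin_enqueue_scripts', 'add_js_scripts');
add_action('login_enqueue_scripts', 'add_js_scripts');
"""
```

Re-run `scan_php_source` on the edited file after cleanup: an empty result means both the function and every reference to it are gone.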