WordPress backdoors blend in with legitimate utilities to maintain access

A stealthy WordPress backdoor uses two files disguised as legitimate utilities to maintain a malicious administrator account, Sucuri reported Tuesday.

The two files, DebugMaster.php in the plugins folder and wp-user.php in the site's root directory, were discovered by Sucuri researchers during a cleanup of a compromised WordPress site.

The files maintain persistence even when other malicious files or accounts are removed: they blend in with legitimate plugins and utilities and ensure the survival of a particular admin account named “help.”

The “DebugMaster Pro” malicious plugin is responsible for initially creating the “help” account, generating credentials for the account and sending these details along with the server’s IP address to an attacker-controlled server.

The DebugMaster file also injects malicious code into the site's pages, which is served to every visitor except admin users and visitors whose IP addresses the malware explicitly excludes. Additionally, it collects and logs the IP addresses of other administrators, Sucuri noted.

DebugMaster does not appear in normal plugin listings and the “help” admin account is also filtered from user queries to evade detection. If the admin account is removed, wp-user.php acts as a backup that will continually recreate the account with the attacker’s credentials.

Both the DebugMaster plugin directory and wp-user.php file, along with the “help” account, would need to be removed to fully rid a site of infection.

Additionally, WordPress site owners who suspect a compromise should reset all credentials, audit user accounts, update all WordPress components, plugins and themes, and monitor server logs for suspicious activity, such as connections to unknown external domains.
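The two evasion tricks described above, a plugin hidden from the plugin listing and an account hidden from user queries, share one weakness: WordPress's own listings pass through plugin hooks, but the filesystem and the database table do not. The audit below is an added example written for this article, not Sucuri's code or a WordPress tool. It assumes an operator has three inputs: the WordPress root on disk, the account logins read straight from the wp_users table (for instance with the mysql client), and the user and plugin lists as WordPress itself reports them (for instance from `wp user list` and `wp plugin list`); the `build_sample_site` tree and the user and plugin lists in `__main__` are constructed to mirror the layout in the report. The core-file list is an assumption that should be checked against a pristine copy of the installed release.

```python
"""Audit a WordPress install for items that exist on disk or in the database
but are missing from WordPress's own (filterable) listings.

Added example for illustration; not code from Sucuri or the WordPress project.
"""
import os
import tempfile

# PHP files WordPress ships in its root directory. Assumption: this matches the
# installed release; verify against a pristine copy of that version before use.
WP_CORE_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}


def unexpected_root_php(wp_root):
    """PHP files in the WordPress root that are not part of core (e.g. wp-user.php)."""
    return sorted(
        name for name in os.listdir(wp_root)
        if name.endswith(".php")
        and os.path.isfile(os.path.join(wp_root, name))
        and name not in WP_CORE_ROOT_PHP
    )


def plugins_on_disk(wp_root):
    """Plugin slugs as the filesystem sees them: one per directory, plus any
    single-file plugin (a .php file directly in wp-content/plugins, reported by
    WP-CLI without its extension). The core placeholder index.php is ignored."""
    plugins = os.path.join(wp_root, "wp-content", "plugins")
    if not os.path.isdir(plugins):
        return set()
    slugs = set()
    for name in os.listdir(plugins):
        path = os.path.join(plugins, name)
        if os.path.isdir(path):
            slugs.add(name)
        elif name.endswith(".php") and name != "index.php":
            slugs.add(name[:-4])
    return slugs


def hidden_entries(ground_truth, wp_reported):
    """Entries present in the unfiltered source (disk or SQL) but absent from
    what WordPress reports. A plugin hooking the user or plugin query can hide
    an entry from the admin UI and WP-CLI, not from the table or the directory."""
    return sorted(set(ground_truth) - set(wp_reported))


def audit(wp_root, db_logins, wp_reported_logins, wp_reported_plugins):
    """Run all three checks and return the findings by category."""
    return {
        "root_php": unexpected_root_php(wp_root),
        "hidden_plugins": hidden_entries(plugins_on_disk(wp_root), wp_reported_plugins),
        "hidden_users": hidden_entries(db_logins, wp_reported_logins),
    }


def build_sample_site():
    """Constructed WordPress tree reproducing the file layout from the report:
    wp-user.php in the root and DebugMaster.php in the plugins folder."""
    root = tempfile.mkdtemp()
    for name in ("index.php", "wp-load.php", "wp-config.php", "wp-user.php"):
        open(os.path.join(root, name), "w").close()
    plugins = os.path.join(root, "wp-content", "plugins")
    os.makedirs(os.path.join(plugins, "akismet"))
    open(os.path.join(plugins, "index.php"), "w").close()
    open(os.path.join(plugins, "akismet", "akismet.php"), "w").close()
    open(os.path.join(plugins, "DebugMaster.php"), "w").close()
    return root


if __name__ == "__main__":
    site = build_sample_site()
    # Constructed listings: the direct table read contains "help" and the
    # directory contains DebugMaster, but WordPress reports neither.
    findings = audit(
        site,
        db_logins=["admin", "editor", "help"],
        wp_reported_logins=["admin", "editor"],
        wp_reported_plugins=["akismet"],
    )
    for check, hits in findings.items():
        print(f"{check}: {hits or 'clean'}")
```

Run against a real site, feed `db_logins` from a direct `SELECT user_login FROM wp_users` and the two `wp_reported_*` lists from WP-CLI; any entry returned under `hidden_users` or `hidden_plugins` is an item WordPress was prevented from showing you, which is exactly the behaviour the report attributes to DebugMaster.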