Malicious Redirects Through Bogus Plugin
Recently we have been seeing a rash of WordPress website compromises in which attackers abuse the plugin upload functionality in the wp-admin dashboard to redirect visitors and website owners to malicious websites.
The payload is the following bogus plugin located here:
./wp-content/plugins/plugs/plugs.php
At first glance these appear to be very unorthodox domains:
hxxp://xn--o1aofd[.]xn--p1ai
hxxp://xn--80ady8a[.]xn--p1ai
hxxp://xn--80adzf[.]xn--p1ai
hxxp://xn--g1aey4a[.]xn--p1ai
hxxp://xn--g1asqf[.]xn--p1ai
hxxp://xn--i1abh6c[.]xn--p1ai
However, they are using what is known as “punycode”: the xn-- prefix marks an internationalized domain name (IDN) label, and everything after it is the Punycode encoding of that label's Unicode characters.
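As an added example (not code from the Sucuri post), the following Python script refangs the indicators listed above and decodes their xn-- labels with the standard library's punycode codec, so an analyst reviewing page source or redirect logs can see the Unicode names hiding behind them and flag IDN hosts for review. The sample list is the six defanged URLs from the post; the function names are my own.

```python
import re

# Constructed sample: the six defanged redirect targets quoted in the post.
DEFANGED_URLS = [
    "hxxp://xn--o1aofd[.]xn--p1ai",
    "hxxp://xn--80ady8a[.]xn--p1ai",
    "hxxp://xn--80adzf[.]xn--p1ai",
    "hxxp://xn--g1aey4a[.]xn--p1ai",
    "hxxp://xn--g1asqf[.]xn--p1ai",
    "hxxp://xn--i1abh6c[.]xn--p1ai",
]

# IDNA "ASCII Compatible Encoding" prefix that marks a Punycode-encoded label.
ACE_PREFIX = "xn--"


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL."""
    return re.sub(r"^hxxp", "http", indicator).replace("[.]", ".")


def host_of(url: str) -> str:
    """Pull the hostname out of a URL (no credentials or ports expected here)."""
    return url.split("://", 1)[-1].split("/", 1)[0].lower()


def decode_label(label: str) -> str:
    """Decode one DNS label.

    An 'xn--' label is the Punycode form of a Unicode label; anything else is
    returned unchanged. Labels that fail to decode are also returned unchanged
    so a malformed indicator never aborts a scan of a whole log file.
    """
    if not label.lower().startswith(ACE_PREFIX):
        return label
    try:
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    except ValueError:  # UnicodeError (bad Punycode) is a subclass of ValueError
        return label


def decode_host(host: str) -> str:
    """Decode every label of a hostname, e.g. xn--p1ai -> рф."""
    return ".".join(decode_label(part) for part in host.split("."))


def is_idn(host: str) -> bool:
    """True if any label of the host is Punycode-encoded."""
    return any(part.lower().startswith(ACE_PREFIX) for part in host.split("."))


def analyze(indicator: str) -> dict:
    """Refang one indicator and report its ASCII host, Unicode host and IDN flag."""
    host = host_of(refang(indicator))
    return {
        "indicator": indicator,
        "host": host,
        "unicode_host": decode_host(host),
        "idn": is_idn(host),
    }


if __name__ == "__main__":
    for indicator in DEFANGED_URLS:
        result = analyze(indicator)
        print(f"{result['host']:28} -> {result['unicode_host']}  (IDN: {result['idn']})")
```

The top-level label xn--p1ai decodes to рф, the Cyrillic country-code TLD, and the second-level labels decode the same way. In a redirect-monitoring or log-review script the `idn` flag is the practical signal: a WordPress site that has never linked to IDN hosts suddenly emitting 30x responses to one is worth an alert, regardless of what the decoded name says.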
Continue reading Malicious Redirects Through Bogus Plugin at Sucuri Blog.