Recently we have been seeing a rash of WordPress website compromises with attackers abusing the plugin upload functionality in the wp-admin dashboard to redirect visitors and website owners to malicious websites.

The payload is the following bogus plugin located here:

./wp-content/plugins/plugs/plugs.php

At first glance these appear to be very unorthodox domains:

hxxp://xn--o1aofd[.]xn--p1ai

hxxp://xn--80ady8a[.]xn--p1ai

hxxp://xn--80adzf[.]xn--p1ai

hxxp://xn--g1aey4a[.]xn--p1ai

hxxp://xn--g1asqf[.]xn--p1ai

hxxp://xn--i1abh6c[.]xn--p1ai

However, they are using what is known as “punycode”, where everything after the xn-- is unicode.

Continue reading Malicious Redirects Through Bogus Plugin at Sucuri Blog.

Via Sucuri.net