> Beniamin Jablonski, 2025-01-25
# INTRODUCTION
Sometime around mid-2024, a friend of mine called me and told me that one of his old websites had started behaving strangely. His coworkers had reported that visiting the site would redirect them to other pages containing, let’s put it delicately, inappropriate content. Given my profession, I was immediately intrigued by the situation. Fortunately for me, my friend was already in the process of preparing a new website, and the old application was scheduled to be completely removed. He granted me access to the server and told me I could investigate as much as I wanted to see if I could figure out what was going on.
# INVESTIGATION
Using the administrator panel of the platform hosting the application server, I managed to enable `SSH` access as `root`. I connected and got to work.
The website was running on the WordPress engine. I located the application’s source files. After an initial reconnaissance, I decided to inspect the `wp-config.php` file to retrieve the credentials for the MySQL database. I logged into the database:
```bash
mysql -u <DB_USER> -p # or just "mysql" as root
```
I selected the database associated with the WordPress instance:
```sql
use <DATABASE>;
```
And I examined the standard users table:
```sql
SELECT * FROM wp_users;
```
![[Pasted image 20240611002736.png]]
Two users caught my attention:
```
wp-configuser
wpsupp-user
```
The usernames could pass for WordPress service accounts, but WordPress creates no such accounts by default. Moreover, the registration dates of both users were very recent. I was also intrigued by the display name `James Rollner`, which appeared alongside the user `wp-configuser`. All of this looked suspicious, so I searched the internet for information.
Here is how the search of publicly available sources unfolded, with selected quotes from each source:
- For the email `[email protected]` and the name `James Rollner`, I found the following [post](https://goldpenguin.org/blog/urgent-security-update-released-for-oxyextras-wordpress-plugin/):
> [!quote]
> (...) However, reports from users in the Oxygen Facebook community indicate the exploit may allow hackers to create rogue admin accounts on WordPress sites running vulnerable versions of OxyExtras. One site owner reported finding an unauthorized admin account with the email address `[email protected]` and username referencing "James Rollner" added to his site. It's unclear if this is directly related to the OxyExtras vulnerability.
- For the email `[email protected]` I found another [post](https://wordpress.org/support/topic/unknown-user-added-and-malware-issue/):
> [!quote]
> (...) I did some digging myself in the backend and realized there was an unknown user listed called “`wpsupp-user`” with an email address listed as “`[email protected]`” and the website listed in their contact info was “wordpresss.com.” I screenshotted this and then deleted the user.
- Finally, I found this post on [reddit](https://www.reddit.com/r/Wordpress/comments/1bdosp2/wordpressorg_websites_hacked_redirecting_to_adult/):
> [!quote]
> Two of my websites were hacked over the last few days. (...)
>
> **Problem:** the website redirects to 18+ websites, and triggers antivirus alerts when visited. It may not be obvious immediately if your website is cached, so you may have to check on a browser you don't usually use. Also, the redirection seems to happen only when the website is visited from a search engine, and not when it's directly accessed.
>
> **Cause:** the entry point of the hack seems to be older versions of LSCache (5.4) [https://twitter.com/georgetasioulis/status/1766440654794608883](https://twitter.com/georgetasioulis/status/1766440654794608883)
>
> **Identified impacts:**
> - wp-blog-header.php core WordPress file modification. I discovered that while scanning the website with the plugin WordFence (free version)
> - one or two admin users created: wpsupp-user and admin (at) zzna (dot) ru
> - wp-cleansong plugin installed (in my case, not visible from the Wordpress plugins page, but it existed in the /plugins folder)
>
The last post contained links to two additional sources: [Twitter](https://twitter.com/georgetasioulis/status/1766440654794608883) and [StackOverflow](https://stackoverflow.com/questions/78135586/remove-malware-wp-cleansong), which mentioned the vulnerable `litespeed-cache` plugin and the presence of the malicious `wp-cleansong` plugin.
Two indicators of compromise (IoCs) therefore show whether this specific campaign has hit a WordPress site:
1. **Presence of the `wp-cleansong.php` file**: This file is not part of any standard WordPress installation and indicates unauthorized activity if present.
2. **Use of the `litespeed-cache` plugin in a vulnerable version (<= 5.7)**: Older versions of this plugin have been identified as a potential entry point for attackers.
I searched the filesystem for anything named `wp-cleansong` and soon found the following files:
![[Pasted image 20240611003454.png]]
Moreover, I confirmed the presence of `litespeed-cache` in an outdated, vulnerable version.
![[Pasted image 20240611003643.png]]
The [Twitter](https://twitter.com/georgetasioulis/status/1766440654794608883) post also linked to a [VirusTotal](https://www.virustotal.com/gui/file/15bab933ecd9f3771ba59b9666f43c75f1f0a1dcefbcba0b422a201a2a72db9a) entry for `wp-cleansong.php`, first submitted on 2024-03-01, which lists the file's hashes, including its `SHA-256`.
![[Pasted image 20250125224220.png]]
I then computed the `SHA-256` of the `wp-cleansong.php` file I had found on the server:
![[Pasted image 20250125235353.png]]
> [!important]
> The two hashes matched: final confirmation that this was the same attack described in the sources above.
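The checks above, folded into one POSIX shell script as an added example (not code from the original post): it looks for `wp-cleansong*` files and compares their SHA-256 with the sample behind the VirusTotal link, reads the LiteSpeed Cache version from the plugin header and tests it against the affected range (<= 5.7), and, where a `mysql` client is available, lists administrator accounts newest first using the credentials parsed from `wp-config.php`. It assumes the stock `wp_` table prefix, the plugin at `wp-content/plugins/litespeed-cache/`, and `define('KEY', 'value')` lines in `wp-config.php`; run without an argument it builds a constructed dummy tree (not a real site) and scans that.

```shell
#!/bin/sh
# Added example, not code from the original post: an IoC sweep built from the
# indicators the post lists. Assumptions: table prefix wp_, plugin path
# wp-content/plugins/litespeed-cache/, stock define('KEY', 'value') lines in
# wp-config.php.

# SHA-256 of the wp-cleansong.php sample behind the VirusTotal link in the post.
KNOWN_CLEANSONG_SHA256=15bab933ecd9f3771ba59b9666f43c75f1f0a1dcefbcba0b422a201a2a72db9a
VULN_MAX_VERSION=5.7   # last LiteSpeed Cache version affected by CVE-2023-40000

sha256_of() {  # print the SHA-256 of file $1 (GNU or BSD userland)
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{print $1}'
}

find_cleansong() {  # list files named wp-cleansong* below directory $1
  find "$1" -type f -name 'wp-cleansong*' 2>/dev/null
}

plugin_version() {  # print the "Version:" value from a plugin main file's header ($1)
  sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9.][0-9.]*\).*/\1/p' "$1" | head -n1
}

version_le() {  # exit 0 if dotted version $1 <= $2, comparing components numerically
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
      if (p < q) exit 0; if (p > q) exit 1
    }
    exit 0 }'
}

wp_config_value() {  # print the value of define('$2', '...') in wp-config.php at $1
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n1
}

list_admins() {  # administrator accounts newest first, via the DB creds in wp-config.php ($1)
  command -v mysql >/dev/null 2>&1 || { echo "  (no mysql client, skipped)"; return 0; }
  host=$(wp_config_value "$1" DB_HOST)
  MYSQL_PWD=$(wp_config_value "$1" DB_PASSWORD) mysql -u "$(wp_config_value "$1" DB_USER)" \
    -h "${host:-localhost}" "$(wp_config_value "$1" DB_NAME)" -e \
    "SELECT u.ID, u.user_login, u.user_email, u.user_registered
       FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
      WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'
      ORDER BY u.user_registered DESC"
}

scan_site() {  # $1 = WordPress root; returns 1 if any indicator fires
  root=$1; bad=0
  echo "== wp-cleansong files under $root"
  if [ "$(find_cleansong "$root" | wc -l | tr -d ' ')" -gt 0 ]; then
    bad=1
    find_cleansong "$root" | while IFS= read -r f; do
      h=$(sha256_of "$f")
      [ "$h" = "$KNOWN_CLEANSONG_SHA256" ] && tag="matches the VirusTotal sample" || tag="unknown hash, submit for analysis"
      echo "  $f  sha256=$h  ($tag)"
    done
  else
    echo "  none"
  fi
  echo "== litespeed-cache version"
  main="$root/wp-content/plugins/litespeed-cache/litespeed-cache.php"
  if [ ! -f "$main" ]; then
    echo "  plugin not installed"
  elif v=$(plugin_version "$main") && [ -n "$v" ] && version_le "$v" "$VULN_MAX_VERSION"; then
    bad=1; echo "  $v (<= $VULN_MAX_VERSION, affected by CVE-2023-40000)"
  else
    echo "  ${v:-unknown} (outside the affected range)"
  fi
  echo "== administrator accounts"
  if [ -f "$root/wp-config.php" ]; then list_admins "$root/wp-config.php"; else echo "  wp-config.php not found, skipped"; fi
  return $bad
}

build_demo_tree() {  # constructed fixture standing in for a compromised site; prints its path
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/plugins/litespeed-cache" "$d/wp-content/plugins/wp-cleansong"
  printf '<?php\n/**\n * Plugin Name: LiteSpeed Cache\n * Version: 5.4\n */\n' \
    > "$d/wp-content/plugins/litespeed-cache/litespeed-cache.php"
  printf '<?php // placeholder, not the real malicious file\n' \
    > "$d/wp-content/plugins/wp-cleansong/wp-cleansong.php"
  echo "$d"
}

if [ $# -gt 0 ]; then
  scan_site "$1"                       # e.g.  sh ioc-scan.sh /var/www/html
else
  demo=$(build_demo_tree)              # no argument: scan the constructed tree
  if scan_site "$demo"; then echo "clean"; else echo "indicators found (exit status $?)"; fi
  rm -rf "$demo"
fi
```

On the constructed tree the placeholder file's hash is reported as unknown, since it is not the real sample; on a live site a match against the VirusTotal hash is the confirmation the post describes, and an unknown hash on a file with that name still deserves analysis. A non-zero exit status lets the script sit in a cron job or a fleet-wide SSH loop.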
# CVE-2023-40000
The vulnerability exploited by the attacker had already been identified and was assigned the identifier [CVE-2023-40000](https://nvd.nist.gov/vuln/detail/cve-2023-40000). It was described on the [Wordfence](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/litespeed-cache/litespeed-cache-57-reflected-cross-site-scripting-via-nameservers-and-msg) website as follows:
> [!quote]
> The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'nameservers' and 'msg' parameters in all versions up to, and including, 5.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
A PoC demonstrating how this vulnerability can be exploited can be found [here](https://wpscan.com/vulnerability/dd9054cc-1259-427d-a4ad-1875b7b2b3b4/).
An analysis of the vulnerable code can be found [here](https://patchstack.com/articles/xss-vulnerability-in-litespeed-cache-plugin-affecting-4-million-sites/).
The entire attack can, therefore, be reconstructed as follows:
1. The attacker exploits the Stored XSS vulnerability to inject malicious JavaScript into the application.
2. When the administrator logs into the WordPress admin panel, the malicious script is executed.
3. The script creates a new administrator-level user and installs a malicious plugin.
4. Additionally, changes are made to the application files, redirecting website visitors to harmful content on other websites.
This was not a hands-on-keyboard attack; it was one hit of an automated campaign exploiting `CVE-2023-40000` across vulnerable sites.
Fortunately, I was able to reassure my friend that no one was specifically targeting him or trying to harm him personally. He was simply an unlucky victim of a mass attack. Unfortunately for him, he also became my victim, as he had to listen to my lecture on how critical regular updates are for security. 🙂
# REMEDIATIONS
The primary remediation for this vulnerability is updating the `litespeed-cache` plugin to a version beyond the affected range (> 5.7), ideally the latest release. Patching alone does not undo an existing compromise, though: if the indicators above are present, remove the rogue administrator accounts and the `wp-cleansong` plugin, verify core and plugin files against known-good copies (WP-CLI's `wp core verify-checksums` and `wp plugin verify-checksums` do this), and rotate the database and administrator credentials. For a fuller clean-up procedure, consider the actions described in this [post](https://deployed.pl/blog/i-had-a-wordpress-incident).
> [!note]
> WordPress, as one of the most popular content management systems in the world, is often a prime target for large-scale attack campaigns. Its widespread use makes it an attractive platform for attackers looking to exploit vulnerabilities in outdated plugins, themes, or core files. **Regular updates are crucial.**
# REFERENCES
1. https://goldpenguin.org/blog/urgent-security-update-released-for-oxyextras-wordpress-plugin/
2. https://wordpress.org/support/topic/unknown-user-added-and-malware-issue/
3. https://www.reddit.com/r/Wordpress/comments/1bdosp2/wordpressorg_websites_hacked_redirecting_to_adult/
4. https://www.virustotal.com/gui/file/15bab933ecd9f3771ba59b9666f43c75f1f0a1dcefbcba0b422a201a2a72db9a
5. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/litespeed-cache/litespeed-cache-57-reflected-cross-site-scripting-via-nameservers-and-msg
6. https://wpscan.com/vulnerability/dd9054cc-1259-427d-a4ad-1875b7b2b3b4/
7. https://www.reddit.com/r/Wordpress/comments/1bzmj9m/please_update_your_litespeed_cache_plugin_if_you/
8. https://patchstack.com/articles/xss-vulnerability-in-litespeed-cache-plugin-affecting-4-million-sites/
9. https://deployed.pl/blog/i-had-a-wordpress-incident