[wp-hackers] Viruses that look for open WordPress tabs in your browser?

J.D. Grimes jdg at codesymphony.co
Fri Dec 11 13:08:58 UTC 2015


I'm not an expert, but I've never heard of anything like that before. Isn't it possible that the connection was compromised and an attacker was listening in on the user, then stole their session and spoofed the user agent?

-J.D.

> On Dec 10, 2015, at 7:03 PM, David Anderson <david at wordshell.net> wrote:
> 
> Has anyone come across the following before? Or is it potentially a new thing? (I've not read any such thing before).
> 
> I'm examining a hacked WP site. The logs show that the site owner, the sole admin, was logged in, and working on it in wp-admin in a normal way, up until 02:52 on a certain day. Then absolutely nothing until 03:35. Then at 03:35, wham - a single GET followed by a load of POST requests to the plugin editor, one for each plugin, inserting hacker code. All from the admin's IP/browser (same user agent), and too close together to be human (i.e. obviously scripted). It's all the same IP and browser session, which is confirmed as the site owner's ISP.
> 
> My inference from that is that the site owner, at 02:52, went to do other things, leaving the browser tab open. They got infected with a virus (or perhaps already were), and that virus hunted for open browser sessions logged in to wp-admin, and used those sessions to infect the WP site.
> 
> That's all technically doable. But I've not previously heard of a virus (the customer has a Mac, and was using Safari) that does this. Is this a new thing?
> 
> David
> 
> -- 
> UpdraftPlus - best WordPress backups - http://updraftplus.com
> WordShell - WordPress fast from the CLI - http://wordshell.net
> 
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
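
The log pattern described in the quoted message (a quiet period, then one GET and a machine-speed run of POSTs to the plugin editor from the same IP and user agent) can be searched for in an access log. The following is an added example, not part of either message: it assumes the common "combined" log format, and the sample lines, addresses, date and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

EDITOR = "/wp-admin/plugin-editor.php"
LINE_RE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

# Constructed sample (combined log format); addresses, times and agents are invented.
UA = "Mozilla/5.0 (Macintosh) Safari"
def _line(ip, hms, method, path, ua=UA):
    return f'{ip} - - [01/Jan/2015:{hms} +0000] "{method} {path} HTTP/1.1" 200 512 "-" "{ua}"'

SAMPLE_LOG = "\n".join([
    _line("203.0.113.7", "02:51:40", "GET", "/wp-admin/edit.php"),
    _line("203.0.113.7", "02:52:05", "POST", "/wp-admin/post.php"),
    _line("203.0.113.7", "03:35:01", "GET", EDITOR),
    _line("203.0.113.7", "03:35:02", "POST", EDITOR),
    _line("203.0.113.7", "03:35:02", "POST", EDITOR),
    _line("203.0.113.7", "03:35:03", "POST", EDITOR),
    _line("203.0.113.7", "03:35:04", "POST", EDITOR),
    _line("198.51.100.9", "09:10:00", "GET", EDITOR + "?file=a.php", "Mozilla/5.0 (X11) Firefox"),
    _line("198.51.100.9", "09:12:30", "POST", EDITOR, "Mozilla/5.0 (X11) Firefox"),
])

def find_editor_bursts(log_text, min_posts=3, max_gap=timedelta(seconds=2)):
    """Return scripted-looking runs of plugin-editor POSTs, per (IP, user agent)."""
    clients = defaultdict(list)
    for m in map(LINE_RE.match, log_text.splitlines()):
        if m:
            ip, ts, method, path, ua = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            clients[ip, ua].append((when, method, path.split("?")[0]))
    findings = []
    for (ip, ua), events in clients.items():
        events.sort()
        runs = [[events[0]]]          # a run = requests spaced no more than max_gap apart
        for ev in events[1:]:
            if ev[0] - runs[-1][-1][0] <= max_gap:
                runs[-1].append(ev)
            else:
                runs.append([ev])
        for i, run in enumerate(runs):
            posts = sum(1 for _, meth, p in run if meth == "POST" and p == EDITOR)
            if posts >= min_posts:    # too many editor saves, too close together
                idle = run[0][0] - runs[i - 1][-1][0] if i else None
                findings.append({"ip": ip, "ua": ua, "start": run[0][0],
                                 "editor_posts": posts, "idle_before": idle})
    return findings
```

A hit shows only that the requests were scripted and reused an existing client identity; the log alone does not distinguish between the explanations raised in the thread.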


