Called WP-Base-SEO, the software is a forgery of a legitimate search engine optimization plugin called WordPress SEO Tools, security firm SiteLock writes.
According to SiteLock, the file appears legitimate at first glance: it includes a reference to the WordPress plugin database and documentation of exactly how it works. A closer look, however, reveals the plugin's malicious intent in the form of a base64-encoded PHP eval request.
Eval is a PHP function that executes arbitrary PHP code and it is frequently used for malicious purposes. It has become so abused, in fact, that php.net recommends against using it.
The malicious wp-base-seo plugin's directory holds two files. One of them, wp-sep.php, uses different function and variable names depending on the install. The second, wp-seo-main.php, uses native WordPress hook functionality to attach the eval request to the header of the website's theme.
At this point, the attackers have back-door access and can force sites to do what they desire.
Researchers have observed multiple sites that have been infected by the malware, but searching the Internet for the plugin name reveals no information. This suggests that this particular malware has gone largely undetected until now.
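Because function and variable names change per install and the plugin name turns up nothing in searches, detection has to key on content. The following is an added example, not SiteLock's tooling: a Python triage scanner that flags a plugin when an eval of base64-decoded data and a header hook appear anywhere in its files. The `wp_head` hook name, the indicator labels and the sample file contents are assumptions constructed for illustration.

```python
import re, tempfile
from pathlib import Path

# eval( ... base64_decode( ... matched by content, since names vary per install
EVAL_B64 = re.compile(r"\beval\s*\(\s*[^;]*?base64_decode\s*\(", re.I)
ANY_EVAL = re.compile(r"\beval\s*\(", re.I)
# Hook onto the theme header; 'wp_head' is an assumption, the page names no hook
HEAD_HOOK = re.compile(r"\badd_(?:action|filter)\s*\(\s*['\"]wp_head['\"]", re.I)

def scan_source(php):
    """Return the set of indicators found in one PHP source string."""
    hits = set()
    if EVAL_B64.search(php):
        hits.add("eval-base64")
    elif ANY_EVAL.search(php):
        hits.add("eval")          # lower confidence, still worth a look
    if HEAD_HOOK.search(php):
        hits.add("head-hook")
    return hits

def scan_plugin(plugin_dir):
    """Scan every .php file in a plugin and correlate hits across files."""
    files = {}
    for path in sorted(Path(plugin_dir).rglob("*.php")):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            files[path.name] = hits
    combined = set().union(*files.values())
    # The eval and the hook may live in different files of the same plugin
    return {"files": files,
            "suspicious": {"eval-base64", "head-hook"} <= combined}

# Constructed samples (inert payload); only the two file names come from the page
SAMPLES = {
    "wp-sep.php": "<?php function xk_q9($d) { eval(base64_decode($d)); }",
    "wp-seo-main.php": "<?php add_action('wp_head', 'xk_hdr');\n"
                       "function xk_hdr() { xk_q9('Q09OU1RSVUNURUQ='); }",
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        plugin = Path(root) / "wp-base-seo"
        plugin.mkdir()
        for name, body in SAMPLES.items():
            (plugin / name).write_text(body)
        return scan_plugin(plugin)

if __name__ == "__main__":
    print(demo())
```

Run `scan_plugin` over each directory under `wp-content/plugins`; a hit is a lead for manual review, since the regexes also match eval calls inside comments or strings.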
Submitted by: Arnfried Walbrecht