An outdated Eval PHP plugin for WordPress is being used by attackers to compromise websites and plant hidden backdoors. The plugin, which has not been updated in more than ten years, is still available in the official WordPress plugin repository and is being abused to inject malicious code into sites. According to Sucuri researchers, such attacks rose sharply in April 2023, with the plugin averaging around 4,000 malicious installs per day.
The main advantage of using a plugin over a conventional backdoor injection is that Eval PHP lets attackers re-infect "cleaned" sites while keeping the point of compromise relatively hidden. The plugin is used to deliver a payload that gives attackers remote code execution on the compromised site. The malicious code is stored in the site's database, specifically in the wp_posts table, rather than in a plugin or theme file, which makes the compromise harder to detect with file-based scanning alone.
During an attack, the hackers use a compromised or newly created administrator account to install Eval PHP, which lets them execute arbitrary PHP embedded in posts via [evalphp] shortcodes. That code drops a backdoor (observed as 3e9c0ca6bbe9.php) into the site's root directory; the file name may vary.
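Because the payload lives in post content rather than in a file, a practical check is to scan the wp_posts table for the shortcode itself. The following scanner is an added example written for this article, not Sucuri's tooling or the plugin's code. It runs over constructed wp_posts rows (the sample posts, the x.php file name and the base64 literal are all made up for illustration), extracts anything between [evalphp] and [/evalphp], decodes base64 string literals passed to base64_decode(), and lists the risky PHP functions the payload calls. The constructed payload reads its commands from a cookie, mirroring the cookie-based channel the article attributes to the real backdoor, but it is not a sample from any incident.

```python
"""Hunt for Eval PHP shortcodes in exported wp_posts rows.

Added example for this article, not code from Sucuri or the Eval PHP plugin.
The plugin executes whatever sits between [evalphp] and [/evalphp] when a post
is rendered, so the payload is stored in the database. All sample data below is
constructed for illustration.
"""
import base64
import binascii
import re
from typing import Dict, List

# Constructed wp_posts rows (only the columns the scan needs). Not real data.
SAMPLE_POSTS: List[Dict[str, object]] = [
    {"ID": 101, "post_status": "publish",
     "post_content": "<p>Welcome to our shop.</p>"},
    {"ID": 102, "post_status": "draft",
     "post_content": ("[evalphp]\n"
                      "file_put_contents(ABSPATH . 'x.php', "
                      "base64_decode('PD9waHAgZXZhbCgkX0NPT0tJRVsnYSddKTs='));\n"
                      "[/evalphp]")},
    {"ID": 103, "post_status": "publish",
     "post_content": '[gallery ids="1,2"] unrelated text'},
    {"ID": 104, "post_status": "publish",
     "post_content": "[EvalPHP] echo date('Y'); [/EvalPHP]"},
]

# Query to pull candidate rows from a live database (table prefix assumed wp_).
DETECTION_SQL = (
    "SELECT ID, post_status, post_type FROM wp_posts "
    "WHERE post_content LIKE '%[evalphp]%' OR post_content LIKE '%[/evalphp]%';"
)

# WordPress shortcodes are case-insensitive; the payload may span lines.
SHORTCODE_RE = re.compile(r"\[evalphp\](.*?)\[/evalphp\]", re.IGNORECASE | re.DOTALL)
# String literal handed straight to base64_decode(), a common obfuscation.
B64_LITERAL_RE = re.compile(r"""base64_decode\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")
# Functions that, inside post content, indicate code execution or file drops.
RISKY_FUNCTIONS = ("eval", "assert", "base64_decode", "file_put_contents",
                   "fwrite", "system", "exec", "shell_exec", "passthru")


def risky_calls(php: str) -> List[str]:
    """Return the risky functions called in a PHP fragment, in RISKY_FUNCTIONS order."""
    return [name for name in RISKY_FUNCTIONS
            if re.search(rf"\b{name}\s*\(", php, re.IGNORECASE)]


def decode_b64_literals(php: str) -> List[str]:
    """Decode every base64 literal passed to base64_decode(); mark undecodable ones."""
    decoded = []
    for literal in B64_LITERAL_RE.findall(php):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            decoded.append(f"<undecodable: {literal[:16]}>")
    return decoded


def scan_posts(posts: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag every [evalphp] shortcode, regardless of post status.

    Risky calls are searched in both the raw payload and its decoded literals,
    so a dropper that hides eval() behind base64 is still reported.
    """
    findings = []
    for post in posts:
        for match in SHORTCODE_RE.finditer(str(post["post_content"])):
            code = match.group(1).strip()
            decoded = decode_b64_literals(code)
            findings.append({
                "ID": post["ID"],
                "post_status": post["post_status"],
                "code": code,
                "decoded": decoded,
                "risky": risky_calls("\n".join([code, *decoded])),
            })
    return findings


def severity(finding: Dict[str, object]) -> str:
    """Any [evalphp] shortcode deserves review; one calling risky functions is high."""
    return "high" if finding["risky"] else "review"


if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f['ID']} ({f['post_status']}) severity={severity(f)} "
              f"risky={f['risky']} decoded={f['decoded']}")
```

Run the SQL against the site's database (adjusting the table prefix) to export candidate rows, then feed them to scan_posts(). Drafts and revisions are included deliberately: an attacker does not need the post to be publicly visible for the plugin to evaluate it, so filtering on post_status="publish" would miss payloads.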
Sucuri identified three IP addresses used to install the malicious Eval PHP plugin: 91.193.43[.]151, 79.137.206[.]177, and 212.113.119[.]6. To evade detection, the backdoor does not talk to its command-and-control server over POST requests; instead it passes data through cookies and GET requests with no visible parameters, so the traffic looks like ordinary page views in access logs.
Sucuri recommends that old, unmaintained plugins that can be easily abused by attackers be delisted from the repository. Eval PHP is not an isolated case, and site owners should take preventive measures, such as reviewing installed plugins and administrator accounts, to protect their websites from this kind of abuse.