[Resolved] o2switch customers targeted by insidious WordPress hack - UPDATE: The hosting provider is handling this in an exemplary manner

Identification & causes: everything you need to know 👇

Last week, I revealed on LinkedIn a widespread hack affecting owners of WordPress sites hosted by o2switch. As WordPress security experts, and thanks to an investigation carried out with a number of affected and unaffected colleagues, we have been able to find out more.

Updated 31/07/2024 - Summary

According to an internal source, the hosting provider is not really to blame. The hypothesis of inadequate maintenance of the hacked sites therefore remains the favoured one. Again according to this internal source, the resources put in place by the host to determine the precise origin of the problem are remarkable (a few examples were given to me, and I approve of the strategy). Finally, even if the number of sites affected may seem high, this must be put into perspective against o2switch's large customer base: the real impact remains very limited in proportion, and the vast majority of customers should not be affected by this specific problem.

What's more, on the evening of 30/07/2024, o2switch did something remarkable and very rare in the world of large hosting providers, by cleaning up the hack on the affected sites. It was a courageous move that surprised me coming from a hosting company. Indeed, the biggest hosting companies tend to have the opposite habit, i.e. to let customers sort things out when the problem comes from the end sites themselves. The host's investment is real here and earns my utmost respect.

When it comes to security, the most important thing is prevention: maintain your site with automatic updates, good backups and don't forget to use the latest compatible versions of PHP. If you need any help with this, it's my speciality 😉

📄 How the hack works

The hack redirects mobile users to fraudulent sites, particularly ones related to the Ukraine/Russia war, via a URL shortener hosted in the United Arab Emirates.

Technically, it consists of injecting obfuscated JavaScript code into all the WordPress posts on the site. It is therefore loaded into pages and posts and sometimes into other plugins such as cookie plugins, user opinion plugins, etc.

Here is an overview of the malicious code after de-obfuscation. Even if you don't read JavaScript, you can see that the action is triggered on click and that a random URL is selected according to the «UserAgent», i.e. the browser used:

Additional information 31/07/2024

The request that performed the hack may have been a simple POST to the site's index.php file, as a log entry suggests; it appears to correspond to a successful hack from an American IP (IP and site masked):

Jul-2024:213287:199.195.252 [HIDDEN] - - [27/Jul/2024:20:10:59 +0200] "POST /index.php?s=captcha HTTP/1.1" 200 102292 "https://www.[HIDDEN].en/index.php?s=captcha" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MS-RTC LM 8; InfoPath.3; .NET4.0C; .NET4.0E) chromeframe/8.0.552.224"

Here we see a request logged at 102292 bytes on the index, about 100x larger than the usual requests of around 1000 bytes, and this site has no captcha at all. What's disturbing is that the request results in a 200 code, meaning it was accepted and processed without error, whereas a visit to this URL should normally produce a 404 (Not Found) error.
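To find this pattern in an Apache access log without reading it by hand, here is an added example (my own code, not part of the original post) that parses combined-format lines, optionally prefixed with grep's "file:lineno:" as in the excerpt above, and flags a POST to index.php with a query string that was served with 200 and a byte count an order of magnitude above the site's typical page. The log lines are constructed, with documentation addresses in place of real clients; the threshold values are assumptions you should tune to your own site.

```python
import re

# Apache "combined" log line, optionally prefixed with grep's "file:lineno:" as in the excerpt above.
LOG_RE = re.compile(
    r'^(?:[^\s:]+:\d+:)?'                          # optional grep prefix
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '   # client, ident, user, timestamp
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '   # request line
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '         # status and byte count
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'       # referer and user agent
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def flag_suspicious_posts(lines, typical_bytes=1000, ratio=10):
    """Flag POSTs showing all three traits described above: a query string on index.php,
    a 200 answer where a 404 would be expected, and a byte count at least `ratio` times
    the site's typical page (the article saw about 100x). Returns a list of dicts."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        size = int(rec["bytes"]) if rec["bytes"] != "-" else 0
        reasons = []
        if rec["path"].startswith("/index.php?"):
            reasons.append("POST with a query string on index.php")
        if rec["status"] == "200":
            reasons.append("served 200 rather than 404")
        if size >= typical_bytes * ratio:
            reasons.append(f"{size} bytes, at least {ratio}x the typical {typical_bytes}")
        if len(reasons) == 3:
            findings.append({"ip": rec["ip"], "time": rec["time"], "path": rec["path"],
                             "size": size, "reasons": reasons})
    return findings

# Constructed sample lines; 203.0.113.x and 198.51.100.x are documentation addresses, not real clients.
SAMPLE_LOG = [
    'access.log:1:203.0.113.10 - - [27/Jul/2024:20:10:59 +0200] "POST /index.php?s=captcha HTTP/1.1" 200 102292 "https://www.example.com/index.php?s=captcha" "Mozilla/4.0 (compatible; MSIE 8.0)"',
    'access.log:2:198.51.100.7 - - [27/Jul/2024:20:11:03 +0200] "GET /index.php HTTP/1.1" 200 980 "-" "Mozilla/5.0"',
    'access.log:3:198.51.100.8 - - [27/Jul/2024:20:12:40 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'access.log:4:203.0.113.11 - - [27/Jul/2024:20:13:10 +0200] "POST /index.php?s=captcha HTTP/1.1" 404 512 "-" "curl/8.0"',
]
```

Only the first sample line is flagged: the fourth has the same path but was refused with 404, which is what a healthy WordPress should answer. Run it over `grep -h POST access.log` output once you have measured your own typical page size.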

🔍 Identification

  • The hack is sometimes poorly inserted into the articles and is displayed as text in the body of the pages instead of being executed.
  • Most of the time it is invisible; you can check whether your site is affected by searching for «_0x365b», «0x3023» or «function _0x», either via the inspector in your browser's developer console when you visit the site, or via a search in phpMyAdmin.
  • Eset and Avast antivirus software block access to affected sites.
  • Update 31/07/2024 - One of the affected sites is not visible via the developer console. Instead, you need to use the «curl» command line tool to observe the malicious code. This may be due to the site cache.

Here is an example of the malicious code as seen from the developer console:

🌐 Distribution of the hack

By searching for the pattern of the hack on Google and Bing, I found a large number of infected sites. I contacted all the site owners to alert them, advise them to contact their service provider and offer my help if necessary.

  • Out of 40 domains affected, found in France and Belgium, only 2 are not with o2switch - update 30/07/2024: Some sites at OVH, Hostinger and other hosting providers have also been affected, but this is rarer at the moment.
  • Other foreign server providers are affected, but I've found fewer than in France.
  • This suggests a targeted attack on sites hosted on o2switch IPs, which the hacker would have found via public lists that reference them. This type of attack can target any web host, which can do absolutely nothing about it. That's why you need to be proactive about your security.

💡 Causes still uncertain

Here's what we were able to see and deduce by cross-checking information between colleagues:

  • As the hack is insidious, many cases are not diagnosed and detected quickly, but the earliest occurrence appears to have taken place in May of this year. Update 30/07/2024: potentially in July.
  • This does not affect a specific plugin or theme.
  • The Tiger plugin from o2switch doesn't seem to be the cause of the problem either, as sites without this plugin are affected.
  • The sites affected generally appear to be less well maintained than others, but this is the case for most sites, and sites that are fairly well monitored (perhaps not well enough) are also affected.
  • The flaw exploited may have originated in the WordPress core if it was not updated quickly enough.
  • This may be due to the use of an obsolete PHP version defined by the hosting manager (end customer).
  • It's possible that the presence of a second WordPress instance (a dev instance, for example) on the hosting, which isn't up to date, could affect the main instance, due to a lack of isolation (it's the same hosting, the same system user, the same rights, and there doesn't seem to be an open_basedir rule to restrict the directory at PHP level at o2switch).
  • This does not affect the customers of a specific o2switch server, they are spread over several shared servers, and some servers are not affected at all, suggesting a marginal concern (so no server or global host intrusion).
  • There is a tiny probability that an intrusion or a more global hosting flaw has occurred (for example a flaw in a system package that allows hacking), but we have no evidence to verify this and insofar as o2switch has not reported anything, it is more reasonable to think that the problem comes from the end application (WordPress) or the version of PHP used by the end customer.
  • Update 29/07/2024: Finally, it is possible that an Apache web server vulnerability was exploited, either when it had not yet been properly corrected, or because o2switch was too late in updating its software versions. The dates seem to coincide for the most recent hacks. Here again, there is no certainty without an official announcement from the hosting provider.
  • Update 31/07/2024: Vulnerabilities in sub-versions of PHP, particularly in certain revisions of PHP 8.0, could explain the hack. This is consistent with the requests observed, which could cause a buffer overflow and enable code injection. If the host's PHP 8.0 sub-versions are not up to date, this would explain the possibility of the hack. Whatever the case, the customer is at fault if this is the cause, as PHP 8.0 is in any case obsolete and should no longer be used. It is no longer available for selection on LRob hosting.
  • There have been no hacks on LRob hosting.

🔨 Hack repair

Repair involves cleaning up the database by deleting the lines corresponding to the hack pattern. Before any operation, back up your database. Website files do not seem to have been affected by this hack, but as with any hack, a full manual check is always recommended. Remember also to empty the various caches so that the malicious code is also removed.
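The identification markers listed above and the database clean-up described here can be turned into a dry-run script. The following is an added example (my own code, not part of the original post): it looks for the article's three markers in any text (a page fetched with curl or a wp_posts.post_content value), strips only the <script> elements that carry a marker, and flags posts where the code was "poorly inserted" as plain text and therefore needs manual cleaning. The sample rows are constructed and reuse the markers only; they are not the real payload, and writing the cleaned content back to the database is deliberately left to you, after a backup.

```python
import re

# Markers the article gives for this hack; "_0x" names are typical of obfuscated JavaScript.
HACK_MARKERS = ("_0x365b", "0x3023", "function _0x")

# One <script> element with its body; non-greedy so adjacent scripts are matched separately.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

def find_markers(text):
    """Return the known markers present in a page (e.g. fetched with curl) or a post_content value."""
    return [m for m in HACK_MARKERS if m in text]

def clean_post(content):
    """Strip only the <script> elements carrying a marker; other scripts stay untouched.
    Returns (cleaned_content, number_of_scripts_removed)."""
    removed = 0
    def drop(match):
        nonlocal removed
        if find_markers(match.group(0)):
            removed += 1
            return ""
        return match.group(0)
    return SCRIPT_RE.sub(drop, content), removed

def triage_posts(posts):
    """Dry run over (ID, post_content) rows: report every post that carries a marker.
    A post with markers but no removable <script> is the 'poorly inserted' case from the
    identification list, where the code sits as plain text and must be cleaned by hand.
    Review the report (and back up the database) before writing anything back to wp_posts."""
    report = {}
    for post_id, content in posts:
        markers = find_markers(content)
        if not markers:
            continue
        cleaned, removed = clean_post(content)
        report[post_id] = {"markers": markers, "removed": removed, "cleaned": cleaned,
                           "needs_manual_review": removed == 0}
    return report

# Constructed sample rows in the shape of wp_posts (ID, post_content). The script body is a
# stand-in that only reuses the markers; it is not the real payload.
SAMPLE_POSTS = [
    (1, "<p>Bonjour</p><script>var _0x365b=['a','b'];function _0x3023(){}</script>"),
    (2, '<p>Clean post</p><script src="/wp-includes/js/jquery.js"></script>'),
    (3, "<p>Broken insert</p>function _0x1a2b(){return 1;}<p>more text</p>"),
]
```

Post 2 is untouched because its script carries no marker, and post 3 is reported for manual review rather than edited. Remember to purge page and plugin caches afterwards, otherwise the cleaned database is served alongside the cached malicious markup.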

Need help repairing your sites and staying secure in the future? Find out more about my WordPress repair and security as well as my secure WordPress hosting.

If you've got more info, share it in the comments or by PM!

Comments

6 responses to “[Resolved] o2switch customers targeted by insidious WordPress hack - UPDATE: The hosting provider is handling this in an exemplary manner”

  1. Romain

    Thank you Robin for your in-depth investigation!

    It's time to pray to the digital gods:
    O great Zeus, master of the clouds, you who control our data from your celestial servers, we beg you not to let our precious selfies and compromising documents fall into the wrong hands. May your titanium throne keep our secrets warm and our cats cute forever.

    1. Robin Labadie (LRob)

      Haha, thanks to you too for your help and the very useful information!
      If you'd like to be credited in the article it would be my pleasure. 👍

  2. Odile

    Thank you Robin for your help on mef74.fr
    avast antivirus blocked the malware very effectively.
    Apparently some people have had unwanted pop-up ads.
    On IPAD (Safari) I was able to open the site but I didn't notice anything in particular.
    As for the PHP version, it seems that Romain has version 8.1.29
    Should I upgrade to 8.3.9? Is WordPress compatible?
    If the hack comes from a POST to index.php, has one or more accounts been compromised?
    and should passwords be changed?
    In any case, I discovered your site and found it very interesting.
    Odile

    1. Robin Labadie (LRob)

      It's a pleasure, Odile, and I'd especially like to thank your service provider, who was exemplary in his handling of the job. Extremely nice and interesting too.

      Thanks for the Avast info, I'll add it to the article.

      I haven't seen any popups myself, but redirects. The effect is virtually the same (unwanted content is displayed), but the terminology is important: in the case of a popup, it's in a new window or tab, in the case of a redirect, it's the current window that changes site when it arrives at the unwanted destination site. So to be 100% accurate, we're talking about a redirect here.

      The hack was checking whether it was on a smartphone (more likely to be an iPhone, but potentially also Android), so the iPad is not affected because it is a tablet. Again, this may seem subtle, but the difference counts.

      PHP 8.1 is still supported in terms of security. For sure if your site is perfectly up to date with only well supported scripts, you should be able to move to PHP 8.2 or 8.3 without any problem. The differences are relatively minor and most scripts are compatible. Just be careful if you're running an e-commerce site: you'll need to check in more detail, moving from version to version and calmly checking that everything is OK (by examining the site logs and testing the functionalities). Don't hesitate to make the change, and in the event of any problems it's easy to go back, at worst you'll have a page or plugin that won't work but no long-term impact on a version of PHP that's too recent, I've never seen that in 10 years of hosting.

      Finally, as far as I know, the hack did not compromise the sites' data or their user (and administrator) accounts. It simply added a nasty piece of code that redirected users when they visited the site via a smartphone. For good measure, the only password to change would be the MySQL password (technical intervention). This is because the hacker could potentially know it, as it seems to be necessary to perform the hack. The risk is limited because o2switch does not allow remote connection to databases, but this still allows vulnerabilities to be exploited if the hacker knows it and remembers it.

      We look forward to hearing from you.

  3. Cécile

    Hello Robin,
    Great job!
    I myself was affected and not helped too much by o2. I managed a bit on my own, especially as I was one of the first with an up-to-date PHP version (for a long time) and a regularly updated site, protected by Wordfence, with very strong passwords... I called in a dev I knew (but not a WP fan) who had actually managed to find this piece of badly inserted code since it seemed to be visible in hard copy on the pages. I restored the site to a fairly old version to make sure I didn't include anything in the restoration, but I have to admit it's quite stressful. Today, strange behaviour on another of my sites on another server has me fearing another hack (my site was in the bin!!!!). I'm in the process of checking everything again, but I don't know how they got in the first time, so it's hard to do much more, especially as I'm not really a techie.
    That's it, I'll share my experience with others if you'd like, and I'm available if you'd like more information on what happened on my side.

    1. Robin Labadie (LRob)

      Hello Cécile,
      Thanks for your comment.
      Sometimes the code was visible, sometimes not (you had to open the developer console).
      For the 2nd site, we need to see whether the problem is the same or different.
      I'll send you an email to discuss it privately.
