[Solved] o2switch customers targeted by insidious WordPress hack - UPDATE: Hosting company's exemplary handling of the situation

Identification & causes: everything you need to know 👇

Last week, I revealed on LinkedIn a widespread hack affecting owners of WordPress sites hosted by o2switch. As WordPress security experts, and thanks to an investigation among a number of affected and unaffected colleagues, we have been able to find out more.

Updated 07/31/2024 - Summary

According to an internal source, the host is not really to blame. The hypothesis of insufficient maintenance of the hacked sites thus remains the preferred one. Again according to this internal source, the resources put in place by the host to determine the precise origin of the problem are remarkable (a few examples were given to me, and I approve of the strategy). Finally, even if the number of sites impacted may seem high, this must be put into perspective with o2switch's large customer base: the real impact would remain very limited in proportion, and the vast majority of customers should not be impacted by this specific problem.

What's more, on the evening of 07/30/2024, o2switch made a remarkable gesture, very rare in the world of large hosting providers, by cleaning up the hack on the impacted sites. It's a courageous move, and one that surprised me from a hosting company. Indeed, larger hosting providers tend to have the opposite habit, i.e. to leave customers to fend for themselves when the problem comes from the end sites themselves. The host's investment is real here, and earns my utmost respect.

We remind you that in security, the most important thing is prevention: maintain your site with automatic updates, good backups and don't forget to use the latest compatible versions of PHP. If you need help with this, it's my speciality 😉

📄 How the hack works

The hack redirects mobile users to fraudulent sites, notably related to the Ukraine/Russia war, via a URL shortener hosted in the United Arab Emirates.

Technically, it consists of injecting obfuscated JavaScript code into all WordPress posts on the site. It is therefore loaded into pages and posts, and sometimes into other plugins such as cookie plugins, user review plugins, etc.

Here's an overview of the malicious code after de-obfuscation, so that even if you don't speak the language, you'll understand that the action takes place on click and that a random URL is selected according to the "UserAgent", i.e. the browser used:

Additional information 07/31/2024

The request carrying out the hack could be a simple POST request to the site's index.php file, as a log line suggests; it appears to correspond to a successful hack from an American IP (IP and site masked):

Jul-2024:213287:199.195.252.[HIDDEN] - - [27/Jul/2024:20:10:59 +0200] "POST /index.php?s=captcha HTTP/1.1" 200 102292 "https://www.[HIDDEN].en/index.php?s=captcha" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MS-RTC LM 8; InfoPath.3; .NET4.0C; .NET4.0E) chromeframe/8.0.552.224"

Here we see a request of 102292 bytes made on the index, which is 100x higher than usual requests of around 1000 bytes. Especially as this site has no captcha... What's disturbing is that the request results in a 200 code, which means it was accepted and processed without error, whereas a visit to this URL should instead result in a 404 (Not Found) error.
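To work through the log line above, here is an added Python example (it is not from the article and not o2switch's tooling) that parses Apache combined-format lines, including the `file:lineno:` prefix that `grep -n` leaves at the front of the article's line, and flags the features the article points out: a POST to index.php, an `s=captcha` query string, and a 200 response with an unusually large byte count. The 10,000-byte threshold and the second, benign GET line are constructed for the demonstration. One caveat for anyone reproducing this check: in the combined format the number after the status code is the size of the response body sent to the client, and `s` is WordPress's own search parameter, so a 200 for `/index.php?s=captcha` is what WordPress returns for a search for "captcha"; treat the size, the method and the source IP as the stronger signals and review what else that IP requested around the same time.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" log line, optionally prefixed by "file:lineno:" as grep -n prints it
# (the article's line starts with "Jul-2024:213287:"). IPv4 or masked addresses are assumed.
_LOG_RE = re.compile(
    r'^(?:(?P<file>[^\s\[]+?):(?P<lineno>\d+):)?'
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed baseline: flag 200 responses above this many bytes (~10x the ~1000-byte
# responses the article calls usual). Tune it to your own site's median.
SIZE_THRESHOLD = 10_000


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line into a dict; return None for lines that do not match."""
    m = _LOG_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    entry["path"], _, entry["query"] = entry["target"].partition("?")
    return entry


def suspicious(entry: Dict) -> List[str]:
    """Return the reasons an entry matches the pattern described in the article (empty if none)."""
    reasons = []
    if entry["method"] == "POST" and entry["path"].endswith("/index.php"):
        reasons.append("POST to index.php")
    if "s=captcha" in entry["query"]:
        reasons.append("query s=captcha")
    if entry["status"] == 200 and entry["bytes"] > SIZE_THRESHOLD:
        reasons.append(f"200 with {entry['bytes']} bytes")
    return reasons


def scan(lines) -> List[Dict]:
    """Return one report dict per suspicious line: ip, time, request target and reasons."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = suspicious(entry)
        if reasons:
            hits.append({"ip": entry["ip"], "time": entry["time"],
                         "target": entry["target"], "reasons": reasons})
    return hits


# Sample input: the article's log line (IP and site masked as in the article) plus one
# constructed, ordinary GET for a stylesheet.
SAMPLE_LOG = [
    'Jul-2024:213287:199.195.252.[HIDDEN] - - [27/Jul/2024:20:10:59 +0200] "POST /index.php?s=captcha HTTP/1.1" 200 102292 "https://www.[HIDDEN].en/index.php?s=captcha" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MS-RTC LM 8; InfoPath.3; .NET4.0C; .NET4.0E) chromeframe/8.0.552.224"',
    '203.0.113.7 - - [27/Jul/2024:20:11:03 +0200] "GET /wp-content/themes/twentytwentyfour/style.css HTTP/1.1" 200 987 "https://www.example.org/" "Mozilla/5.0 (constructed sample)"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["target"], "->", "; ".join(hit["reasons"]))
```

Feed it the raw access log (or the output of a `grep -n` over it) one line per element; lines that are not in the combined format are skipped rather than guessed at.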

🔍 Identification

  • The hack is sometimes poorly inserted into the articles and is displayed as plain text in the body of the pages instead of being executed.
  • Most of the time it is invisible. You can check whether your site is impacted by searching for "_0x365b", "0x3023" or "function _0x", either in the inspector of your browser's developer console when visiting the site, or via a search in phpMyAdmin.
  • The ESET and Avast antiviruses block access to affected sites.
  • Update 07/31/2024 - On one of the affected sites the malicious code is not visible in the developer console; instead, you need to fetch the page with the "curl" command-line tool to observe it. This may be due to the site's cache.

Here is an example of the malicious code as seen from the developer console:

🌐 Distribution of the hack

Thanks to a search of the hack's pattern on Google and Bing, I found many infected sites. I contacted all the site owners to alert them, advise them to contact their service provider and offer my help if needed.

  • Out of 40 affected domains, found in France and Belgium, only 2 are not with o2switch - update 07/30/2024: Some sites at OVH, Hostinger and other hosting providers are also affected, but more rarely for the moment.
  • Other foreign server providers are affected, but I've found fewer than in France.
  • This suggests a targeted attack on sites present on o2switch IPs, which the hacker would have found via public lists that reference this. This type of attack can target any host, and there's absolutely nothing they can do about it. That's why you need to be proactive in your security.

💡 Causes still uncertain

Here's what we were able to see and deduce by cross-checking information between colleagues:

  • As the hack is insidious, many infections are not diagnosed or detected quickly, but the earliest occurrence seems to have taken place in May - update 07/30/2024: potentially in July.
  • This does not affect a specific plugin or theme
  • So o2switch's Tiger plugin doesn't seem to be the cause of the problem either, as sites without this plugin are also affected.
  • Affected sites generally appear to be less well maintained than others, but this is the case for most sites; and sites that are fairly well monitored (perhaps not well enough) are also affected.
  • The vulnerability exploited may have originated in the WordPress core if it was not updated quickly enough.
  • This may be due to the use of an obsolete PHP version defined by the hosting manager (end customer).
  • It's possible that the presence of a second WordPress instance (a dev instance, for example) in the hosting, which may not be up to date, could rub off on the main instance, due to a lack of isolation (it's the same hosting, the same system user, the same rights, and there doesn't seem to be an open_basedir rule to restrict the directory at PHP level at o2switch).
  • This does not affect customers of a specific o2switch server, as they are spread over several shared servers, and some servers are not affected at all, suggesting a marginal problem (i.e. no server or global host intrusion).
  • There's a tiny probability that a more global intrusion or hosting flaw has occurred (e.g. a flaw in a system package that allows hacking), but we have no evidence to verify this, and since o2switch hasn't reported anything, it's more reasonable to think that the concern comes from the end application (WordPress) or the version of PHP used by the end customer.
  • Update 29/07/2024 - Finally, it is possible that an Apache web server vulnerability was exploited, either when it had not yet been properly corrected, or because o2switch was too late in updating its software versions. The dates seem to coincide for the most recent hacks. Here again, we can't be sure without an official announcement from the hosting provider.
  • Update 31/07/2024 - Vulnerabilities in PHP sub-versions, notably in certain revisions of PHP 8.0, could explain the hack. This is consistent with observed requests that could cause a buffer overflow and enable code injection. If the host's PHP 8.0 sub-versions are not up to date, this would explain the possibility of the hack. In any case, the customer is at fault if this is the cause, as we remind you that PHP 8.0 is obsolete and should no longer be used at all. In fact, it is no longer available for selection on LRob hostings.
  • No hacks on LRob hostings.

🔨 Hack repair

Repair involves cleaning up the database by deleting the lines corresponding to the hack pattern. Before any operation, back up your database. Website files don't seem to have been affected by this hack, but as with any hack, a full manual check is always recommended. Don't forget to purge the various caches, which may still hold the malicious code.
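For the identification bullets above and for the cleanup described here, an added Python example (not the article's code and not a tool from o2switch): it looks for the three indicator strings the article names in any text, whether a page fetched with curl or post_content values exported from wp_posts, and removes whole `<script>` elements that contain them while leaving other scripts untouched. Posts where the indicators appear outside a script element (the "poorly inserted" case, where the code shows as text) are flagged for manual review rather than edited. The sample rows are constructed, the script in post 2 is an inert stand-in rather than the real payload, and the `wp_` table prefix is the WordPress default and may differ on your install. Run it against a backup export first and write cleaned content back only after reviewing the report.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Indicator strings the article gives for this campaign.
INDICATORS = ("_0x365b", "0x3023", "function _0x")

# A complete <script ...>...</script> element; case-insensitive, spanning newlines.
_SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def find_indicators(text: str) -> List[str]:
    """Indicators present in text: a page fetched with curl, or a post_content value."""
    return [ind for ind in INDICATORS if ind in text]


def strip_injected_scripts(post_content: str) -> Tuple[str, int]:
    """Remove every <script> element that contains an indicator; keep all other scripts.
    Returns (cleaned_content, number_of_elements_removed)."""
    removed = 0

    def _replace(match) -> str:
        nonlocal removed
        if find_indicators(match.group(0)):
            removed += 1
            return ""
        return match.group(0)

    return _SCRIPT_RE.sub(_replace, post_content), removed


def triage_posts(rows: Iterable[Tuple[int, str]]) -> Dict[int, Dict]:
    """rows: (ID, post_content) pairs, e.g. the result of
    SELECT ID, post_content FROM wp_posts  (wp_ is the default table prefix; yours may differ).
    Returns a report for every post that carries an indicator. manual_review is True when
    the indicator sits outside a <script> element (the 'poorly inserted' case, shown as text)
    or survives the cleanup, so nothing should be written back automatically for that post."""
    report: Dict[int, Dict] = {}
    for post_id, content in rows:
        hits = find_indicators(content)
        if not hits:
            continue
        cleaned, removed = strip_injected_scripts(content)
        report[post_id] = {
            "indicators": hits,
            "removed": removed,
            "cleaned": cleaned,
            "manual_review": removed == 0 or bool(find_indicators(cleaned)),
        }
    return report


# Constructed sample rows (the script in post 2 is an inert stand-in, not the real payload).
SAMPLE_ROWS = [
    (1, "<p>Welcome to the site.</p>"),
    (2, '<p>Latest news.</p><script>var _0x365b=["constructed","sample"];'
        'function _0x3023(){return _0x365b[0];}</script>'),
    (3, '<p>Contact us.</p><script>console.log("legitimate inline script")</script>'),
    (4, "<p>Broken insertion: &lt;script&gt;function _0x3023(){}&lt;/script&gt; shows as text</p>"),
]

if __name__ == "__main__":
    for post_id, info in triage_posts(SAMPLE_ROWS).items():
        flag = "MANUAL REVIEW" if info["manual_review"] else "cleaned"
        print(f"post {post_id}: {info['indicators']} removed={info['removed']} {flag}")
```

The same `find_indicators` check applied to the HTML returned by curl is the command-line equivalent of the developer-console search, which is what the article recommends when a caching layer hides the code from the browser.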

Need help repairing your sites and staying secure in the future? Find out more about my WordPress repair and security as well as my secure WordPress hosting.

If you've got more info, share it in comments or PM!

Comments

6 responses to "[Solved] o2switch customers targeted by insidious WordPress hack - UPDATE: Hosting company's exemplary handling of the situation"

  1. Thank you Robin for your thorough investigation!

    It's time to pray to the gods of the "digital" world:
    O great Zeus, master of the clouds, you who control our data from your celestial servers, we beg you not to let our precious selfies and compromising documents fall into the wrong hands. May your titanium throne keep our secrets warm and our cats cute forever.

    1. Haha, thanks to you too for the help and the very useful information!
      If you'd like to be credited in the article, I'd be happy to do so. 👍

  2. Odile

    Thank you Robin for your help on mef74.fr
    The Avast antivirus blocked the malware very effectively.
    Apparently some have had unwanted pop-up ads.
    On iPad (Safari) I was able to open the site but didn't notice anything in particular.
    As for the PHP version, it seems that Romain has version 8.1.29
    Should I upgrade to 8.3.9? Is WordPress compatible?
    If the hack comes from a POST on index.php, are one or more accounts compromised
    and should passwords be changed?
    In any case, I've discovered your site and found it very interesting.
    Odile

    1. It's a pleasure, Odile, and I'd especially like to thank your service provider, who was exemplary in his handling of the project. Extremely nice and interesting too.

      Thanks for the info about Avast, I'll add it to the article.

      I didn't see any pop-ups on my side, but redirections. The effect is almost the same (unwanted content is displayed), but the terminology matters: with a pop-up, it appears in a new window or a new tab; with a redirection, the current window switches to another site, landing on the unwanted destination site. So to be 100% exact, we're talking here about a redirection.

      The hack checked whether it was on a smartphone (most likely an iPhone, but potentially Android too), so the iPad isn't affected because it's a tablet. Here again it may seem subtle, but the difference matters.

      PHP 8.1 is still supported in terms of security. If your site is fully up to date with only well-supported scripts, you should be able to move to PHP 8.2 or 8.3 without any problem. The differences are relatively minor and most scripts are compatible. Just be careful with e-commerce: check in more detail, and preferably go from version to version and calmly verify that everything is OK (in particular by examining the site's logs and testing the features). Don't hesitate to make the change; if there's any issue it's easy to go back. At worst you'll have a page or a plugin that doesn't work, but there's no long-term impact from a PHP version that's too recent; I've never seen that in 10 years of hosting.

      Finally, from what I know, this specific hack did not compromise the sites' data or their user (and administrator) accounts at all. It simply added a nasty bit of code that performed this redirection when visiting from a smartphone. As a good measure, the only password to change would be the MySQL password (a technical operation), because the hacker could potentially know it, since it seems necessary to carry out the hack. The risk is limited because o2switch doesn't allow remote connections to databases, but it still allows flaws to be exploited if the hacker knows it and keeps it in memory.

      Looking forward to talking again.

  3. Cécile

    Hello Robin,
    Great job!
    I was affected myself and didn't get much help from o2. I mostly managed on my own, especially as I was among the first, with an up-to-date PHP version (for a long time) and a regularly updated site, protected by Wordfence, with very strong passwords... I called on a developer I know (not a WP fan, though) who did manage to find that bit of badly inserted code, since it was apparently visible in plain text on the pages. I restored the site to a fairly old version to be sure not to carry anything over in the restoration, but I admit it's quite stressful. Today, strange behaviour on another of my sites on another server makes me fear a new hack (my site was trashed!!!!). I'm checking everything again, but I don't know how they got in the first time, so it's hard to do more, especially as I'm really not technical.
    There you go, I'm sharing my experience in case it helps others, and I'm available if you'd like further information about what happened on my side.

    1. Hello Cécile,
      Thanks for your comment.
      Sometimes the code was visible, sometimes not (you had to open the developer console).
      For the 2nd site, we'll have to see if the problem is the same or different.
      I'll send you an email to discuss this privately.
