First edit: OK, I was able to find info on this 0day by searching the email address of the rogue admin user, [email protected], which brought up only 4 search results. The ThePlusAddons plugin for Elementor is to blame (I forgot to mention that I deleted this plugin as well during my investigation into my client’s site). Read more about the vulnerability here.
Also, it’s worth noting that searching for wp-strongs.php brought up over 1,000 results…
Two days ago I got a text from a colleague of a mutual client: “Google Ads is throwing a fit saying the site is infected with malware. Can you take a look?”
Malware? “Weird, I’m on it,” I replied, thinking surely this was some sort of false positive triggered by some directive or firewall rule somewhere. I jumped over to Sucuri’s SiteCheck tool, plugged in the address, and was immediately informed that the site was indeed infected.
“lol wtf?” I thought. But there wasn’t much time to ponder, so I got to work. I’ll spare you the harrowing 5 to 8 minutes of super-dramatic SecOps stuff I had to go through to find and eliminate the problem.
How to get rid of the wp-strongs malware
I’m not sure if I just caught this thing before it had a chance to wreak havoc on the database, or if it’s just bad malware, but nevertheless my search started off in the server logs.
I immediately noticed hundreds of POST requests to the user-new.php file. Weird. I hopped into the WordPress backend, users, and sure enough there was a new admin user. I deleted the rogue admin user, and changed permissions on all other users, plus forced a password update for each one.
Then I changed my password and enabled 2FA just for good measure. Really, though, user security was clearly not the issue, but it never hurts to take those precautions.
Digging further into the logs, I noticed an unusual file name: wp-strongs.php. It appeared to be originating from the mu-plugins folder. Weird! So I went in and deleted it. Easy.
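As an added example (not code from the original post), here is a small Python script that does what the log review above did by hand: it counts POST requests to user-new.php per source IP in an access log, lists any request that touches wp-content/mu-plugins/, and checks the mu-plugins folder for files that are not on an allowlist. The log lines and the allowlist are constructed sample values, not anything from the client’s site.

```python
import re
from collections import Counter
from pathlib import Path

# Constructed sample access-log lines (combined log format); not taken from the post.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:09:12:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:09:12:03 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:09:12:03 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "-" "python-requests/2.25"
198.51.100.4 - - [10/Mar/2021:09:15:40 +0000] "GET /wp-content/mu-plugins/wp-strongs.php?x=1 HTTP/1.1" 200 88 "-" "curl/7.68"
192.0.2.9 - - [10/Mar/2021:09:20:00 +0000] "GET / HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def scan_access_log(lines, post_threshold=2):
    """Flag source IPs that POST to user-new.php at least post_threshold times,
    and collect every request whose path touches wp-content/mu-plugins/."""
    post_counts = Counter()
    mu_hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m.group('path').split('?', 1)[0]  # drop the query string
        if m.group('method') == 'POST' and path.endswith('/wp-admin/user-new.php'):
            post_counts[m.group('ip')] += 1
        if '/wp-content/mu-plugins/' in path:
            mu_hits.append((m.group('ip'), path))
    flagged = {ip: n for ip, n in post_counts.items() if n >= post_threshold}
    return flagged, mu_hits

def unexpected_mu_plugins(filenames, allowlist):
    """Return mu-plugins files that are not on the allowlist of files you put there
    (or that your host documents). Anything else deserves a look."""
    return sorted(name for name in filenames if name not in allowlist)

if __name__ == '__main__':
    flagged, hits = scan_access_log(SAMPLE_LOG.splitlines())
    print('user-new.php POST bursts:', flagged)
    print('mu-plugins requests:', hits)
    # Hypothetical allowlist; replace it with the loader files you actually expect.
    mu_dir = Path('wp-content/mu-plugins')
    names = [p.name for p in mu_dir.iterdir() if p.is_file()] if mu_dir.is_dir() else []
    print('unexpected mu-plugins files:', unexpected_mu_plugins(names, {'index.php'}))
```

Run it against the real access log (for example `scan_access_log(open('access.log'))`) and treat any flagged IP or unexpected mu-plugins file as the starting point for the cleanup described above.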
It’s been a few days now and everything seems to be normal. Of course, I spent the next 12 hours poring over every line in the database trying to find an additional backdoor or something. But nah. Nothin’. Zilch. So far, anyway.
I’ll update this post with more info as I think about it. If I come across anything else regarding this wp-strongs.php shenanigans, I’ll update as well, but so far I haven’t been able to find any real info on this malware on the internet. I didn’t look that hard but you would think it would show up by searching the file name.
My client’s website was hosted on WPEngine, by the way. How it made its way into their “proprietary” must-use plugins is beyond me. I won’t point the finger at anyone just yet, though. We will see how this unfolds.