Malicious Redirects Through Bogus Plugin

Recently we have been seeing a rash of WordPress website compromises in which attackers abuse the plugin upload functionality in the wp-admin dashboard to redirect visitors and website owners to malicious websites. The payload is the following bogus plugin, located here:

./wp-content/plugins/plugs/plugs.php

At first glance the redirect destinations appear to be very unorthodox domains:

hxxp://xn--o1aofd[.]xn--p1ai
hxxp://xn--80ady8a[.]xn--p1ai
hxxp://xn--80adzf[.]xn--p1ai
hxxp://xn--g1aey4a[.]xn--p1ai
hxxp://xn--g1asqf[.]xn--p1ai
hxxp://xn--i1abh6c[.]xn--p1ai

However, they are written in what is known as “punycode”: the xn-- prefix marks an internationalized domain label, and the characters after it are an ASCII encoding of a Unicode name.
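The punycode decoding described above, carried out on the six quoted indicators with a from-scratch RFC 3492 decoder so each step of the format is visible. This is an added example, not code from the original post; it assumes only that the hxxp:// and [.] defanging is reversed before decoding (the stdlib "punycode" codec gives the same result in one call).

```python
# Added example (not from the post): RFC 3492 decoder applied to the quoted IDN indicators.
import unicodedata
# The six defanged indicators exactly as the post lists them ("hxxp://" and "[.]" are defanging).
DEFANGED = [
    "hxxp://xn--o1aofd[.]xn--p1ai", "hxxp://xn--80ady8a[.]xn--p1ai",
    "hxxp://xn--80adzf[.]xn--p1ai", "hxxp://xn--g1aey4a[.]xn--p1ai",
    "hxxp://xn--g1asqf[.]xn--p1ai", "hxxp://xn--i1abh6c[.]xn--p1ai",
]
BASE, TMIN, TMAX, SKEW, DAMP, INITIAL_BIAS, INITIAL_N = 36, 1, 26, 38, 700, 72, 128

def _adapt(delta, numpoints, first):
    """Bias adaptation, RFC 3492 section 6.1."""
    delta = delta // DAMP if first else delta // 2
    delta += delta // numpoints
    k = 0
    while delta > ((BASE - TMIN) * TMAX) // 2:
        delta //= BASE - TMIN
        k += BASE
    return k + (BASE - TMIN + 1) * delta // (delta + SKEW)

def punycode_decode(label):
    """Decode one label whose 'xn--' prefix is already stripped (RFC 3492 section 6.2)."""
    basic, _, ext = label.lower().rpartition("-")  # any plain ASCII run precedes the last '-'
    out, n, i, bias, pos = list(basic), INITIAL_N, 0, INITIAL_BIAS, 0
    while pos < len(ext):
        oldi, w, k = i, 1, BASE
        while True:  # generalized variable-length integer: a-z = 0..25, 0-9 = 26..35
            c, pos = ext[pos], pos + 1
            digit = ord(c) - 97 if c.isalpha() else ord(c) - 48 + 26
            i += digit * w
            t = TMIN if k <= bias else TMAX if k >= bias + TMAX else k - bias
            if digit < t:
                break
            w, k = w * (BASE - t), k + BASE
        bias = _adapt(i - oldi, len(out) + 1, oldi == 0)
        n += i // (len(out) + 1)  # each delta advances the code point and picks an insert slot
        i %= len(out) + 1
        out.insert(i, chr(n))
        i += 1
    return "".join(out)

def decode_indicator(defanged):
    """Refang one indicator; return (ascii_host, unicode_host, set of Unicode scripts used)."""
    host = defanged.replace("hxxp://", "").replace("[.]", ".")
    uhost = ".".join(punycode_decode(l[4:]) if l.startswith("xn--") else l
                     for l in host.lower().split("."))
    scripts = {unicodedata.name(ch).split()[0] for ch in uhost if ch != "."}
    return host, uhost, scripts

for d in DEFANGED:  # xn--p1ai is the Cyrillic ccTLD label; the others are the second-level names
    print("%-20s -> %-12s %s" % decode_indicator(d))
```

Keeping both the ASCII and the decoded form of each host lets a blocklist or log search match whichever representation the browser, proxy or DNS log happens to record.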