In December 2017, Sucuri, a well known security company, reported some malicious campaigns deployed against poorly protected and not updated sites running on WordPress. Security experts discovered that attackers injects malicious scripts that work as a keylogger on hacked sites stealing all the data that users bring into various forms. Of course the most interesting are eCommerce functionalities, allowing hackers to steal the payment details.
Also this malware scripts came along with Coinhive crypto miners, loading a copy of a legitimate ReconnectingWebSocket library.
It was assumed that the campaign was active at least since April 2017, and more than 5,500 websites were affected by hackers.
Today, Sucuri experts have submitted a new security report, according to which the attackers still not stop their hacking operation. Attackers still compromise WordPress websites through poor security or plug-ins, and also exploit bugs in older versions of WordPress.
WordPress Attacked with Keylogger
As we know, every WordPress site has a login form. So, hackers add this code that injects the cloudflare[.]solutions keylogger, hosted on a third-party domain, to the login page. On the frontend, hackers place a browser-based Coinhive miner, which uses all visitors computers mine for the Montero cryptocurrencies.
If first attacks placed their malware on the domain cloudflare.solutions, now the list of domains is filled with cdjs.online, cdns.ws and msdns.online. According to PublicWWW (1,2,3), scripts from these domains are downloaded for more than 2000 sites. However, not all sites are indexed by PublicWWW, so security researchers believe that there are actually more websites affected.
To clean up a website that has been compromised with this infection, you’ll need to remove the malicious code from theme’s functions.php, change all passwords and update all WordPress themes and plugins.