[Solved] o2switch customers targeted by insidious WordPress hack - UPDATE: Hosting company's exemplary handling of the situation

Identification & causes: everything you need to know 👇

Last week, I revealed on LinkedIn a widespread hack of WordPress sites hosted by o2switch. In our capacity as WordPress security experts, and thanks to an investigation among a number of affected and unaffected colleagues, we have been able to find out more.

Updated 07/31/2024 - Summary

According to an internal source, the host is not really to blame. The hypothesis of insufficient maintenance of the hacked sites thus remains the most likely one. Again according to this internal source, the resources put in place by the host to determine the precise origin of the problem are remarkable (a few examples were given to me; I approve of the strategy). Finally, even if the number of sites impacted may seem high, this must be put into perspective with o2switch's large customer base: the real impact would remain very limited in proportion, and the vast majority of customers should not be affected by this specific problem.

What's more, on the evening of 07/30/2024, o2switch made a remarkable gesture, very rare in the world of large hosting providers, by cleaning up the hack on the impacted sites. It's a courageous move, and one that surprised me from a hosting company. Indeed, larger hosting providers tend to have the opposite habit, i.e. to leave customers to fend for themselves when the problem comes from the end sites themselves. The host's investment is real here, and earns my utmost respect.

We remind you that in security, the most important thing is prevention: maintain your site with automatic updates, good backups and don't forget to use the latest compatible versions of PHP. If you need help with this, it's my speciality 😉

📄 How the hack works

The hack redirects mobile users to fraudulent sites, notably related to the Ukraine/Russia war, via a URL shortener hosted in the United Arab Emirates.

Technically, it consists of injecting obfuscated JavaScript code into all WordPress posts on the site. It is therefore loaded into pages and posts, and sometimes into other plugins such as cookie plugins, user review plugins, etc.

Here's an overview of the malicious code after de-obfuscation, so that even if you don't speak the language, you'll understand that the action takes place on click and that a random URL is selected according to the "UserAgent", i.e. the browser used:

Additional information 07/31/2024

The request that triggers the hack could be a simple POST request to the site's index.php file, as a log line suggests. The entry below appears to correspond to a successful compromise from an American IP address (IP and site masked):

Jul-2024:213287:199.195.252.[HIDDEN] - - [27/Jul/2024:20:10:59 +0200] "POST /index.php?s=captcha HTTP/1.1" 200 102292 "https://www.[HIDDEN].en/index.php?s=captcha" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MS-RTC LM 8; InfoPath.3; .NET4.0C; .NET4.0E) chromeframe/8.0.552.224"

Here we see a query of 102292 bytes made on the index, which is 100x larger than usual queries of around 1000 bytes. Especially as this site has no captcha... What's disturbing is that the query results in a 200 code, which means the request was accepted and processed without error, whereas a visit to this URL should instead result in a 404 (Not Found) error.
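As an added example (not code from the post), a small Python scanner that applies the three observations above to Apache combined-format log lines: it parses each line (including the grep-style file:line: prefix seen in the excerpt) and flags a POST to index.php that carries a query string, whose response size is far above the ~1000 byte baseline, and which was answered with a 200. The addresses and hostnames in the sample lines are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Apache "combined" log format, optionally prefixed by grep's "file:line:" marker as in
# the excerpt above. The number after the status code is the response size Apache sent.
LOG_RE = re.compile(
    r'^(?:\S+:\d+:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

@dataclass
class Finding:
    ip: str
    target: str
    size: int
    reasons: List[str]

def check_line(line: str, baseline: int = 1000, factor: int = 20) -> Optional[Finding]:
    """Apply the three traits noted above to one log line: a POST carrying a query
    string to index.php (WordPress serves no captcha there), a response far above
    the ~1000 byte baseline, and an HTTP 200 where a 404 would be expected."""
    m = LOG_RE.search(line)
    if m is None or m["method"] != "POST":
        return None
    path, _, query = m["target"].partition("?")
    size = int(m["size"]) if m["size"] != "-" else 0
    reasons = []
    if path.endswith("index.php") and query:
        reasons.append(f"POST with query string on the front controller: ?{query}")
    if size >= baseline * factor:
        reasons.append(f"response of {size} bytes, at least {factor}x the {baseline} byte baseline")
    if reasons and m["status"] == "200":
        reasons.append("answered with HTTP 200 instead of the expected 404")
    return Finding(m["ip"], m["target"], size, reasons) if reasons else None

def scan(lines: List[str]) -> List[Finding]:
    """Return a Finding for every suspicious line; clean traffic yields nothing."""
    return [f for f in (check_line(l) for l in lines) if f is not None]

# Constructed sample lines: documentation addresses and an .invalid host, not real sites.
SAMPLE_LOG = [
    '203.0.113.10 - - [27/Jul/2024:20:09:12 +0200] "GET /blog/ HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [27/Jul/2024:20:09:40 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'Jul-2024:213287:203.0.113.77 - - [27/Jul/2024:20:10:59 +0200] "POST /index.php?s=captcha HTTP/1.1"'
    ' 200 102292 "https://www.example.invalid/index.php?s=captcha" "Mozilla/4.0 (compatible; MSIE 8.0)"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding.ip, finding.target, finding.size, "; ".join(finding.reasons))
```

Run it over a full access log (one line per list element) to pull out the same kind of entry on your own sites; the thresholds are assumptions you can tune.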

🔍 Identification

  • The hack is sometimes poorly inserted into the articles and is displayed as text in the body of the pages instead of being executed.
  • Most of the time it is invisible; you can check whether your site is affected by searching for "_0x365b", "0x3023" or "function _0x" in the inspector of your browser's developer console when visiting the site, or by searching the database in phpMyAdmin.
  • ESET and Avast antivirus software block access to affected sites.
  • Update 07/31/2024 - On one of the affected sites the code can't be seen via the developer console; instead, you need to use the "curl" command-line tool to observe the malicious code. This may be due to the site's cache.

Here is an example of the malicious code as seen from the developer console:

🌐 Distribution of the hack

Thanks to a search of the hack's pattern on Google and Bing, I found many infected sites. I contacted all the site owners to alert them, advise them to contact their service provider and offer my help if needed.

  • Out of 40 affected domains, found in France and Belgium, only 2 are not with o2switch - update 07/30/2024: Some sites at OVH, Hostinger and other hosting providers are also affected, but more rarely for the moment.
  • Other foreign server providers are affected, but I've found fewer than in France.
  • This suggests a targeted attack on the sites hosted on o2switch IPs, which the hacker would have found via public lists that reference them. This type of attack can target any host, and there's absolutely nothing the host can do about it. That's why you need to be proactive about your security.

💡 Causes still uncertain

Here's what we were able to see and deduce by cross-checking information between colleagues:

  • As the hack is insidious, many cases are not diagnosed and detected quickly, but the earliest occurrence seems to date from May - update 07/30/2024: potentially July.
  • It does not affect a specific plugin or theme.
  • So o2switch's Tiger plugin doesn't seem to be the cause of the problem either, as sites without this plugin are also affected.
  • Affected sites generally appear to be less well maintained than others, but this is the case for most sites; and sites that are fairly well monitored (perhaps not well enough) are also affected.
  • The vulnerability exploited may have originated in the WordPress core if it was not updated quickly enough.
  • This may be due to the use of an obsolete PHP version defined by the hosting manager (end customer).
  • It's possible that the presence of a second WordPress instance (a dev instance, for example) in the same hosting account, which may not be up to date, could contaminate the main instance due to a lack of isolation (it's the same hosting, the same system user, the same rights, and there doesn't seem to be an open_basedir rule at o2switch to restrict the directory at PHP level).
  • This does not affect customers of a specific o2switch server, as they are spread over several shared servers, and some servers are not affected at all, suggesting a marginal problem (i.e. no server or global host intrusion).
  • There's a tiny probability that a more global intrusion or hosting flaw has occurred (e.g. a flaw in a system package that allows hacking), but we have no evidence to verify this and since o2switch hasn't reported anything, it's more reasonable to think that the concern comes from the end-application (WordPress) or the version of PHP used by the end-customer.
  • Update 29/07/2024 - Finally, it is possible that an Apache web server vulnerability was exploited, either when it had not yet been properly corrected, or because o2switch was too late in updating its software versions. The dates seem to coincide for the most recent hacks. Here again, we can't be sure without an official announcement from the hosting provider.
  • Update 31/07/2024 - Vulnerabilities in PHP sub-versions, notably in certain revisions of PHP 8.0, could explain the hack. This is consistent with observed requests that could cause a buffer overflow and enable code injection. If the host's PHP 8.0 sub-versions are not up to date, this would explain the possibility of the hack. In any case, the customer is at fault if this is the cause, as we remind you that PHP 8.0 is obsolete and should no longer be used at all. In fact, it can no longer be selected on LRob hosting.
  • No hacks on LRob hosting.

🔨 Hack repair

Repair involves cleaning up the database by deleting the lines corresponding to the hack pattern. Before any operation, back up your database. Website files don't seem to have been affected by this hack, but as with any hack, a full manual check is always recommended. Don't forget to purge the malicious code from the various caches as well.
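Added example of the repair step in Python (not the post's own tooling): it finds rows whose post_content carries the markers listed under Identification, removes the injected <script> elements, and reports rows where a marker survives outside any script tag, the "poorly inserted" case where the payload shows as text and should be reviewed by hand rather than cut automatically. The sample rows are constructed; on a real site you would read and write wp_posts through your own database access, after the backup the text insists on.

```python
import re
from typing import Dict, Tuple

# Markers the post suggests searching for in the database.
MARKERS = ("_0x365b", "0x3023", "function _0x")

# One <script> element, matched non-greedily so neighbouring scripts are kept apart.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

def is_infected(content: str) -> bool:
    """True when any marker appears anywhere in the post body."""
    return any(marker in content for marker in MARKERS)

def clean_post(content: str) -> Tuple[str, int, bool]:
    """Strip <script> elements that contain a marker, leaving legitimate scripts alone.
    Returns (cleaned content, number of blocks removed, marker still present). The
    last flag is the 'poorly inserted' case: payload present as plain text, so the
    row needs a manual look instead of an automatic cut."""
    removed = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal removed
        if is_infected(m.group(0)):
            removed += 1
            return ""
        return m.group(0)

    cleaned = SCRIPT_RE.sub(repl, content)
    return cleaned, removed, is_infected(cleaned)

def clean_posts(rows: Dict[int, str]) -> Dict[int, Tuple[str, int, bool]]:
    """Apply clean_post to every (ID -> post_content) row that looks infected."""
    return {pid: clean_post(body) for pid, body in rows.items() if is_infected(body)}

# Constructed sample rows standing in for wp_posts.ID / wp_posts.post_content.
SAMPLE_ROWS = {
    1: "<p>Clean article.</p><script>console.log('legit analytics');</script>",
    2: "<p>Hello</p><script>var _0x365b=['a','b'];function _0x3023(){}</script><p>End</p>",
    3: "<p>Broken insert:</p>function _0x365b(){ /* shown as text */ }<p>more</p>",
}

if __name__ == "__main__":
    for pid, (body, removed, leftover) in clean_posts(SAMPLE_ROWS).items():
        print(pid, removed, "manual review" if leftover else "cleaned", body)
```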

Need help repairing your sites and staying secure in the future? Find out more about my WordPress repair and security as well as my secure WordPress hosting.

If you've got more info, share it in comments or PM!

Comments

6 responses to "[Solved] o2switch customers targeted by insidious WordPress hack - UPDATE: Hosting company's exemplary handling of the situation"

  1. Thank you Robin for your thorough investigation!

    It's time to pray to the digital gods:
    O great Zeus, master of the clouds, you who control our data from your celestial servers, we beg you not to let our precious selfies and compromising documents fall into the wrong hands. May your titanium throne keep our secrets warm and our cats cute forever.

    1. Haha, thanks to you too for the help and the very useful info!
      If you'd like to be credited in the article it would be my pleasure. 👍

  2. Odile

    Thank you Robin for your help on mef74.fr
    Avast antivirus blocked the malware very effectively.
    Apparently some have had unwanted pop-up ads.
    On iPad (Safari) I was able to open the site but I didn't notice anything in particular.
    As for the PHP version, it seems that Romain has version 8.1.29
    Should I upgrade to 8.3.9? Is WordPress compatible?
    If the hack comes from a POST on index.php, are one or more accounts compromised?
    and should passwords be changed?
    In any case I discovered your site and found it very interesting.
    Odile

    1. It's a pleasure, Odile, and I'd especially like to thank your service provider, who was exemplary in his handling of the project. Extremely nice and interesting too.

      Thanks for the Avast info, I'll add it to the article.

      I haven't seen any popups myself, but redirects. The effect is virtually the same (unwanted content is displayed), but the terminology is important: in the case of a popup, it's in a new window or tab, in the case of a redirect, it's the current window that changes site when arriving at the unwanted destination site. So, to be 100% exact, we're talking about a redirect here.

      The hack was checking whether it was on a smartphone (more likely an iPhone, but potentially also Android), so the iPad isn't affected because it's a tablet. Again, this may seem subtle, but the difference counts.

      PHP 8.1 is still supported in terms of security. For sure, if your site is perfectly up to date with only well-supported scripts, you should be able to upgrade to PHP 8.2 or 8.3 without any problem. The differences are relatively minor and most scripts are compatible. If you're running an e-commerce site, however, you'll need to check in more detail, moving from version to version and calmly checking that everything's OK (by examining site logs and testing functionalities). Don't hesitate to make the change, and in the event of any problem, it's easy to go back. In the worst case, you'll have a page or plugin that doesn't work, but no long-term impact on a PHP version that's too recent - I've never seen that in 10 years of hosting.

      Finally, as far as I know, the precise hack didn't compromise the sites' data or their user (and administrator) accounts at all. He simply added a nasty piece of code that did this redirection when visiting via a smartphone. For good measure, the only password to change would be the MySQL password (technical intervention). This is because the hacker could potentially know it, as it seems necessary to perform the hack. The risk is limited, as o2switch does not allow remote connection to databases, but this can still be used to exploit loopholes if the hacker knows it and remembers it.

      We look forward to hearing from you.

  3. Cécile

    Hello Robin,
    Great job!
    I myself was affected and not much helped by o2. I managed a bit on my own, especially as I was one of the first with an updated PHP version (for a long time) and a regularly updated site, protected by Wordfence, with very strong passwords... I called in a dev I knew (but not a WP fan) who had actually managed to find this piece of badly inserted code since it seemed to be visible in plain text on the pages. I restored the site to a fairly old version to make sure I didn't include anything in the restoration, but I have to admit it's pretty stressful. Today, strange behavior on another of my sites on another server has me fearing another hack (my site was in the trash !!!!). I'm checking everything again, but I don't know how they got in the first time, so it's hard to do much more, especially as I'm really not a techie.
    I'll share my experience with others if you'd like, and I'm available if you'd like more information on what happened on my side.

    1. Hello Cécile,
      Thanks for your comment.
      Sometimes the code was visible, sometimes not (you had to open the developer console).
      For the 2nd site, we'll have to see if the problem is the same or different.
      I'll send you an email to discuss it privately.
