According to a writeup published last week, there are hundreds if not thousands of websites that have been affected by a piece of malicious software that exploits unpatched vulnerabilities.
Researchers from security firm Dr.Web said that the Linux-based software installs a back door that leads to malicious websites. It's installed by exploiting already-patched vulnerabilities that website owners use to add live chat or metrics reporting to the coreWordPress content management system.
Dr.Web researchers said that if websites use outdated versions of add-ons, they are injected with malicious JavaScripts. Users are diverted to other sites when they click on an attacked page.
More than 1,300 sites contain the Javascript that powers the back door, according to this one search. It is1-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-6556 is1-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-65561-6556 It shows the reach of the software.
The software that was used to exploit:
A malicious Javascript is downloaded from a remote server if one or more vulnerabilities are successfully exploited. When the page is loaded, this Javascript will be initiated first, regardless of the original contents of the page. Whenever users click anywhere on theinfecting page, they will be taken to the website the attackers need users to go to.
Links to a variety of malicious domains can be found in the Javascript.
lobbydesires[.]com letsmakeparty3[.]ga deliverygoodstrategies[.]com gabriellalovecats[.]com css[.]digestcolect[.]com clon[.]collectfasttracks[.]com
Count[.]trackstatisticsss[.]com