avifenis/wordpress-malware-analysis

GitHub: avifenis/wordpress-malware-analysis

Stars: 0 | Forks: 0

# wordpress-malware-analysis

# WordPress Malware Analysis – wp-overhaul-or Backdoor

## Overview

This repository documents the analysis of a malicious WordPress plugin identified during an incident response investigation. The plugin, disguised as a legitimate component named **"WP Overhaul Or"**, was found to contain backdoor functionality enabling stealthy persistence, remote execution, and potential full site compromise.

This project demonstrates skills in:

- Web application security analysis
- WordPress incident response
- Malware behavior identification
- IOC extraction and documentation
- Detection and remediation strategies

## Threat Summary

The analyzed plugin exhibits multiple malicious behaviors:

- Hidden plugin execution and stealth mechanisms
- Unauthenticated AJAX-based execution endpoints
- Obfuscated payload loading routines
- Potential administrative privilege escalation

## Key Findings

### Stealth / Evasion

- Plugin removes itself from WordPress admin visibility
- Hooks into internal plugin listing functions

### Remote Execution (RCE vector)

- Unauthenticated AJAX endpoint registered via:
  - `wp_ajax_nopriv_ove_or`

### Obfuscation

- Custom decoding function used to reconstruct hidden payload paths
- Dynamic code execution via `require_once`

### Persistence

- Designed to remain hidden while maintaining execution capability

## Potential Impact

If deployed in a real environment, this malware could result in:

- Full remote code execution (RCE)
- Creation of unauthorized administrator accounts
- Persistent site compromise
- Installation of additional backdoors
- Data theft or website defacement

## Indicators of Compromise (IOCs)

- `/wp-content/plugins/wp-overhaul-or/wp-overhaul-or.php`
- Function: `xxc()` (obfuscation layer)
- Function: `tyd_ajax_handler()` (execution handler)
- Hook: `wp_ajax_nopriv_ove_or`
- Hooks: `all_plugins`, `pre_current_active_plugins`

## Detection Strategy

This malware can be detected through:

- Comparing the plugins present on the filesystem with those listed in the WordPress admin UI
- Searching for unauthenticated AJAX endpoints (`wp_ajax_nopriv_`)
- Identifying obfuscated PHP patterns (e.g. `chr()`, `ord()`, string reconstruction loops)
- Monitoring for unexpected admin users or privilege changes

## Remediation

Recommended mitigation steps:

1. Remove the malicious plugin files completely
2. Restore WordPress core from a trusted source
3. Rotate all credentials (WP, FTP, database)
4. Audit:
   - `/wp-content/mu-plugins/`
   - `wp-config.php`
   - `.htaccess`
5. Install a Web Application Firewall (WAF)
6. Review all admin users and sessions

## Skills Demonstrated

- Incident Response (IR)
- Malware Analysis (PHP / WordPress)
- Web Security Testing
- Backdoor detection
- IOC extraction
- Defensive security documentation

## Disclaimer

This repository contains **sanitized and non-operational analysis** of malicious behavior for educational and defensive security purposes only. No functional exploit code is included.

## 📁 Repository Structure
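The Detection Strategy section above lists four checks; the script below is an added example that implements the first three (it is not code from this repository). It scans a `wp-content/plugins` tree for the README's indicators (`wp_ajax_nopriv_` handlers, `all_plugins` / `pre_current_active_plugins` hooks, `chr()`/`ord()` obfuscation, `require_once` on a computed path) and reports plugin directories that exist on disk but are missing from the slug list the admin UI shows. The two plugin sources it writes into a temporary directory are constructed for the demo: the suspicious one only reproduces the hook registrations and function names named in the IOC list, with no payload logic, and the admin-visible slug set is likewise made up.

```python
"""Detection helper for the indicators listed in the README.

Added example, not code from the avifenis/wordpress-malware-analysis
repository. Scans a plugins directory for the README's indicators and
compares on-disk plugin slugs with what the admin UI reports.
"""
import re
import tempfile
from pathlib import Path

# Regexes for the indicators named in the Detection Strategy / IOC sections.
INDICATORS = {
    "nopriv_ajax": re.compile(r"add_action\(\s*['\"]wp_ajax_nopriv_\w+['\"]"),
    "stealth_hook": re.compile(
        r"add_filter\(\s*['\"](?:all_plugins|pre_current_active_plugins)['\"]"),
    "obfuscation": re.compile(r"\b(?:chr|ord)\s*\("),
    "dynamic_require": re.compile(r"\b(?:require|include)(?:_once)?\s*\(?\s*\$"),
}


def scan_source(source: str) -> dict:
    """Return {indicator: hit_count} for one PHP source string (empty if clean)."""
    return {name: len(rx.findall(source))
            for name, rx in INDICATORS.items() if rx.search(source)}


def scan_plugins_dir(plugins_dir: Path) -> dict:
    """Walk wp-content/plugins and return {plugin_slug: {indicator: count}}.

    Only plugins with at least one indicator hit are included.
    """
    findings = {}
    for plugin in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        merged = {}
        for php in plugin.rglob("*.php"):
            for name, count in scan_source(php.read_text(errors="replace")).items():
                merged[name] = merged.get(name, 0) + count
        if merged:
            findings[plugin.name] = merged
    return findings


def hidden_plugins(plugins_dir: Path, admin_visible: set) -> set:
    """Slugs present on disk but absent from the admin UI plugin list.

    `admin_visible` is what the Plugins screen (or `wp plugin list`) shows;
    a slug in the difference is being filtered out, e.g. via all_plugins.
    """
    on_disk = {p.name for p in plugins_dir.iterdir() if p.is_dir()}
    return on_disk - admin_visible


# Constructed sample install: a benign plugin and one that mirrors the
# README's indicator set (hook names and function names only; no payload).
BENIGN_PHP = """<?php
/* Plugin Name: Hello Sample (constructed) */
add_action('admin_menu', 'hello_sample_menu');
function hello_sample_menu() { add_menu_page('Hello', 'Hello', 'manage_options', 'hello'); }
"""

SUSPICIOUS_PHP = """<?php
/* Plugin Name: WP Overhaul Or (constructed sample for detection testing) */
add_filter('all_plugins', 'xxc_hide');
add_filter('pre_current_active_plugins', 'xxc_hide');
add_action('wp_ajax_nopriv_ove_or', 'tyd_ajax_handler');
function xxc($s) { return chr(ord($s[0]) + 1); }
function tyd_ajax_handler() { require_once $path; }
"""


def build_sample_install() -> Path:
    """Write the constructed plugins into a temporary wp-content/plugins tree."""
    root = Path(tempfile.mkdtemp()) / "wp-content" / "plugins"
    (root / "hello-sample").mkdir(parents=True)
    (root / "hello-sample" / "hello-sample.php").write_text(BENIGN_PHP)
    (root / "wp-overhaul-or").mkdir()
    (root / "wp-overhaul-or" / "wp-overhaul-or.php").write_text(SUSPICIOUS_PHP)
    return root


def run_demo() -> tuple:
    """Scan the constructed install; returns (findings, hidden_slugs)."""
    plugins_dir = build_sample_install()
    findings = scan_plugins_dir(plugins_dir)
    # Constructed admin UI view: only the benign plugin is listed, because the
    # other one has filtered itself out of all_plugins.
    hidden = hidden_plugins(plugins_dir, {"hello-sample"})
    return findings, hidden


if __name__ == "__main__":
    findings, hidden = run_demo()
    for slug, hits in findings.items():
        print(f"[!] {slug}: {hits}")
    print("[!] on disk but not in admin UI:", sorted(hidden))
```

On a real install, point `scan_plugins_dir` at `wp-content/plugins` (and, for step 4 of the remediation list, at `wp-content/mu-plugins`), and feed `hidden_plugins` the slugs the Plugins screen actually displays; a `wp_ajax_nopriv_` hit on its own is not proof of compromise, since legitimate plugins register unauthenticated AJAX actions too, so treat the combination of a stealth hook plus an unauthenticated handler as the strong signal.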