In recent days, WordPress websites have been displaying unwanted banners at the bottom of the page, which appear 15 seconds after a visitor starts browsing the website. The cause is Cloudflare[.]solutions scripts injected into functions.php; that domain does not belong to Cloudflare.
The malicious script is loaded each time the admin panel is logged into, on both the front end and the backend.
In this case, the second script contains cors.js, which is injected in an encoded format. Once it is decoded, we can see that there are two cdnjs.cloudflare.com URLs with long hexadecimal parameters:
The domain name appears to be a genuine Cloudflare URL, but analyzing https://cdnjs.cloudflare.com/ajax/libs/linter/linter.js shows that it contains linterkey variables.
Further analysis revealed that linter.js contains the real payload as hexadecimal numbers after the question mark in the URLs.
According to Sucuri, this script adds a handler to every input field on the website to send its value to the attacker (wss://cloudflare[.]solutions:8085/) when a user leaves that field.
This payload is capable of keylogging each and every time an admin logs in to their WordPress website.
With this WordPress keylogger, both the username and the password are sent to the cloudflare[.]solutions server even before a user clicks the “Login” button.
The worst part is that if this flow executes successfully on an e-commerce WordPress website, the hacker can access payment-related information.
Mitigation steps for this WordPress Keylogger
- Perform proper pentesting of the WordPress website – Pentesting Checklist
- As we already mentioned, the malicious code resides in the functions.php file of the WordPress theme. You should remove the add_js_scripts function and all the add_action clauses that mention add_js_scripts.
- Given the keylogger functionality of this malware, you should consider all WordPress passwords compromised, so the next mandatory step of the cleanup is changing the passwords (actually, it is highly recommended after any site hack).
- Don’t forget to check your site for other infections too. Many sites with the Cloudflare[.]solutions malware also have injected Coinhive cryptocurrency miner scripts.
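The cleanup steps above can be backed by a quick scan of the theme's functions.php for the indicators this article names. The following Python sketch is an added example, not code from Sucuri or from the original article; the rule labels, the function names `scan_php` and `lines_to_review`, and both sample files are constructed for illustration.

```python
import re

# Indicators named in the article; the rule labels are this example's own.
INDICATORS = {
    "add_js_scripts definition": re.compile(r"function\s+add_js_scripts\s*\("),
    "add_action hook for add_js_scripts": re.compile(
        r"add_action\s*\([^;]*['\"]add_js_scripts['\"]"),
    "cloudflare.solutions reference": re.compile(r"cloudflare\.solutions", re.I),
    "linterkey variable": re.compile(r"linterkey", re.I),
    "coinhive reference": re.compile(r"coinhive", re.I),
}

def scan_php(source):
    """Return (line_number, rule_name) pairs, in line order, for every hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings

def lines_to_review(source):
    """Line numbers the cleanup should inspect, without duplicates."""
    return sorted({lineno for lineno, _ in scan_php(source)})

# Constructed sample of an infected functions.php (not a real capture).
SAMPLE_INFECTED = """<?php
function mytheme_setup() {
    add_theme_support('title-tag');
}
add_action('after_setup_theme', 'mytheme_setup');
function add_js_scripts() {
    echo '<script src="https://cloudflare.solutions/PLACEHOLDER.js"></script>';
}
add_action('wp_head', 'add_js_scripts');
add_action( "admin_head", "add_js_scripts" );
"""

# Constructed sample of a clean functions.php with a similar-looking hook name.
SAMPLE_CLEAN = """<?php
function mytheme_scripts() {
    wp_enqueue_script('mytheme', get_template_directory_uri() . '/js/app.js');
}
add_action('wp_enqueue_scripts', 'mytheme_scripts');
"""

if __name__ == "__main__":
    for lineno, rule in scan_php(SAMPLE_INFECTED):
        print(f"functions.php:{lineno}: {rule}")
```

A hit is a starting point for manual review of the file; a variant that renames the function or encodes the domain would not match these patterns.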