Do not trust those fake domain confirmation emails
If you ever receive a letter of any kind that asks you to create, download or install some PHP code on your website, you must ignore it
Recently some of my clients received strange email letters from their domain registrars. Those letters contain a request to confirm that the clients own their domains. I checked one of those letters and quickly identified it as fraudulent. All the letters follow an identical pattern: a request to create a PHP file in the root folder of the website, with a specific name and the given content. Needless to say, the suggested content for that PHP file contains malicious code known as a backdoor. This kind of code allows the attacker to execute any action they want on a victim’s website.
If you ever receive a letter of any kind that asks you to create, download or install some PHP code on your website, you must ignore it. No exceptions. Even if the letter comes from the president or your mom.
Fraudulent letters appear legitimate because they carry a legitimate From email address. But this is email spoofing. You don’t expect to receive a fake email from your friends or your domain registrar. Right? No! Any email letter can contain any From email address. The vast majority of email servers and email clients do not check or verify the sender address. So you see whatever the hacker wanted you to see. You must not trust any email letter you’ve received from a known sender if the letter contains a request for some suspicious action, like installing code on your website or an application on your computer.
Fake emails usually contain some of the following PHP lines.
FYI: base64_decode, eval and assert are well-known markers of suspicious or malicious PHP code.
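To check whether a file like this has already been placed on a site, the markers above can be searched for across the web root. The following scanner is an added example, not code from this post or from any plugin; the file names and the inert sample content are constructed, and the extension list is an assumption. A hit is a reason to review the file by hand, not proof of compromise.

```python
import os
import re
import tempfile

# Markers named in the post; PHP function names are case-insensitive.
MARKERS = ("base64_decode", "eval", "assert")
CALL_RE = re.compile(r"(?<![\w$])(" + "|".join(MARKERS) + r")\s*\(", re.I)
PHP_EXTS = (".php", ".phtml", ".inc")  # assumption: extensions your server executes


def scan_text(text):
    """Return (line_number, marker) for every marker call found in text."""
    return [(n, m.group(1).lower())
            for n, line in enumerate(text.splitlines(), start=1)
            for m in CALL_RE.finditer(line)]


def scan_tree(root):
    """Walk root and return (relative_path, line_number, marker) for PHP files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTS):
                continue
            path = os.path.join(dirpath, name)
            # errors="replace": obfuscated files are often not valid UTF-8
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            rel = os.path.relpath(path, root)
            findings += [(rel, n, mk) for n, mk in hits]
    return sorted(findings)


def demo():
    """Scan a constructed web root: one clean file, one carrying the markers."""
    samples = {
        "index.php": "<?php\n$evaluate = my_eval(1);\necho 'hello';\n",
        # Constructed, inert sample: the encoded string is just "constructed".
        "verify-domain.php": "<?php\n$c = Base64_Decode('Y29uc3RydWN0ZWQ=');\nEVAL ($c);\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    print("\n".join(f"{rel}:{n}: {mk}()" for rel, n, mk in demo()))
```

Legitimate code also calls these functions, so expect some hits in plugins and themes; a newly created file in the root folder that contains them deserves the closest look.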
See also: Plugin Inspector reveals security issues with other plugins