8 comments

[ 1.2 ms ] story [ 32.2 ms ] thread
I've been hosting a handful of WordPress sites for friends for years. I thought my setup on a shared host was secure enough, until some of them got this Japanese keyword hack. It's a major pain to follow these directions to clean a site out. Enough of a pain that I've been rewriting the sites with another CMS / site builder, with hosting that I don't have to manage.
One of my websites was affected by this. I'm currently doing some work to de-obfuscate the php code.

https://github.com/shiragami/japanese-backdoor/blob/master/o...

Basically what it did: Create a htaccess file to redirect request. Respond differently if client is web-crawlers i.e. seo cloaking. Download a php backdoor. Rewrite sitemap.xml and robots.txt

I'm still not sure what exploit that it uses to gain access.

Probably a vulnerable PHP application (for example, outdated Wordpress plugin) or stolen admin's password.
I've seen this before, but always assumed it was because I'm in Japan - I had no idea it was a world-wide phenomenon.

Anyone know why it's specifically Japanese?

Maybe the creator is Japanese, or at least targeting Japanese shoppers.
I looked through the article in hope to learn about new vulnerability related to Unicode handling but it turned out just a normal vulnearbility in outdated PHP applications. It has no relation to Japanese language.
Comments like yours is the reason I read comments before articles.

Kudos for the service to all the servicemen.

I remember cleaning a couple of client's wordpress sites that were infected with this hack some years ago, during 2015 if I remember correctly, it was hard work. It seems many sites were infected with this kind of spam at the time.