When going on to do some maintenance and updates I noticed 3 new plugins called WordPress Researcher after upgrading to 4.3 (they may have been there before updating). After some research (not much info on it at all!!) I have found it's exactly what I thought, some form of malware created by some arsehole. Basically they have managed to create 4 admin accounts and install these plugins.
From my research it seems like there is no specific way to find out what's been installed or tampered with, and this has potentially infected several sites on the same server.
The plugin author is supposedly wordpressdotorg, linking to wordpress.org.
WordPress Researcher
Activate | Edit | Delete
WordPress research tool.
Version 2.2.4 | By wordpressdotorg | Visit plugin site
The link below is from a blog post on this attack and the person who wrote it seems to think this is a zero-day attack.
http://tacit.livejournal.com/609713.html
Does anyone have any proper information on this? Especially how to COMPLETELY remove all traces and on protecting in the future. The post linked gives some info but I would like an official response.
I am going to remove the 3 plugins and admin accounts, but from what I understand these attackers are managing to log in to people's websites after 1 single attempt without brute forcing.
Clearly there needs to be some additions to WordPress core to save us all. Many users probably won't even realise they have it...
Could someone please help with this?
I have also seen that this attack was referenced to an issue with Jetpack and the 2015 theme allowing this to happen?? We use Jetpack but not 2015.
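A check for the plugin entry quoted in the post above, added here as an example and not part of the original post: it reads plugin file headers from the root of a plugins directory and one level down (first 8 KB of each file) and flags any whose name or author matches the quoted values. The directory and file names in `build_sample_tree` are constructed sample data, and the script covers only plugin headers, not the admin accounts or other changed files.

```python
import os
import re
import tempfile

# Values taken from the plugin list entry quoted in the post.
SUSPECT_NAME = "wordpress researcher"
SUSPECT_AUTHOR = "wordpressdotorg"
FIELDS = ("Plugin Name", "Author", "Version")

def parse_plugin_header(text):
    """Pull header fields out of a plugin file's leading comment block."""
    found = {}
    for field in FIELDS:
        pat = r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$"
        m = re.search(pat, text, re.M | re.I)
        if m:
            found[field] = m.group(1).strip(" \t\r*/")
    return found

def find_suspect_plugins(plugins_dir):
    """Return sorted (relative path, header) pairs matching the indicators."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(plugins_dir):
        if dirpath != plugins_dir:
            dirnames[:] = []  # plugin files live in the root or one level down
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:  # headers sit in the first 8 KB
                header = parse_plugin_header(fh.read(8192).decode("utf-8", "replace"))
            if (header.get("Plugin Name", "").lower() == SUSPECT_NAME
                    or header.get("Author", "").lower() == SUSPECT_AUTHOR):
                hits.append((os.path.relpath(path, plugins_dir), header))
    return sorted(hits, key=lambda h: h[0])

def build_sample_tree(root):
    """Constructed sample data: one matching plugin, one unrelated plugin."""
    samples = {
        "sample-a": "Plugin Name: WordPress Researcher\n * Author: wordpressdotorg\n * Version: 2.2.4",
        "sample-b": "Plugin Name: Example Gallery\n * Author: Example Dev\n * Version: 1.0",
    }
    for slug, header in samples.items():
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, slug + ".php"), "w") as fh:
            fh.write("<?php\n/*\n * " + header + "\n */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_sample_tree(demo)
        for rel, hdr in find_suspect_plugins(demo):
            print(rel, hdr)
```

To run it against a real site, call `find_suspect_plugins` with the path to that site's `wp-content/plugins` directory; an empty result only means no header matched these two values.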