3 Mar 2017

Vulnerability Details: Remote Code Execution (RCE) Vulnerability in Opti SEO

Back in October we discussed spotting a probe for usage of a group of intentionally malicious plugins that someone had created several years ago, and last month we discussed another plugin that looks to be from that set. Recently we have been seeing a lot of requests probing for usage of those plugins, though usually probing for only one of them instead of a large group of them. We also recently had a request for yet another plugin that looks to be part of that set, Opti SEO, which like the others contains a remote code execution (RCE) vulnerability.

In the file /install.php the contents of the POST input “newins” are placed in the file /installed.php, which due to its .php extension will allow PHP code placed in the file to be executed when requested.
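A log check for the behaviour described above, as an added example that is not from the original post: it flags directories where a POST to install.php was served and installed.php in the same directory was also served. The log lines, the `PLUGIN-DIR` placeholder path (a WordPress-style layout is assumed) and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); the plugin
# directory name is a placeholder, the page does not give the real path.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Mar/2017:10:00:01 +0000] "POST /wp-content/plugins/PLUGIN-DIR/install.php HTTP/1.1" 200 12 "-" "-"
203.0.113.5 - - [03/Mar/2017:10:00:03 +0000] "GET /wp-content/plugins/PLUGIN-DIR/installed.php HTTP/1.1" 200 40 "-" "-"
198.51.100.7 - - [03/Mar/2017:10:05:00 +0000] "GET /wp-content/plugins/PLUGIN-DIR/install.php HTTP/1.1" 404 0 "-" "-"
192.0.2.9 - - [03/Mar/2017:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TARGET_RE = re.compile(r'^(?P<dir>.*/)(?P<file>install|installed)\.php(?:\?.*)?$')


def classify(log_text):
    """Return {directory: set of labels} for requests touching the file pair."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = TARGET_RE.match(m["path"])
        if not t:
            continue
        served = m["status"].startswith("2")
        if t["file"] == "install":
            if m["method"] == "POST" and served:
                findings[t["dir"]].add("write-attempt")  # POST reached install.php
            else:
                findings[t["dir"]].add("probe")  # anything other than a served POST
        elif served:
            findings[t["dir"]].add("installed-served")  # installed.php exists and ran
    return dict(findings)


def compromised_dirs(log_text):
    """Directories with both a served POST to install.php and a served installed.php."""
    return sorted(d for d, labels in classify(log_text).items()
                  if {"write-attempt", "installed-served"} <= labels)


if __name__ == "__main__":
    for d, labels in classify(SAMPLE_LOG).items():
        print(d, sorted(labels))
```

A directory carrying only the `probe` label means the file was requested but the write was not observed in these logs; both of the other labels together warrant inspecting the directory on disk.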