On a compromised WordPress website, two distinct malicious files were discovered, each crafted to create a hidden, persistent backdoor. The first, a file named DebugMaster.php, was disguised as a harmless “DebugMaster Pro” plugin. Its contents were heavily obfuscated to hide its true purpose. The second file, wp-user.php, was found masquerading as a legitimate core WordPress file. Though simpler in its code, it was equally dangerous. These two files worked in concert to ensure attackers could maintain unauthorized control of the site, even if their other malware was removed. The main goal of both files was to guarantee that the attackers always had a way to access the site as an administrator.
The DebugMaster.php file functioned as a complex, stealthy backdoor. It created a hidden administrator account with hardcoded credentials and then took steps to conceal its existence from the site owner. It did this by removing itself from the standard plugin listings and filtering user queries to hide the newly created admin account. The file contained code that forced WordPress to create a new user named “help” with administrator privileges. This simple yet effective trick allowed attackers to slip in unnoticed. In addition to creating the user, the malware communicated with an external Command & Control (C2) server to send the details of the newly created admin account, including its username, password, email, and the server’s IP address. This information was encoded and sent to a remote endpoint, immediately giving the attackers access to the new credentials. The destination domain, kickstar-xbloom.info, has since been flagged and blocked by security vendors.
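Because the backdoor filters user queries inside WordPress, the dashboard's Users screen and anything built on WP_User_Query can be lied to. The reliable check is to read the `wp_users` and `wp_usermeta` tables directly (through `wp db query`, a database client, or a dump) and decode the serialized `wp_capabilities` value yourself. The script below is an added example, not code from the incident write-up: the table rows, logins, e-mail addresses and the `siteowner` allowlist are constructed, and the `wp_` table prefix is assumed.

```python
import re

# Constructed sample rows (not data from the incident): a minimal wp_users table
# and the wp_capabilities rows of wp_usermeta, as a database dump would show them.
# The "help" account mirrors the hidden administrator described in the write-up.
WP_USERS = [
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com"},
    {"ID": 2, "user_login": "editor_jane", "user_email": "jane@example.com"},
    {"ID": 7, "user_login": "help", "user_email": "help@example.invalid"},
]

# wp_usermeta rows; the meta_key carries the table prefix (wp_ assumed here).
WP_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 2, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"user_id": 7, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]

# PHP serialize() writes each granted role as  s:<len>:"<role>";b:1;  inside the array.
_ROLE_RE = re.compile(r's:(\d+):"([^"]*)";b:1;')


def roles_from_capabilities(meta_value: str) -> set[str]:
    """Extract role names from a serialized wp_capabilities value.

    A role is accepted only when its declared length matches the string, so a
    truncated or hand-edited value does not yield a bogus role.
    """
    return {role for length, role in _ROLE_RE.findall(meta_value)
            if int(length) == len(role)}


def find_admins(users, usermeta, prefix="wp_"):
    """Logins holding the administrator role, read straight from the rows
    rather than through WP_User_Query, which the malware can filter."""
    caps_by_id = {row["user_id"]: row["meta_value"]
                  for row in usermeta
                  if row["meta_key"] == f"{prefix}capabilities"}
    return sorted(u["user_login"] for u in users
                  if "administrator" in roles_from_capabilities(caps_by_id.get(u["ID"], "")))


def unexpected_admins(users, usermeta, allowlist, prefix="wp_"):
    """Administrators that are not on the site owner's known-good list."""
    return [login for login in find_admins(users, usermeta, prefix)
            if login not in allowlist]


if __name__ == "__main__":
    for login in unexpected_admins(WP_USERS, WP_USERMETA, allowlist={"siteowner"}):
        print(f"unexpected administrator account: {login}")
```

On a live site the two dictionaries would be filled from `SELECT ID, user_login, user_email FROM wp_users` and `SELECT user_id, meta_key, meta_value FROM wp_usermeta WHERE meta_key LIKE '%capabilities'`; run the query outside WordPress so no plugin hook can shape the result.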
While the “DebugMaster Pro” file was a complex backdoor, the wp-user.php file was a simpler but more aggressive threat. Its main function was to ensure a specific admin user with a known password was always present. The script’s logic was robust: it would check for the existence of the “help” username. If the user was found, it would delete that account and immediately recreate it with the attacker’s chosen password. If the user didn’t exist, it would simply create a fresh “help” administrator account. This clever logic ensured that the attacker always had access, even if the site owner discovered and deleted the account. The next time the script executed, it would simply recreate the user, making it incredibly difficult for the site owner to regain full control.
Together, these two files formed a highly persistent and difficult-to-remove system for maintaining access. The DebugMaster.php file acted as the initial stealthy installer and communicator, while the wp-user.php file served as a relentless user re-creator. This dual-threat approach ensured that even if a site administrator managed to remove one file, the other could potentially remain and continue its malicious activity. By creating and maintaining a persistent admin account, the attackers could freely control the site. Their motives could include injecting spam, redirecting visitors to malicious sites, or stealing sensitive information. The use of obfuscation and the impersonation of legitimate files highlight a common tactic attackers use to evade detection and maintain a long-term presence on a compromised server.
The discovery of these files underscores a critical aspect of modern web security: attackers are no longer just looking to breach a site once. They are actively deploying sophisticated backdoors to ensure they have a persistent and undetectable way to regain access. This makes cleanup efforts more challenging, as removing a single malicious file may not be enough. Security professionals must perform thorough audits to uncover all hidden components of an attack. The tactics seen here, including disguised files, communication with C2 servers, and user recreation, are common in advanced persistent threats (APTs) targeting content management systems like WordPress. They serve as a powerful reminder of the importance of regular security scans, file integrity monitoring, and the use of strong security plugins to protect against such multi-layered attacks.
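A thorough audit of the kind recommended above can be partly automated with a static triage pass over the site's PHP files, scoring each one on the behaviours this write-up describes: hooking the plugin list, hooking user queries, creating or deleting users while referencing the administrator role, encoding data and sending it out, and decoding or evaluating obfuscated payloads, plus a file-integrity style check for PHP files in the web root that WordPress core does not ship. The scanner below is an added example, not a tool from the original page. The three sample files, their paths and contents are constructed fragments shaped only as far as needed to trigger the indicators; the `CORE_ROOT_FILES` set is the top-level file list of a standard WordPress install and is assumed to match the version being audited.

```python
import re
from pathlib import PurePosixPath

# Top-level PHP files that a standard WordPress install ships with (assumption:
# adjust for the installed version). Anything else in the web root deserves a look.
CORE_ROOT_FILES = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}

# Each indicator fires only when every pattern in its list matches the file.
# These are heuristics: a hit is a reason to read the file, not proof of malware.
INDICATORS = [
    ("hides_from_plugin_list", [r"add_filter\s*\(\s*['\"]all_plugins['\"]"]),
    ("filters_user_queries",   [r"\b(pre_user_query|pre_get_users|views_users)\b"]),
    ("creates_admin_user",     [r"\b(wp_create_user|wp_insert_user)\s*\(",
                                r"['\"]administrator['\"]"]),
    ("deletes_user",           [r"\bwp_delete_user\s*\("]),
    ("encodes_and_sends",      [r"\bbase64_encode\s*\(",
                                r"\b(wp_remote_post|wp_remote_get|curl_init|file_get_contents)\s*\("]),
    ("obfuscation",            [r"\b(eval|gzinflate|gzuncompress|str_rot13|base64_decode)\s*\("]),
]
COMPILED = [(name, [re.compile(p) for p in pats]) for name, pats in INDICATORS]


def scan_file(path: str, source: str) -> list[str]:
    """Names of the indicators present in one file, in INDICATORS order."""
    hits = [name for name, pats in COMPILED if all(p.search(source) for p in pats)]
    p = PurePosixPath(path)
    # A .php file sitting directly in the web root that core does not ship.
    if len(p.parts) == 1 and p.suffix == ".php" and p.name not in CORE_ROOT_FILES:
        hits.append("unknown_root_php_file")
    return hits


def triage(files: dict[str, str], min_hits: int = 3) -> dict[str, list[str]]:
    """Files reaching min_hits indicators, most suspicious first."""
    flagged = {}
    for path, source in files.items():
        hits = scan_file(path, source)
        if len(hits) >= min_hits:
            flagged[path] = hits
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))


# Constructed sample files (not the files from the incident).
SAMPLES = {
    # An ordinary plugin fragment: registers a settings page and nothing else.
    "wp-content/plugins/contact-widget/contact-widget.php": """<?php
/* Plugin Name: Contact Widget */
add_action('admin_menu', 'cw_register_menu');
function cw_register_menu() {
    add_options_page('Contact', 'Contact', 'manage_options', 'cw', 'cw_page');
}
""",
    # Fragment shaped like the DebugMaster.php behaviour: hides itself, hides a
    # user, creates an administrator, encodes details and posts them, runs an
    # obfuscated payload. Callback bodies and values are deliberately omitted.
    "wp-content/plugins/debugmaster/DebugMaster.php": """<?php
/* Plugin Name: DebugMaster Pro */
add_filter('all_plugins', 'dm_hide_self');
add_action('pre_user_query', 'dm_hide_user');
$uid = wp_create_user('help', $pw);
(new WP_User($uid))->set_role('administrator');
wp_remote_post($endpoint, array('body' => base64_encode(json_encode($details))));
eval(base64_decode($blob));
""",
    # Fragment shaped like wp-user.php: remove the account, then recreate it.
    "wp-user.php": """<?php
if ($existing) { wp_delete_user($existing->ID); }
$uid = wp_create_user('help', $pw);
(new WP_User($uid))->set_role('administrator');
""",
}

if __name__ == "__main__":
    for path, hits in triage(SAMPLES).items():
        print(f"{path}: {', '.join(hits)}")
```

To run this against a real install, replace `SAMPLES` with a walk over the document root that reads each `.php` file with its path relative to that root, and review every flagged file by hand; the threshold of three indicators keeps ordinary plugins out of the list while still catching the small root-level re-creator, which scores on user creation, user deletion and its non-core location.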