Nestor Angulo de Ugarte: The strange case of malicious Favicons [WCGVA 2022] [en]

Live-blogging notes, may contain errors! WordCamp Geneva 2022

A story about being hacked. Clean-up team (blue team).

A few concepts to get on the same page.

Two types of companies, those who have been hacked, and those who don’t yet know they have been hacked.

Hackers (curious person who likes to go beyond limits or conventions) vs. cyberterrorists (computer hacker, aligned to enrich himself in a zero-sum game situation = the bad guy).

How a WP site is infected: there is a vulnerability, somebody discovers it and creates an exploit, injects it (final code; backdoor = worst scenario). => spam, botnode, etc.

Targets: users, database, content, infrastructure, bot net, reputation.

Some facts:

  • site hacking is almost never client-oriented (98%)
  • almost always happens due to deficient monitoring/maintenance
  • an SSL certificate is not an anti-hacking shield
  • patches and security updates almost always appear after hacking exploits
  • errare humanum est
  • security will never be 100%

What measures do we have for infected sites?

  • reactive (incident response), when something bad has already happened – pain mitigation
  • proactive, before anything happens (analysis and monitoring) – risk mitigation

In this case: incident response. Identifying an attack quickly, minimising effects, containing damage… We’ll see how Nestor discovered what had happened and what he did.

[Image: WordPress install in which we can see a few weirdly named folders and a file]

Scenario: spammed site. SEO affected, removed Google Rank ?, rapid reinfection. Viagra ads on site. Then you get warnings on the site… not fun.


  • no WAF (web application firewall) for this website
  • tools cleaned spam and malware in plugins and root folder
  • probable vector of infection, outdated plugin (no forensic analysis at this point)
  • integrity analysis shows some core files are modified! (md5 hashes of WP core files/folders) – using WP API

=> index.php contains an @include to a weird favicon somewhere in a theme. Uses “$ php -a” and unphp. It’s base64 code. Runtime semaphore.
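
A defender-side sketch of the two checks in these notes (core file hashes against reference md5 values, and PHP that includes a "favicon"), as an added example that is not from the talk. The theme path, file names and the `scan`/`build_demo_tree` helpers are hypothetical, and the sample tree is constructed and inert.

```python
import hashlib
import re
import tempfile
from pathlib import Path

ICO_MAGIC = b"\x00\x00\x01\x00"  # first four bytes of a genuine .ico file
# Heuristic: include/require (optionally @-silenced) of a path ending in an image extension.
INCLUDE_IMG = re.compile(
    rb"@?\b(?:include|require)(?:_once)?\b[^;]*?\.(?:ico|png|gif|jpe?g)\b", re.I)

def scan(root, core_md5):
    """Scan a WordPress tree. core_md5 maps relative path -> md5 hex digest
    (assumed to have been obtained from a trusted source for the installed version)."""
    root = Path(root)
    findings = {"modified_core": [], "image_include": [], "fake_icon": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel, data = path.relative_to(root).as_posix(), path.read_bytes()
        expected = core_md5.get(rel)
        if expected and hashlib.md5(data).hexdigest() != expected:
            findings["modified_core"].append(rel)      # core file differs from reference
        if path.suffix.lower() == ".php" and INCLUDE_IMG.search(data):
            findings["image_include"].append(rel)      # PHP pulling in an "image"
        if path.suffix.lower() == ".ico" and (
                not data.startswith(ICO_MAGIC) or b"<?php" in data):
            findings["fake_icon"].append(rel)          # icon that is not an icon
    return findings

def build_demo_tree():
    """Constructed sample data: tampered index.php, one fake and one real icon."""
    root = Path(tempfile.mkdtemp())
    clean_index = b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n"
    files = {
        "index.php": b"<?php\n@include 'wp-content/themes/demo/favicon_ab12cd.ico';\n"
                     + clean_index[6:],
        "wp-blog-header.php": b"<?php\n// loads the WordPress environment\n",
        "wp-content/themes/demo/favicon_ab12cd.ico": b"<?php /* inert placeholder */ ?>",
        "wp-content/themes/demo/favicon.ico": ICO_MAGIC + b"\x01\x00" + bytes(16),
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    core = {name: hashlib.md5(data).hexdigest() for name, data in
            {"index.php": clean_index, "wp-blog-header.php": files["wp-blog-header.php"]}.items()}
    return root, core

if __name__ == "__main__":
    demo_root, demo_core = build_demo_tree()
    for kind, paths in scan(demo_root, demo_core).items():
        print(kind, paths)
```

The include regex only sees literal paths, so an obfuscated include can slip past it; the magic-byte check on the `.ico` file itself does not depend on how the include is written.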

Actually the real backdoor was in the comments of the PHP code. can be useful to make things readable. (slide with various useful tools).


The favicon was in fact a backdoor to connect to a remote server => turning the website into a bot node. 0day ability. Different options included (spam e.g.), tracking of infected sites, bot net dashboard…

Main question: how does reinfection happen? Via a cron job in a user directory (wget): get a file from a malicious domain, make it executable, run the sh script, and there we go.

Final advice: install proactive measures!

  • reduce admins, plugins, and themes (least privilege rule)
  • use password manager, change regularly
  • have backups and validate them!
  • do your updates (remember: patches come after exploits)
  • monitor your site (& file integrity scanner)
  • install a WAF (web application firewall)

Invest in hosting AND security.

WAF: can be external or internal. Wordfence has a WAF. Analyses traffic. Internal can use up resources. With an external one, the traffic has to pass through it. Sounds like the Star Trek transporter decontamination.

Also published on Medium.
