Audit #42 Malicious Closed by wp.org
A previously-undocumented SiteGuarding burner, surfaced by the clean-on-closure hunt and closed in the same 2026-04-07 wave that took down the two documented burners.
The backdoor. speedup-optimization.php defines speedup01_CopyTools(), which builds the target path ABSPATH.'/sjijtjejguarding_tojoljs.php' then str_replace("j","") — resolving to siteguarding_tools.php. It reads classes/tools.gzs, base64_decode()s it, and writes it to WordPress root. The decoded blob is siteguarding_tools.php v2.1 (dated 18 March 2025) — the Leaseweb-era backdoor: IP allowlist 198.7.59.150 / 198.7.59.167 / 198.7.59.168, SITEGUARDING_SERVER = http://www.siteguarding.com/ext/panel_api/index.php, the same embedded RSA private key as the v1.7 sample. The plugin also defines a SITEGUARDING_SPEEDUP firewall config constant (core/firewall.speedup.php / .ini).
Direct tie to audit #26. The pre-clean tree bundles an assets/image-optimizer-x/ directory — image-optimizer-x is @dalielsam's burner from audit #26. This links @charlycharm to the documented burner fleet, not merely to the shared backdoor code.
Shared TTP. The junk-character obfuscation (sjijtjejguarding + str_replace("j","")) is the same technique used by bytedefense (audit #44), which hides the domain as svitevguardvinvgv + str_replace("v",""). Same operator.
Why the IOC scanner missed it. The v2.1 backdoor lives inside classes/tools.gzs (base64), invisible to a .php IOC grep. Only SITEGUARDING_SPEEDUP was visible in PHP, and no rule keyed on it.
Exposure. ~100 active installs. The v2.1 siteguarding_tools.php may persist in WordPress root on sites that ran the plugin.
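To make the two evasion points above concrete (the junk-character str_replace obfuscation and the base64 payload parked in a non-.php file), here is an added Python scanner; it is not part of the audit tooling or the plugin. It de-obfuscates str_replace-stripped string literals, flags non-PHP files whose base64 decodes to PHP, and greps the two code-pattern IOCs from the table; it also handles the bytedefense-style single-character variant. The sample tree, including its PHP loader and payload, is a constructed stand-in modelled on the description above.

```python
import base64
import re
# Constructed sample tree modelled on the dropper the audit describes (not the
# plugin's real files): a junk-character-obfuscated .php loader + base64 payload.
SAMPLE_TREE = {
    "speedup-optimization.php": b"""<?php
define('SITEGUARDING_SPEEDUP', true);
function speedup01_CopyTools() {
    $t = str_replace("j", "", ABSPATH . '/sjijtjejguarding_tojoljs.php');
    file_put_contents($t, base64_decode(file_get_contents('classes/tools.gzs')));
}
$host = str_replace("v", "", "svitevguardvinvgv");  // bytedefense-style variant
""",
    "classes/tools.gzs": base64.b64encode(b"<?php /* constructed stand-in payload */\n"),
}
# Code-pattern IOCs from the audit table; a .php-only grep sees these, not tools.gzs
IOC_CODE_PATTERNS = ("SITEGUARDING_SPEEDUP", "speedup01_CopyTools")
# str_replace("<one char>", "", <expr>): the junk-character de-obfuscation idiom
JUNK_STRIP_RE = re.compile(r'str_replace\(\s*["\'](\w)["\']\s*,\s*["\']["\']\s*,\s*([^)]*)\)')
STR_LIT_RE = re.compile(r'["\']([^"\']+)["\']')

def deobfuscate_junk_strings(php_src):
    """Return (junk_char, literal, cleaned) for every junk-stripped string literal."""
    return [(j, lit, lit.replace(j, "")) for j, subj in JUNK_STRIP_RE.findall(php_src)
            for lit in STR_LIT_RE.findall(subj) if j in lit]

def base64_php_payload(data):
    """If a non-PHP file is pure base64 that decodes to PHP, return the bytes."""
    body = data.strip()
    if len(body) < 16 or not re.fullmatch(rb"[A-Za-z0-9+/=\s]+", body):
        return None
    try:
        decoded = base64.b64decode(body)
    except ValueError:  # bad padding / not really base64
        return None
    return decoded if b"<?php" in decoded[:64] else None

def scan_tree(files):  # files: {relative_path: bytes}; returns (rule, path, detail)
    findings = []
    for path, data in sorted(files.items()):
        if path.endswith(".php"):
            src = data.decode("utf-8", "replace")
            findings += [("ioc_code_pattern", path, p) for p in IOC_CODE_PATTERNS if p in src]
            for junk, lit, clean in deobfuscate_junk_strings(src):
                findings.append(("junk_char_obfuscation", path, f"{lit} -> {clean}"))
        elif (payload := base64_php_payload(data)) is not None:
            findings.append(("base64_php_payload", path, payload[:32].decode("ascii", "replace")))
    return findings
```

Run scan_tree over a dict built from a real plugin directory (path -> bytes) to apply the same three rules to an installed copy.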
Site owners should remediate immediately. Plugin author: see the steps below to clear this label.
If you run speedup-optimization on your site
Verify your install matches the wp.org canonical version:
wp plugin verify-checksums speedup-optimization
A patched build isn't yet published for this audit. Check the security advisories index or remove the plugin until one is available.
Or remove the plugin entirely:
wp plugin deactivate speedup-optimization
wp plugin delete speedup-optimization
Plugins under the same committer's SVN access
charlycharm holds push access to 1 plugin totalling 100 active installs.
IOCs extracted (3)
| Kind | Value | Confidence |
|---|---|---|
| code_pattern | SITEGUARDING_SPEEDUP | high |
| code_pattern | speedup01_CopyTools | high |
| filename | tools.gzs | medium |
Audit #42 — speedup-optimization
- Plugin: speedup-optimization ("Speedup Optimization")
- Active installs: 100+ (at closure — recovered via Wayback 2026-03-16 snapshot)
- Event: #3163 recent_prt_intervention · medium · clean-on-closure hunt 2026-06-14
- Suspect committer / account: charlycharm (display "Speedora", joined 2020-08-05, empty profile)
- Pre-clean trunk: r3423234 (charlycharm, 2025-12-18)
- WP.org cleaning commit: r3500564 (frantorres, 2026-04-07 "Updating speedup-optimization")
- Closed on wordpress.org: 2026-04-07 (empty closed_reason — same day as audits #25/#26)
Verdict
malicious
Attribution
SiteGuarding. Burner @charlycharm; image-optimizer-x asset bundling links to @dalielsam (#26). Cleaning commit by frantorres removed classes/tools.gzs (the v2.1 payload).
IOCs to extract
- kind: code_pattern, value: SITEGUARDING_SPEEDUP, confidence: high
- kind: code_pattern, value: speedup01_CopyTools, confidence: high
- kind: filename, value: tools.gzs, confidence: medium
Cleanup
Delete siteguarding_tools.php from WordPress root and webanalyze/siteguarding_tools.php; remove webanalyze/; block outbound to siteguarding.com, *.siteguarding.com, and 198.7.59.0/24. Follow the full SiteGuarding cleanup checklist.