Attack on WordPress based websites through Duplicator files
In recent hours, many WordPress-based websites have been showing the CMS installation screen instead of their homepage. The cause was a missing wp-config.php file, which had been removed.
Posts about disappearing WordPress files started to appear on social networks.
After analysing several servers, the attack vector turned out to be the files left behind after a site migration with the Duplicator plugin. An example attack log from one website:
184.108.40.206 - - [06/Sep/2018:13:22:24 +0000] "POST /installer.php HTTP/1.1" 200 497 "example.pl/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
220.127.116.11 - - [06/Sep/2018:13:22:24 +0000] "POST /installer-backup.php HTTP/1.1" 200 497 "example.pl/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
18.104.22.168 - - [06/Sep/2018:13:22:25 +0000] "GET /wp-crawl.php?q=ZWNobyAiYmFyYmllZGVuIjs= HTTP/1.1" 200 9 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
22.214.171.124 - - [06/Sep/2018:13:22:26 +0000] "GET /wp-content/uploads/wp-crawl.php?q=ZWNobyAiYmFyYmllZGVuIjs= HTTP/1.1" 200 9 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
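To show how these requests stand out in a standard combined-format access log, here is an added detection example (not code from the original post or from the Duplicator project). It parses constructed sample lines modelled on the excerpt above, flags hits on the installer leftovers and on the non-core wp-crawl.php file, records whether the server actually served them, and decodes the base64 q parameter so an analyst can read it. The log regex and both watch-lists are assumptions of this example.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample lines modelled on the log excerpt in the post (same paths and
# query string; user agent shortened). They are not a real capture.
SAMPLE_LOG = """\
184.108.40.206 - - [06/Sep/2018:13:22:24 +0000] "POST /installer.php HTTP/1.1" 200 497 "example.pl/wp-admin/admin-ajax.php" "Mozilla/5.0"
220.127.116.11 - - [06/Sep/2018:13:22:24 +0000] "POST /installer-backup.php HTTP/1.1" 200 497 "example.pl/wp-admin/admin-ajax.php" "Mozilla/5.0"
18.104.22.168 - - [06/Sep/2018:13:22:25 +0000] "GET /wp-crawl.php?q=ZWNobyAiYmFyYmllZGVuIjs= HTTP/1.1" 200 9 "-" "Mozilla/5.0"
22.214.171.124 - - [06/Sep/2018:13:22:26 +0000] "GET /wp-content/uploads/wp-crawl.php?q=ZWNobyAiYmFyYmllZGVuIjs= HTTP/1.1" 200 9 "-" "Mozilla/5.0"
10.0.0.5 - - [06/Sep/2018:13:25:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# installer.php / installer-backup.php are the Duplicator leftovers named in the post.
INSTALLER_PATHS = {"/installer.php", "/installer-backup.php"}
# wp-crawl.php is the file requested right after the installer POSTs in the post's log;
# it is not a WordPress core file, so any hit on it is worth a look (assumed watch-list).
DROPPED_FILE_NAMES = {"wp-crawl.php"}


def decode_b64_param(value):
    """Best-effort base64 decode of a query value for the analyst; None if it is not base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", errors="replace")
    except ValueError:
        return None


def analyze_log(text):
    """Return one finding dict per suspicious request, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlparse(m["target"])
        name = url.path.rsplit("/", 1)[-1]
        if url.path in INSTALLER_PATHS:
            reason = "Duplicator installer leftover reached"
        elif name in DROPPED_FILE_NAMES:
            reason = "unknown PHP file requested (possible dropped backdoor)"
        else:
            continue
        finding = {
            "ip": m["ip"], "ts": m["ts"], "method": m["method"], "path": url.path,
            "status": int(m["status"]), "reason": reason,
            # a 200 on the installer means the leftover file was present and served
            "served": m["status"] == "200",
        }
        q = parse_qs(url.query).get("q")
        if q:
            finding["decoded_q"] = decode_b64_param(q[0])
        findings.append(finding)
    return findings


def sources(findings):
    """Distinct client IPs behind the findings, for blocking or correlation with other logs."""
    return sorted({f["ip"] for f in findings})


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        extra = f" (q decodes to {f['decoded_q']!r})" if "decoded_q" in f else ""
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} -> {f['reason']}{extra}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a 200 on either installer path is the signal that the leftover file was still reachable at that moment, and the requests that follow it from the same client are where to look for the dropped file.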
An attacker who finds the leftover installer.php (or installer-backup.php) file can upload files such as trojan horses to the server and gain access to the site's files and database. This is a remote code execution flaw, which Wordfence has also confirmed.
The vulnerability is not in the Duplicator plugin itself, but in the files it generates to move the site to another server.
By passing action_ajax=3 as a POST parameter, the attacker can bypass the file verification window and overwrite wp-config.php.
In the next step, the attacker simply visits the attacked site, which loads the wp-config.php file that now contains malicious code.
What do attackers have access to?
If files created by Duplicator during the website migration were left lying around on your server, the attacker has access to all data related to your website.
Sample files left after page migration using Duplicator:
The zip archive contains a copy of all of the site's files, and the .sql file contains the database. After the migration, all of the files mentioned above should be deleted.
How to protect yourself and what to do?
If an archive created by Duplicator has been downloaded, assume the attacker has access to the database and the files of the website. First of all, restore the site from a backup and change all passwords related to it.
After migrating a site with Duplicator, delete all of its files. The plugin itself lets you do this immediately after logging in to the WordPress admin panel.
Click the link: Remove installation Files Now! It is still worth checking that all installation files have actually been removed. In the attack described above, it may have been the case that the files were not deleted due to an error in the plugin.
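To verify that the cleanup actually happened rather than trusting the plugin's removal step, here is an added check script (not code from the original post or from Duplicator) that scans a WordPress document root for leftover migration artifacts, reports whether wp-config.php is still present, and can delete what it finds. It runs against a constructed temporary tree. installer.php, installer-backup.php and the zip/sql pair come from the post; the dup-installer/ directory and the *_archive.zip naming are assumptions about Duplicator's file names.

```python
import fnmatch
import os
import shutil
import tempfile
from pathlib import Path

# Names taken from the post: installer.php, installer-backup.php, the migration .zip and .sql.
# "dup-installer" and the "*_archive.zip" pattern are assumptions about Duplicator's naming.
LEFTOVER_FILE_NAMES = {"installer.php", "installer-backup.php"}
LEFTOVER_TOPLEVEL_GLOBS = ("*_archive.zip", "*.sql")   # checked only at the document root
LEFTOVER_DIR_NAMES = {"dup-installer"}


def find_duplicator_leftovers(docroot):
    """Return docroot-relative paths of migration artifacts still on disk (directories end with '/')."""
    root = Path(docroot)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        at_top = rel == Path(".")
        for d in dirnames:
            if d in LEFTOVER_DIR_NAMES:
                hits.append(f"{rel / d}/")
        for f in filenames:
            if f in LEFTOVER_FILE_NAMES:
                hits.append(str(rel / f))
            elif at_top and any(fnmatch.fnmatch(f, g) for g in LEFTOVER_TOPLEVEL_GLOBS):
                # plugins legitimately ship .sql files deeper in the tree, so globs apply only at the root
                hits.append(str(rel / f))
    return sorted(hits)


def check_site(docroot):
    """Summarise the two things the post's symptoms hinge on: leftovers present, wp-config.php present."""
    return {
        "leftovers": find_duplicator_leftovers(docroot),
        "wp_config_present": (Path(docroot) / "wp-config.php").is_file(),
    }


def remove_leftovers(docroot, dry_run=True):
    """Delete the reported artifacts; with dry_run=True only list what would be removed."""
    root = Path(docroot)
    removed = []
    for rel in find_duplicator_leftovers(root):
        target = root / rel.rstrip("/")
        if not dry_run:
            if rel.endswith("/"):
                shutil.rmtree(target, ignore_errors=True)
            else:
                target.unlink(missing_ok=True)
        removed.append(rel)
    return removed


def build_demo_docroot():
    """Constructed sample tree: a WordPress docroot with the migration files still in place."""
    tmp = Path(tempfile.mkdtemp(prefix="wpdemo_"))
    for rel in ("index.php", "wp-config.php", "installer.php", "installer-backup.php",
                "example_abc123_20180906_archive.zip", "database.sql",
                "wp-content/uploads/2018/09/photo.jpg",
                "wp-content/plugins/some-plugin/schema.sql",   # legitimate plugin file, must not be flagged
                "dup-installer/placeholder.php"):
        (tmp / rel).parent.mkdir(parents=True, exist_ok=True)
        (tmp / rel).write_text("placeholder\n")
    return tmp


def cleanup_demo(docroot):
    """Remove the temporary demo tree."""
    shutil.rmtree(docroot, ignore_errors=True)


if __name__ == "__main__":
    root = build_demo_docroot()
    print("before:", check_site(root))
    remove_leftovers(root, dry_run=False)
    print("after: ", check_site(root))
    cleanup_demo(root)
```

Point the functions at the real document root (for example `check_site("/var/www/html")`) and review the dry-run list before running with `dry_run=False`; a site that reports leftovers but no wp-config.php shows exactly the symptom the post opens with.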
On our servers, these files have been deleted for security reasons.
If you have stored credentials for other services (mail systems, newsletter data, etc.) in WordPress, you also need to change the passwords there.