Attack on WordPress based websites through Duplicator files
In recent hours, many WordPress sites have been showing the installation screen of the CMS instead of their homepage. The cause was a missing wp-config.php file, which had been removed.
Posts about disappearing WordPress files started to appear on social networks.
After analysing several servers, we identified the attack vector as the files left behind after a site migration with the Duplicator plugin. Example of an attack log from one website:
220.127.116.11 - - [06/Sep/2018:13:22:24 +0000] "POST /installer.php HTTP/1.1" 200 497 "example.pl/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
18.104.22.168 - - [06/Sep/2018:13:22:24 +0000] "POST /installer-backup.php HTTP/1.1" 200 497 "example.pl/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
22.214.171.124 - - [06/Sep/2018:13:22:25 +0000] "GET /wp-crawl.php?q=ZWNobyAiYmFyYmllZGVuIjs= HTTP/1.1" 200 9 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
126.96.36.199 - - [06/Sep/2018:13:22:26 +0000] "GET /wp-content/uploads/wp-crawl.php?q=ZWNobyAiYmFyYmllZGVuIjs= HTTP/1.1" 200 9 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
Using the leftover installer.php (or installer-backup.php) file, an attacker can upload, for example, Trojan horses to the server and gain access to the files on the server and to the database. This is a Remote Code Execution flaw, which was also confirmed by Wordfence.
The vulnerability itself is not in the Duplicator plugin but in the files it generates to move the site to another server.
By passing the value action_ajax=3 as a POST parameter, the attacker can bypass the file verification step and overwrite wp-config.php.
In the next step, it is enough to visit the attacked site for the wp-config.php file, which now contains malicious code, to be loaded.
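To turn the log excerpt above into something a hosting admin can run over their own access logs, here is an added detection script (my code, not the plugin's or the post author's): it flags successful POSTs to the leftover installer files and the follow-up requests to the dropped wp-crawl.php file, decoding the base64 "q" parameter so an analyst can see what was sent. The log format regex and the sample lines (the four requests from the post plus one benign request) are constructed for this example.

```python
import re
from base64 import b64decode
from urllib.parse import urlsplit, parse_qs

# Combined log format as in the lines quoted in the post (regex written for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Installer files Duplicator leaves behind; a 200 on a POST means the installer still answers.
INSTALLER_PATHS = {"/installer.php", "/installer-backup.php"}
# File name seen in the follow-up requests in the post; extend this set for your own logs.
DROPPED_FILE_NAMES = {"wp-crawl.php"}

def classify(line):
    """Return a finding dict for a suspicious request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if m["method"] == "POST" and url.path in INSTALLER_PATHS and m["status"] == "200":
        return {"ip": m["ip"], "path": url.path, "kind": "installer_reachable", "detail": ""}
    if url.path.rsplit("/", 1)[-1] in DROPPED_FILE_NAMES:
        q = parse_qs(url.query).get("q", [""])[0]
        try:  # the post shows the parameter base64-encoded; decode it for the analyst
            detail = b64decode(q, validate=True).decode("utf-8", "replace")
        except (ValueError, UnicodeError):
            detail = q  # not valid base64: keep the raw value
        return {"ip": m["ip"], "path": url.path, "kind": "dropped_file_probe", "detail": detail}
    return None

def scan(lines):
    """Run classify() over an iterable of log lines and return the findings in order."""
    return [f for f in map(classify, lines) if f]

# Constructed sample: the four requests quoted in the post plus one benign request.
SAMPLE_LOG = [
    '220.127.116.11 - - [06/Sep/2018:13:22:24 +0000] "POST /installer.php HTTP/1.1" 200 497 "example.pl/wp-admin/admin-ajax.php" "Mozilla/5.0"',
    '18.104.22.168 - - [06/Sep/2018:13:22:24 +0000] "POST /installer-backup.php HTTP/1.1" 200 497 "example.pl/wp-admin/admin-ajax.php" "Mozilla/5.0"',
    '22.214.171.124 - - [06/Sep/2018:13:22:25 +0000] "GET /wp-crawl.php?q=ZWNobyAiYmFyYmllZGVuIjs= HTTP/1.1" 200 9 "-" "Mozilla/5.0"',
    '126.96.36.199 - - [06/Sep/2018:13:22:26 +0000] "GET /wp-content/uploads/wp-crawl.php?q=ZWNobyAiYmFyYmllZGVuIjs= HTTP/1.1" 200 9 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [06/Sep/2018:13:23:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any "installer_reachable" hit means the migration files were still on the server at that time, which is exactly the condition the rest of this post tells you to eliminate.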
What do attackers have access to?
If the files created by Duplicator during a website migration were left on your server, the attacker has access to all data related to your website.
Sample files left after page migration using Duplicator:
The zip archive contains a copy of all the site's files, and the .sql file contains the database. After migration, all of the above files should be deleted.
How to protect yourself and what to do?
If an archive created by Duplicator has been downloaded, the attacker should be assumed to have access to the website's database and files. First of all, restore the site from a backup and change all passwords related to it.
After migrating a site using Duplicator, delete all of its files. The plugin itself allows you to do this right after logging in to the WordPress admin panel.
Click on the link: Remove Installation Files Now! It is still worth checking that all installation files have actually been removed. In the attack described above, it may have been that the files were not deleted due to an error in the plugin.
On our servers, these files have been deleted for security reasons.
If you have stored credentials for other services, such as mail systems or newsletter data, in WordPress, you also need to change the passwords there.