We’re seeing an increase in the number of cases where attackers are disabling WordPress sites by removing or rewriting its wp-config.php file.
These cases are all linked to the same vulnerable software: WordPress Duplicator Plugin.
Versions lower than 1.2.42 of Snap Creek Duplicator plugin are vulnerable to a Remote Code Execution attack, where the malicious visitor is able to run any arbitrary code on the target site. More information about this vulnerability has been released by synacktiv.com.
A similar a vulnerability also exists on Duplicator (versions up to 1.2.30), as described here.
Scope & Impact
Despite the fact that this plugin has currently over 1 million active installations and the developers have reported over 10 million downloads, not all Duplicator users are at risk.
The following conditions must be met in order to enable the attack:
- The installer.php file must have been generated by Duplicator plugin
- The installer.php file must be left on the site’s root folder
- The installer version must be older than 1.2.42
Generally speaking, the issue is due to incorrectly sanitized variables in the old version of the Duplicator plugin.
The first vulnerability was fixed in 2017, but we are still seeing these old versions of installer.php in site root folders. However, the second vulnerability was only fixed recently on August 24th, 2018.
In both cases, the vulnerable file is left on the server after using the plugin. What this means is that despite having the actual fixed plugin version installed, you could still have outdated and vulnerable installer.php in the root of your WordPress site. This file should be removed immediately.
It’s hard to tell why the wp-config.php files are removed or voided, breaking the site. We can only speculate that it was a failed attempt to tamper with it. In several related cases, there was also a variety of backdoors present on the attacked server.
Whether these backdoors are added by attackers abusing this vulnerability, or through different infection vectors needs to be confirmed. The only fix in case of a broken site is to recreate the wp-config.php file with the correct DB login credentials.
We’re constantly monitoring the situation looking for any malware using this infection vector and adding detection for any previously unseen malware coming through this “door”.
However, to eliminate the risk of attack, you can check your site’s root folder and remove the installer.php file. This is not a vital site file and just a leftover after site migration.
This is also our general advice for the future: Don’t store any old/unused files in your live site folder. This includes backups. Store them outside of your live site’s folder instead. Any inactive files are a potential entry point for the attacker and therefore considered a risk.
If you believe your website has been compromised by this attack, we can help. Stay safe.
Special thanks to Luke Leal for his contributions and research for this post.