• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Outdated Duplicator Plugin RCE Abused

September 14, 2018Peter GramantikEspanolPortugues

FacebookTwitterSubscribe

We’re seeing an increase in the number of cases where attackers are disabling WordPress sites by removing or rewriting its wp-config.php file.

These cases are all linked to the same vulnerable software: WordPress Duplicator Plugin.

Duplicator Plugin
Versions lower than 1.2.42 of Snap Creek Duplicator plugin are vulnerable to a Remote Code Execution attack, where the malicious visitor is able to run any arbitrary code on the target site. More information about this vulnerability has been released by synacktiv.com.

A similar a vulnerability also exists on Duplicator (versions up to 1.2.30), as described here.

Scope & Impact

Despite the fact that this plugin has currently over 1 million active installations and the developers have reported over 10 million downloads, not all Duplicator users are at risk.

The following conditions must be met in order to enable the attack:

  • The installer.php file must have been generated by Duplicator plugin
  • The installer.php file must be left on the site’s root folder
  • The installer version must be older than 1.2.42

Generally speaking, the issue is due to incorrectly sanitized variables in the old version of the Duplicator plugin.

The first vulnerability was fixed in 2017, but we are still seeing these old versions of installer.php in site root folders. However, the second vulnerability was only fixed recently on August 24th, 2018.

In both cases, the vulnerable file is left on the server after using the plugin. What this means is that despite having the actual fixed plugin version installed, you could still have outdated and vulnerable installer.php in the root of your WordPress site. This file should be removed immediately.

It’s hard to tell why the wp-config.php files are removed or voided, breaking the site. We can only speculate that it was a failed attempt to tamper with it. In several related cases, there was also a variety of backdoors present on the attacked server.

Whether these backdoors are added by attackers abusing this vulnerability, or through different infection vectors needs to be confirmed. The only fix in case of a broken site is to recreate the wp-config.php file with the correct DB login credentials.

Mitigation

We’re constantly monitoring the situation looking for any malware using this infection vector and adding detection for any previously unseen malware coming through this “door”.

However, to eliminate the risk of attack, you can check your site’s root folder and remove the installer.php file. This is not a vital site file and just a leftover after site migration.

This is also our general advice for the future: Don’t store any old/unused files in your live site folder. This includes backups. Store them outside of your live site’s folder instead. Any inactive files are a potential entry point for the attacker and therefore considered a risk.

If you believe your website has been compromised by this attack, we can help. Stay safe.

Special thanks to Luke Leal for his contributions and research for this post.

FacebookTwitterSubscribe

Categories: Vulnerability Disclosure, Website Malware Infections, Website Security, WordPress SecurityTags: Hacked Websites, Website Backdoor, WordPress Plugins and Themes

About Peter Gramantik

Peter Gramantik is Sucuri’s Sr. Malware Researcher who joined the company in 2013. Peter’s main responsibilities include crafting signatures for new malware, and improving existing and researching new detection techniques. His professional experience covers 15 years of fighting malware. When Peter isn’t researching malware, you might find him doing technical and cave dives, riding his Harley Davidson, playing the guitar and singing in a band, or cooking BBQ for his family and friends. Connect with Peter on Twitter.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.