Hackers Target Websites with Fresh WordPress Installs.
In recent months, SonicWall Threat Research Labs received reports of attackers targeting newly installed WordPress sites. Attackers search for the following phrases:
- Setup Configuration File
If both phrases exist, it is likely that the site has WordPress installed but has not yet been configured. In fact, a Google search for the above turns up many vulnerable sites.
Once the attacker has control over the WordPress website running in the target server, the attacker can do any of the following:
- Use the WordPress website for hosting malware, exploit kits, etc.
- Use the WordPress website as a launching pad to attempt control of the server. This can be done by executing specially crafted PHP scripts.
If an attacker finds your fresh install, they can easily click through the first two steps and then enter their own database server information in this final step. Their database can be on their own server, and it does not have to contain any data; it can simply be an empty database. They just need to get a working WordPress installation running on your site that they have admin access to.
Once this step is complete, WordPress confirms that it can communicate with the database – in this case, the attacker’s database:
Recommendations for Server Administrators and Hosting Providers
If you operate a server or a network of servers that provides WordPress hosting to customers, we recommend the following to mitigate this attack:
Scan your hosting accounts for WordPress installations that do not have a wp-config.php. These may be fresh installations that have not yet completed setup. If navigating to the base URL of the site redirects you to /wp-admin/setup-config.php, you have confirmation that setup is incomplete. We suggest you alert your customers that they should either complete setup or remove the files.
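The scan above can be automated. The following is an added example written for this page, not SonicWall's or the WordPress project's code: it walks a hosting document root, treats any directory holding the WordPress core files wp-settings.php and wp-load.php as a site root, and reports those without a wp-config.php (WordPress also accepts wp-config.php one directory above the site root, so that location is checked too). A second helper classifies the HTTP response of a request to the site's base URL, since a fresh install answers with a redirect to /wp-admin/setup-config.php. The directory names and the sample layout built by `build_sample_docroot` are constructed for the demonstration.

```python
import os
import tempfile
from typing import List, Optional

# WordPress core ships these two files in the site root; wp-config.php is only
# written once the setup wizard has completed, so core files without it
# indicate an unfinished install that anyone can finish.
CORE_MARKERS = ("wp-settings.php", "wp-load.php")
CONFIG_FILE = "wp-config.php"
SETUP_PATH = "/wp-admin/setup-config.php"


def find_incomplete_installs(docroot: str) -> List[str]:
    """Return WordPress site roots under docroot that have no wp-config.php."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        names = set(filenames)
        if all(marker in names for marker in CORE_MARKERS):
            # wp-load.php also looks for wp-config.php in the parent directory,
            # so a config there means the site is configured after all.
            parent_cfg = os.path.join(os.path.dirname(dirpath), CONFIG_FILE)
            if CONFIG_FILE not in names and not os.path.isfile(parent_cfg):
                hits.append(dirpath)
            # A site root has been classified; no need to walk wp-content etc.
            dirnames[:] = []
    return sorted(hits)


def setup_incomplete_from_response(status: int, location: Optional[str]) -> bool:
    """True when a request to the base URL redirects to the setup wizard."""
    redirect_codes = {301, 302, 303, 307, 308}
    return status in redirect_codes and location is not None and SETUP_PATH in location


def build_sample_docroot() -> str:
    """Constructed sample layout: one configured site, one fresh install, one non-WordPress site."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    for site, configured in (("configured.example", True), ("fresh.example", False)):
        site_dir = os.path.join(root, site, "public_html")
        os.makedirs(os.path.join(site_dir, "wp-admin"))
        for marker in CORE_MARKERS:
            open(os.path.join(site_dir, marker), "w").close()
        if configured:
            open(os.path.join(site_dir, CONFIG_FILE), "w").close()
    plain = os.path.join(root, "plain.example", "public_html")
    os.makedirs(plain)
    open(os.path.join(plain, "index.php"), "w").close()
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    for site_root in find_incomplete_installs(root):
        print("setup incomplete:", site_root)
    print(setup_incomplete_from_response(302, "https://fresh.example" + SETUP_PATH))
```

Run it against the real document root (for example `/var/www` or `/home`) instead of the constructed sample; each reported path is a candidate to confirm with a request to the site's base URL before notifying the customer.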
If you have an IDS (intrusion detection system), you should consider monitoring traffic from your web servers to the open Internet for any MySQL traffic (TCP port 3306 by default). Such traffic may indicate that an attacker has configured a WordPress site on your network using their own database on the Internet.
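The detection described above, as an added example that is not part of the original article: it reads connection records in a constructed whitespace-separated format (timestamp, source IP, source port, destination IP, destination port, protocol), and flags any connection from a web-server subnet to MySQL's default port 3306 whose destination lies outside the networks where your database servers are known to live. The subnets, IP addresses and log lines are all constructed for the demonstration.

```python
import ipaddress
from typing import Dict, Iterable, List

# MySQL's default port; extend this set if your environment uses others.
MYSQL_PORTS = {3306}

# Constructed sample: web tier lives in 10.20.1.0/24, database tier in 10.20.5.0/24.
WEB_SERVER_NETS = [ipaddress.ip_network("10.20.1.0/24")]
ALLOWED_DB_NETS = [ipaddress.ip_network("10.20.5.0/24")]

# Constructed connection records (timestamp src_ip src_port dst_ip dst_port proto).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.20.1.15 51234 10.20.5.10 3306 tcp
2024-05-01T10:00:02Z 10.20.1.15 51240 203.0.113.5 3306 tcp
2024-05-01T10:00:03Z 10.20.1.16 51300 198.51.100.22 443 tcp
2024-05-01T10:00:04Z 10.20.9.9 51301 203.0.113.5 3306 tcp
"""


def in_any(ip: ipaddress._BaseAddress, nets) -> bool:
    return any(ip in net for net in nets)


def parse_record(line: str) -> Dict[str, object]:
    ts, src, sport, dst, dport, proto = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "sport": int(sport),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto,
    }


def detect_outbound_mysql(lines: Iterable[str], web_nets=WEB_SERVER_NETS,
                          allowed_db_nets=ALLOWED_DB_NETS) -> List[Dict[str, object]]:
    """Return records where a web server talks MySQL to a host outside the DB tier."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["proto"] != "tcp" or rec["dport"] not in MYSQL_PORTS:
            continue
        if not in_any(rec["src"], web_nets):
            continue  # only the web tier is in scope for this rule
        if in_any(rec["dst"], allowed_db_nets):
            continue  # expected web-to-database traffic
        alerts.append(rec)
    return alerts


if __name__ == "__main__":
    for a in detect_outbound_mysql(SAMPLE_LOG.splitlines()):
        print(f"{a['ts']} web server {a['src']} -> external MySQL {a['dst']}:{a['dport']}")
```

In the sample, only the second record fires: the first is legitimate traffic to the database tier, the third is HTTPS rather than MySQL, and the fourth originates outside the web tier. Feed the same rule with your own flow or firewall export and adjust the two subnet lists to match your environment.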
If you have any other mechanisms in place to monitor or prevent connections from your web servers to arbitrary databases on the open Internet, we recommend you use those to mitigate this attack.