PINDROP BLOG

Attackers Compromising Fresh WordPress Installs

Attackers are scanning for new WordPress installations that have not yet been configured, compromising them, and then using that access to take over entire sites.

The attacks have been going on since May, and researchers have seen many IP addresses that are typically engaged in other attack campaigns joining this one as well. Using automated tools, the attackers scan the web for a specific URL string that indicates a site has a new WordPress installation that has not yet been configured. The attackers then go through WordPress's guided setup process, which involves selecting a default language and then entering a username, password, and database location.

“If the attacker finds that URL and it contains a setup page, it indicates that someone has recently installed WordPress on their server but has not yet configured it. At this point, it is very easy for an attacker to take over not just the new WordPress website, but the entire hosting account and all other websites on that hosting account,” Mark Maunder of Wordfence said in a post explaining the attacks.

“If an attacker finds your fresh install, they can easily click through the first two steps and then enter their own database server information in this final step. Their database can be on their own server, and it doesn’t have to contain any data – it can simply be an empty database. They just need to get a working WordPress installation running on your site that they have admin access to. Once this step is complete, WordPress confirms that it can communicate with the database – in this case, the attacker’s database.”

Once that’s accomplished, the attacker can create an admin account on the WordPress server and then finish the installation. The attacker then has complete control of the installation and can upload malicious plugins, insert malicious code into pages, and take any other actions he chooses. At that point, it’s game over for the victim.

“Once an attacker can execute code on your site, they can perform a variety of malicious actions. One of the most common actions they will take is to install a malicious shell in a directory in your hosting account. At that point they can access all files and websites on that account. They can also access any databases that any WordPress installation has access to, and may be able to access other application data,” Maunder said.

A large percentage of WordPress installations run at hosting providers, and Maunder recommended that providers scan their networks for installations that don't have a config file. He also said hosting companies that have intrusion detection systems set up should use them to look for MySQL traffic from their web servers to the public Internet.

“This may indicate an attacker has configured a WordPress site on your network using their own database on the Internet,” he said.
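The two checks Maunder recommends, a filesystem sweep for unconfigured installs and a flow rule for MySQL leaving the web tier, can both be scripted by the hosting operator. The following is an added example written for this post; it is not Wordfence's or Pindrop's code. It assumes a WordPress directory can be recognised by the wp-config-sample.php file that ships with WordPress, that a configured install has wp-config.php either beside it or one directory above (a placement WordPress supports), and that connection records arrive as "source destination port" lines; the sample tree, flow records, web-server list and internal address ranges are all constructed for the demonstration.

```python
"""Defender-side checks for the fresh-install takeover described above.

Added example, not code from Wordfence or Pindrop. Assumptions:
  * wp-config-sample.php marks a WordPress directory (it ships with WordPress);
  * a configured install has wp-config.php in that directory or one level up;
  * flow records look like "<src_ip> <dst_ip> <dst_port>" (constructed format,
    real sensors and IDS exports will differ).
"""
import ipaddress
import os
import tempfile

WP_MARKER = "wp-config-sample.php"   # present in every WordPress release
WP_CONFIG = "wp-config.php"          # written once the guided setup completes
MYSQL_PORT = 3306

# Constructed inventory: which hosts are web servers, and which ranges are ours.
WEB_SERVERS = {"10.0.1.10", "10.0.1.11"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed flow records, one per line: src dst dst_port.
SAMPLE_FLOWS = [
    "10.0.1.10 10.0.2.5 3306",        # web server -> in-house database: normal
    "10.0.1.10 198.51.100.77 3306",   # web server -> MySQL outside our nets: suspicious
    "10.0.1.11 203.0.113.9 443",      # web server -> outside HTTPS: not MySQL, ignore
    "10.0.3.40 203.0.113.9 3306",     # not a web server: out of scope for this rule
]


def find_unconfigured_installs(root):
    """Return WordPress directories under root that have no wp-config.php.

    A directory counts as configured if wp-config.php sits beside the marker
    file or in the parent directory (WordPress looks in both places).
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if WP_MARKER not in filenames:
            continue
        parent_cfg = os.path.join(os.path.dirname(dirpath), WP_CONFIG)
        if WP_CONFIG not in filenames and not os.path.exists(parent_cfg):
            hits.append(dirpath)
    return sorted(hits)


def suspicious_mysql_flows(records, web_servers, internal_nets):
    """Return (src, dst) pairs where a web server speaks MySQL to an address
    outside the operator's own ranges, the pattern the post describes."""
    flagged = []
    for line in records:
        src, dst, port = line.split()
        if src not in web_servers or int(port) != MYSQL_PORT:
            continue
        dst_ip = ipaddress.ip_address(dst)
        if not any(dst_ip in net for net in internal_nets):
            flagged.append((src, dst))
    return flagged


def build_sample_tree(root):
    """Constructed fixture: three WordPress directories in different states."""
    layout = {
        "site-a": [WP_MARKER, WP_CONFIG],   # configured normally
        "site-b": [WP_MARKER],              # fresh, never configured: the exposure
        "site-c/public": [WP_MARKER],       # configured, wp-config.php one level up
    }
    for rel, files in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for name in files:
            open(os.path.join(d, name), "w").close()
    open(os.path.join(root, "site-c", WP_CONFIG), "w").close()


def demo_filesystem_scan():
    """Build the fixture in a temp dir and return the relative paths flagged."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [os.path.relpath(p, root) for p in find_unconfigured_installs(root)]


if __name__ == "__main__":
    print("unconfigured installs:", demo_filesystem_scan())
    print("web servers talking MySQL outside our networks:",
          suspicious_mysql_flows(SAMPLE_FLOWS, WEB_SERVERS, INTERNAL_NETS))
```

Run against a real document root, `find_unconfigured_installs` is the sweep Maunder describes; the flow rule deliberately keys on "outside our address space" rather than a generic public-address test, because a hosting provider knows exactly which database hosts its web tier should ever reach.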

Image from Flickr stream of Sean MacEntee