Why is it important: Earlier this week, WordPress plugin developer iThemes warned users about a vulnerability in its BackupBuddy extension. The security hole leaves sites running the plugin open to unauthorized access by attackers, who can use it to steal sensitive files and information. The vulnerability affects a range of BackupBuddy releases; users must update to version 8.7.5, which fixes the hole.
According to iThemes researchers, hackers are actively exploiting the vulnerability (CVE-2022-31474) on systems running affected versions of the BackupBuddy plugin. The exploit allows attackers to view the contents of any file on the server that the WordPress process can read. This includes files with sensitive information, such as /etc/passwd, /wp-config.php, .my.cnf, and .accesshash. These files can give an attacker system user information, WordPress database settings, and even credentials to authenticate to the affected server as root.
Administrators and other users can take steps to determine if their site has been hacked. Authorized users can check the affected server's access logs for requests containing local-destination-id together with /etc/passwd or wp-config.php that returned an HTTP 2xx response code, which indicates the request succeeded and the file was served.
WordPress security solution developer Wordfence identified millions of attempts to exploit the vulnerability since August 26. According to Wordfence security researchers, users and administrators should check server logs for references to the aforementioned local destination ID folder and local download folder. The Wordfence PSA went on to list the top IP addresses associated with attack attempts, including:
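The log check described above, as an added example that is not part of the original article or of the iThemes or Wordfence guidance: a small Python script that parses combined-format access log lines, flags requests that carry local-destination-id and name one of the sensitive files, and reports whether each one returned a 2xx status (a served file) or was blocked. The log lines are constructed for illustration, with documentation-range IP addresses, and the query-string layout is an assumption about how such requests appear in logs.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample log lines (Apache/nginx combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Aug/2022:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [26/Aug/2022:10:01:13 +0000] "GET /wp-admin/admin-ajax.php?local-destination-id=1&local-download=/etc/passwd HTTP/1.1" 200 1834 "-" "curl/7.85"
198.51.100.7 - - [26/Aug/2022:10:02:40 +0000] "GET /wp-admin/admin-ajax.php?local-destination-id=1&local-download=..%2F..%2Fwp-config.php HTTP/1.1" 200 3217 "-" "python-requests/2.28"
198.51.100.7 - - [26/Aug/2022:10:02:41 +0000] "GET /wp-admin/admin-ajax.php?local-destination-id=1&local-download=/etc/passwd HTTP/1.1" 403 199 "-" "python-requests/2.28"
192.0.2.5 - - [26/Aug/2022:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 14020 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Files named in the advisory as targets of the file-read bug.
SENSITIVE = ("/etc/passwd", "wp-config.php", ".my.cnf", ".accesshash")


def is_suspicious_request(path: str) -> bool:
    """True if the request uses local-destination-id and names a sensitive file.

    The path is URL-decoded twice so that encoded or double-encoded
    separators (e.g. %2F) are still matched.
    """
    decoded = unquote(unquote(path)).lower()
    return "local-destination-id" in decoded and any(s in decoded for s in SENSITIVE)


def find_file_read_attempts(log_text: str) -> List[Dict]:
    """Return one record per suspicious request; 'served' is True on a 2xx status."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_suspicious_request(m["path"]):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "time": m["time"],
            "path": unquote(m["path"]),
            "status": status,
            "served": 200 <= status < 300,  # 2xx means the file contents went out
        })
    return hits


if __name__ == "__main__":
    for hit in find_file_read_attempts(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "blocked"
        print(f'{hit["time"]} {hit["ip"]} {hit["status"]} {flag} {hit["path"]}')
```

Any record with served set to True should be treated as a confirmed disclosure and handled with the remediation steps iThemes lists below, not just a blocked attempt.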
Researchers at iThemes are offering compromised BackupBuddy users several steps designed to mitigate the consequences and prevent further unauthorized access. These steps include resetting WordPress database passwords, changing WordPress salts, updating API keys stored in the wp-config.php file, and updating passwords and SSH keys. Customers who require additional support can post support tickets through iThemes support.
Image credit: Justin Morgan