If You Use This Script, You’ve Probably Already Been Hacked
Hacking Made Easy
Several years ago, web publishing company Interconnect/IT released a handy tool for finding and replacing text in a website’s database. This tool, a stand-alone file published as searchreplacedb2.php, includes built-in WordPress compatibility that makes working with WordPress databases a breeze.
Unfortunately, it doesn’t include any authentication or security measures, which makes infecting WordPress databases equally easy.
During the last few weeks, our Security Services Team has noticed a spike in infections using this script. The hackers use their botnets to look for the script all over a target site. The following is a sample of log entries searching for this file.
We tracked scans from a set of known malicious IPs over the past two months and you can see the activity below:
If they find this file, they simply use it the same way a website owner would – except in this case, they exploit a website.
We have prepared screenshots of the script in action. It’s a very simple process using several pages. The first page prompts the user choose to automatically get the database login information from the WordPress configuration file. Note the warning about removing the script – we’ve omitted it from the rest of the screenshots, but that warning is actually present on every page.
In the second step, you confirm the preloaded database login credentials.
In the third step, you select the table(s) you want to work with. Hackers are selecting the posts table.
Finally, you enter the text you want to search for and the text with which you want to replace it.
This is what the hackers are doing:
Here is an example of a destination page:
The hackers actually don’t even have to walk through each of those steps – they can collapse it all into a single request. In an instant, an innocent site is completely hijacked.
Who Is Behind This?
Like most malware campaigns, this one involves computers around the world with no clear connection to each other. Many of them are probably infected with malware, unwittingly participating in the hackers’ botnet. However, we noticed that a few key servers are located in the Netherlands.
traffictrade[dot]life -> 184.108.40.206 (Host Sailor Ltd, NL)
trafficbroker[dot]club -> 220.127.116.11 (changed on June 20 from 18.104.22.168, which is registered to another Dutch company, HZ Hosting Ltd)
2clicks[dot]xyz -> 22.214.171.124 (Serverel Corp, NL)
Passive DNS data shows that the IP addresses associated with these domain names have not changed throughout this campaign. In other words, the hackers haven’t had to switch to a new server after their first one was shut down. They may have found a set of lenient Dutch hosting companies who turn a blind eye to their illicit activities.
Does Updating Help?
Searchreplacedb2.php is actually an old version of the script. But the present version, 3.1.0, is essentially the same tool and still does not include any security measures (besides a warning). So updating to the latest version doesn’t make it any safer.
This newer version isn’t a single file, but instead runs as a collection of scripts in a folder named Search-Replace-DB-master. We don’t have any records of hackers checking for the presence of this folder, but it is only a matter of time before they add it to their list of targets.
Test Your Site
To check if this file is present on your site, simply run a Wordfence scan. If you are not using WordPress, you can also run a Gravityscan – and make sure you install the Accelerator for the best available detection.
What to Do If You Are Vulnerable
If you have searchreplacedb2.php on your site but you don’t need it anymore, delete it immediately.
If you do need to use it on your site, then upload it with a different filename. Keep it uploaded only as long as you need it, and then immediately remove it.
A broader security principle applies here: run only as much software as you need. If you leave a script lying around, whether it’s a powerful tool like searchreplacedb2.php or a simple file with nothing but phpinfo() in it, you are offering some portion of your site to hackers. If you keep plugins and themes around even though you don’t use them, you are maintaining a risk that is completely unnecessary.
What to Do If You Have Been Hacked
If you have searchreplacedb2.php unsecured on your WordPress site, then the odds are high that you have probably been hacked. If you have it and your users are being redirected away, then you have definitely been hacked. Head to our site cleaning page and let the experts on our Security Services Team handle it for you.
Lesson For Developers
Developers, take heed: it doesn’t matter if you put a security warning on every page of your product. It doesn’t matter how bold the font is or how dire the wording is, or how easy it is for the user to delete the vulnerable script when they are done with it. Users will still forget or just ignore the warnings, and when that happens, bad guys profit. Make your code secure by default.
This blog post was written by Brad Haas, a senior security analyst at Wordfence and team lead for our Security Services Team. Brad has years of experience both in incident response and in securing sensitive government networks.