
Wordfence Blog

Millions of Sites Targeted in File Manager Vulnerability Attacks

This entry was posted in Vulnerabilities, WordPress Security on September 4, 2020 by Ram Gall   13 Replies

The Wordfence Threat Intelligence team is seeing a dramatic increase in attacks targeting the recently disclosed zero-day vulnerability in the WordPress File Manager plugin. The plugin is installed on over 700,000 WordPress websites, and we estimate that 37.4%, or roughly 261,800 sites, are still running a vulnerable version at the time of publication.

Attacks Are Exploiting the File Upload Vulnerability

Attacks against this vulnerability have risen dramatically over the last few days. As of 9 AM Pacific Time today, September 4, 2020, Wordfence has recorded attacks against over 1 million sites. Sites that do not use this plugin are also being probed by bots looking for vulnerable versions of File Manager, and we have recorded attacks against 1.7 million sites since the vulnerability was first exploited. Although Wordfence protects well over 3 million WordPress sites, that is still only a portion of the WordPress ecosystem, so the true scale of these attacks is larger than what we were able to record.

A few new indicators of compromise have emerged; one of the filenames we are seeing most frequently on compromised sites is Feoidasf4e0_index.php.

The following IP addresses have each attacked over 100,000 sites since September 3, 2020:

188.165.217.134
192.95.30.59
192.95.30.137
198.27.81.188
46.105.100.82
91.121.183.9
185.81.157.132
185.222.57.183
185.81.157.236
185.81.157.112
94.23.210.200
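The indicators above are only useful if you actually check for them. The following script is an added example, not part of the Wordfence post and not Wordfence tooling: it counts access-log requests from the listed IP addresses or for the reported file name, and lists files under a webroot carrying that name. The log lines and the webroot it runs against are constructed for the demo; the broadened `*_index.php` pattern is an assumption that attackers vary the prefix, so review those matches by hand.

```shell
#!/bin/sh
# Added example: not from the Wordfence post and not Wordfence's own tooling.
# Triage checks built from the indicators in the post. The access log and the
# webroot below are constructed for the demo; point the functions at a real
# combined-format access log and a real document root instead.

# The IP addresses the post lists as having each attacked over 100,000 sites.
WF_IOC_IPS="188.165.217.134 192.95.30.59 192.95.30.137 198.27.81.188
46.105.100.82 91.121.183.9 185.81.157.132 185.222.57.183 185.81.157.236
185.81.157.112 94.23.210.200"

# File name the post reports as a frequent indicator of compromise.
WF_IOC_FILE="Feoidasf4e0_index.php"

# Build an anchored grep -E alternation ("^(a\.b\.c\.d|...) ") from the list,
# so that 192.95.30.5 is not mistaken for 192.95.30.59.
ioc_ip_pattern() {
    pat=""
    for ip in $WF_IOC_IPS; do
        esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
        pat="${pat}${pat:+|}${esc}"
    done
    printf '^(%s) ' "$pat"
}

# Echo the number of log lines whose client IP is one of the listed attackers.
count_attacker_hits() {
    grep -Ec "$(ioc_ip_pattern)" "$1" || true
}

# Echo the number of requests for the reported file name from any IP. Hits
# after you have removed the file show someone is still checking whether it
# survived, which is worth watching even if the request now returns 404.
count_ioc_file_requests() {
    grep -Fc "/$WF_IOC_FILE" "$1" || true
}

# List files under a webroot carrying the reported name. The second pattern is
# an assumption (attackers may vary the prefix): review matches before deleting.
find_ioc_files() {
    find "$1" -type f \( -name "$WF_IOC_FILE" -o -name '*_index.php' \)
}

# --- constructed demo data (not real logs) ----------------------------------
WF_DEMO=$(mktemp -d)
trap 'rm -rf "$WF_DEMO"' EXIT

cat > "$WF_DEMO/access.log" <<'EOF'
188.165.217.134 - - [04/Sep/2020:09:00:01 +0000] "GET /Feoidasf4e0_index.php HTTP/1.1" 200 1042 "-" "Mozilla/5.0"
185.81.157.132 - - [04/Sep/2020:09:00:07 +0000] "GET /wp-content/plugins/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.95.30.5 - - [04/Sep/2020:09:00:09 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Sep/2020:09:01:30 +0000] "GET /Feoidasf4e0_index.php HTTP/1.1" 404 210 "-" "curl/7.68.0"
198.51.100.9 - - [04/Sep/2020:09:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF

mkdir -p "$WF_DEMO/www/wp-content/uploads"
echo '<?php /* placeholder */' > "$WF_DEMO/www/index.php"
echo '<?php /* placeholder */' > "$WF_DEMO/www/wp-content/uploads/$WF_IOC_FILE"

echo "requests from listed attacker IPs: $(count_attacker_hits "$WF_DEMO/access.log")"      # 2
echo "requests for $WF_IOC_FILE: $(count_ioc_file_requests "$WF_DEMO/access.log")"     # 2
echo "suspicious files under webroot:"
find_ioc_files "$WF_DEMO/www"   # .../www/wp-content/uploads/Feoidasf4e0_index.php
```

The IP match is anchored to the start of the line and followed by a space, which is correct for the standard combined log format; if your server logs a proxy header first, adjust the anchor. A non-zero result from any of the three checks means the host needs a full clean-up, not just a plugin update, since the indicators show code was already placed on the site.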

Recommendations

Update your plugin

If your site's functionality requires the File Manager plugin, make sure it is updated to version 6.9, the release that patched this vulnerability, or later.

Uninstall File Manager

If you are not actively using the plugin, uninstall it completely. Because the plugin exposes broad file-management capability to a user of the wp-admin dashboard, we recommend uninstalling it whenever it is not in active use rather than leaving it installed but deactivated.

Optimize your Wordfence firewall

Attacks on this vulnerability reach the vulnerable plugin file directly, so the vulnerable code runs without WordPress being loaded. A firewall that runs only as a WordPress plugin is loaded too late to see such a request; to block it, the firewall itself must run before WordPress is loaded.

Optimizing the Wordfence firewall ensures it can protect you even against vulnerabilities and exploits that do not require WordPress to run. There are numerous benefits to doing so, and it requires a few steps that the plugin guides you through; Wordfence also provides a video walkthrough of the optimization process. If you have been running Wordfence without the firewall optimized for some time, you can skip learning mode.

As a general rule, we recommend that you always keep your firewall optimized. When a zero-day vulnerability like this one is under active attack, an optimized firewall gives you a much better chance of preventing successful exploitation.
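A practitioner will want to verify that the firewall really is hooked in before PHP runs any script, rather than trusting a dashboard flag. The script below is an added example, not part of the Wordfence post and not Wordfence's own code. It assumes, which the post does not state, that the optimized firewall is wired in through PHP's `auto_prepend_file` directive pointing at a `wordfence-waf.php` file in the site root, written to `.htaccess` for mod_php or `.user.ini` for PHP-FPM/CGI; the three site roots it inspects are constructed for the demo.

```shell
#!/bin/sh
# Added example: not from the Wordfence post and not Wordfence's own code.
# Assumption (not stated in the post): the optimized firewall is hooked in via
# PHP's auto_prepend_file directive naming wordfence-waf.php in the site root,
# set in .htaccess (mod_php) or .user.ini (PHP-FPM/CGI). auto_prepend_file runs
# before any script, including a plugin file requested directly, which is what
# lets the firewall see requests that never load WordPress.

# Print the status of one site root and return 0 if the hook is live: a
# directive referencing wordfence-waf.php is present and the file exists.
wf_prepend_status() {
    root="$1"
    for cfg in "$root/.htaccess" "$root/.user.ini"; do
        [ -f "$cfg" ] || continue
        # Take the path after "auto_prepend_file", dropping "php_value", "=",
        # quotes and trailing whitespace so both file formats are handled.
        target=$(grep -E '^[[:space:]]*(php_value[[:space:]]+)?auto_prepend_file' "$cfg" \
            | head -n 1 \
            | sed -e 's/.*auto_prepend_file[[:space:]=]*//' -e "s/['\"]//g" -e 's/[[:space:]]*$//')
        case "$target" in
            *wordfence-waf.php)
                if [ -f "$target" ]; then
                    echo "$root: optimized ($cfg -> $target)"
                    return 0
                fi
                echo "$root: $cfg names $target but the file is missing; the hook is dead" >&2
                ;;
        esac
    done
    echo "$root: not optimized; the firewall only runs once WordPress loads its plugins" >&2
    return 1
}

# --- constructed demo site roots --------------------------------------------
WF_DEMO=$(mktemp -d)
trap 'rm -rf "$WF_DEMO"' EXIT

# 1. Plugin installed but the firewall was never optimized: no directive at all.
WF_SITE_PLAIN="$WF_DEMO/plain"
mkdir -p "$WF_SITE_PLAIN" && echo '<?php' > "$WF_SITE_PLAIN/wp-config.php"

# 2. Optimized: .user.ini prepends wordfence-waf.php and the file is present.
WF_SITE_OPT="$WF_DEMO/optimized"
mkdir -p "$WF_SITE_OPT" && echo '<?php' > "$WF_SITE_OPT/wordfence-waf.php"
printf "auto_prepend_file = '%s/wordfence-waf.php'\n" "$WF_SITE_OPT" > "$WF_SITE_OPT/.user.ini"

# 3. Directive left behind but the file is gone (e.g. after a careless restore):
#    PHP cannot open the prepended file, so requests fail instead of being filtered.
WF_SITE_DEAD="$WF_DEMO/dead"
mkdir -p "$WF_SITE_DEAD"
printf "php_value auto_prepend_file '%s/wordfence-waf.php'\n" "$WF_SITE_DEAD" > "$WF_SITE_DEAD/.htaccess"

for site in "$WF_SITE_PLAIN" "$WF_SITE_OPT" "$WF_SITE_DEAD"; do
    wf_prepend_status "$site" || true
done
```

The check only reads `.htaccess` and `.user.ini` in the site root; a hook placed in `php.ini` or an FPM pool file (for example with `php_admin_value[auto_prepend_file]`) is outside its scope, so on such hosts confirm the directive with `php -i` or `phpinfo()` as well. Whichever file carries it, the point is the same: the directive has to be in force for the PHP handler that serves the site, or a direct request to a plugin file never passes through the firewall.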

Please share these recommendations with anyone you know who may be using the File Manager plugin.

Special thanks to Threat Analyst Chloe Chamberland and Director of Marketing Kathy Zant for their contributions in writing, researching, and editing this post.


13 Comments on "Millions of Sites Targeted in File Manager Vulnerability Attacks"

Mike September 4, 2020 at 11:20 am • Reply

Does this mean that versions below 6.0 are not affected, or could versions below 6.0 be affected but just not listed because they are such an old version of the plugin?

Ram Gall September 4, 2020 at 11:42 am • Reply

Hi Mike,

After looking into it a bit more, it looks like versions below 6.4 were not affected - Version 6.4 is where the vulnerability was introduced.

MediaSmack September 4, 2020 at 11:21 am • Reply

Yes, we already updated all our plugins. We have around 700 websites. Yes, it is true. Thanks for helping us. Also, those IPs can be blocked.

James H September 4, 2020 at 11:28 am • Reply

I've been fighting with this for the last 24 hours. I noticed it when I went to update WordPress and it threw a critical error from a Yoast file: wp-content/plugins/wordpress-seo/src/conditionals/breadcrumbs-enabled-conditional.php

I had several folders with changed files when I did a git status. There were changes in the plugins folder and in the root. At one point it added a file to my .git folder and was requesting to be included from root index.php. Some changes went up the directory into /var/www/.

James H September 4, 2020 at 11:31 am • Reply

Also you missed one IP: 108.167.189.31. They made a request for one of the files that was modified ###_index.php after it had already been deleted.

Ram Gall September 4, 2020 at 11:41 am • Reply

Hi James,

Thanks for letting us know about this! There's actually a huge number of IPs that are attacking this vulnerability, we just decided to list the worst offenders - IPs that had attacked more than 100,000 sites each.

Neven September 4, 2020 at 1:53 pm • Reply

Vis-à-vis the version of File Manager: we had version 6.5 and still got hit. According to our own investigation, even with Wordfence security (free version) active, the script managed to get written at the beginning of every single index.php on the site. ATM working on a way to batch-clean this script out of all the index.php files.

Ram Gall September 4, 2020 at 3:07 pm • Reply

Hi Neven,

An attack like this bypasses the normal loading of WordPress. If the Wordfence firewall is optimized it will protect against attacks of this type, which is why we emphasize optimizing the firewall. In cases where the firewall is not optimized, attacks that bypass the normal loading of WordPress might not get blocked.

Fred Collin September 6, 2020 at 7:09 pm • Reply

This attack on our websites was then used to send spam, which we didn't notice at first because we were too busy fixing the websites; they managed to send some 5,600 emails over a few hours until we blocked them for good.

Sam September 12, 2020 at 4:25 pm • Reply

Hi Fred,

Any chance you can let us know how you managed to block those spam emails?

It looks like they have been sending a lot of spam emails, which are Dropbox phishing, to my clients.
If you can let us know how you managed to block them, that would be very much appreciated.

Thanks in advance.

Sam

Danel October B. Beriong September 13, 2020 at 9:01 pm • Reply

Hi, just wondering, I managed to clean up the files, I believe I checked everything, but the modification to the root index.php just keeps happening again and again. How do I clean it up for good?

Also, how did you "block them for good"? Thank you!

Christian Gamero September 10, 2020 at 11:39 pm • Reply

Thanks for sharing this post; it seems like a lot of security gaps have appeared lately.

It will be necessary to keep informed!

Tori September 12, 2020 at 5:39 pm • Reply

Thanks for the article. We just recovered two of our websites.
