Millions of Sites Targeted in File Manager Vulnerability Attacks

The Wordfence Threat Intelligence team is seeing a dramatic increase in attacks targeting the recent 0-day in the WordPress File Manager plugin. This plugin is installed on over 700,000 WordPress websites, and we estimate that 37.4% or 261,800 websites are still running vulnerable versions of this plugin at the time of this publication.

Attacks are Exploiting File Upload Vulnerability

Attacks against this vulnerability have risen dramatically over the last few days. Wordfence has recorded attacks against over 1 million sites today, September 4, 2020, as of 9 AM Pacific Time. Sites not using this plugin are still being probed by bots looking to identify and exploit vulnerable versions of the File Manager plugin, and we have recorded attacks against 1.7 million sites since the vulnerability was first exploited. Although Wordfence protects well over 3 million WordPress sites, this is still only a portion of the WordPress ecosystem. As such, the true scale of these attacks is larger than what we were able to record.

A few new indicators of compromise have emerged; one of the filenames we are seeing most frequently is Feoidasf4e0_index.php.

The following IP addresses have each attacked over 100,000 sites since September 3, 2020:

188.165.217.134
192.95.30.59
192.95.30.137
198.27.81.188
46.105.100.82
91.121.183.9
185.81.157.132
185.222.57.183
185.81.157.236
185.81.157.112
94.23.210.200
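The indicators above are the ones a site owner can act on immediately: the source IPs and the dropped filename. The script below is an added example, not Wordfence's code, that uses them for triage: it pulls requests from the listed IPs out of web-server access logs in the common "combined" format, lists requests for the IOC filename from any source (the comments below mention other IPs fetching dropped files), and walks a web root looking for the file itself. The log lines, the directory tree and every request path in them are constructed for the example; the post does not give the request path the attackers use, so the sample paths are placeholders.

```python
"""
Triage helper for the File Manager attack wave: added example, not Wordfence code.

  1. find requests from the attacker IPs listed in the post,
  2. find requests for the dropped file Feoidasf4e0_index.php from any IP,
  3. find the dropped file on disk.

All sample data below is constructed for the example.
"""
import os
import re
import tempfile
from collections import Counter

# IP addresses listed in the post (each attacked over 100,000 sites since 2020-09-03).
ATTACKER_IPS = frozenset({
    "188.165.217.134", "192.95.30.59", "192.95.30.137", "198.27.81.188",
    "46.105.100.82", "91.121.183.9", "185.81.157.132", "185.222.57.183",
    "185.81.157.236", "185.81.157.112", "94.23.210.200",
})

# Filename given in the post's indicators of compromise.
IOC_FILENAMES = frozenset({"Feoidasf4e0_index.php"})

# Apache/Nginx "combined" format: client IP, ident, user, [timestamp], "METHOD path proto" ...
_LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')


def find_attacker_requests(log_lines):
    """Return (ip, method, path) for every request from a listed attacker IP.
    Lines that are not combined-format entries are skipped, not fatal."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if m is not None and m.group("ip") in ATTACKER_IPS:
            hits.append((m.group("ip"), m.group("method"), m.group("path")))
    return hits


def attacker_request_counts(log_lines):
    """Requests per attacker IP, handy for deciding what to block first."""
    return Counter(ip for ip, _method, _path in find_attacker_requests(log_lines))


def find_ioc_requests(log_lines):
    """Return (ip, path) for any request whose target file is a listed IOC,
    regardless of source IP; query strings are ignored when matching."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if m is None:
            continue
        target = os.path.basename(m.group("path").split("?", 1)[0])
        if target in IOC_FILENAMES:
            hits.append((m.group("ip"), m.group("path")))
    return hits


def find_ioc_files(root):
    """Walk `root` and return the paths of files whose basename is a listed IOC."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in IOC_FILENAMES:
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def build_sample_tree():
    """Create a throwaway directory mimicking a compromised web root (constructed
    for the example; the post does not say where the file is dropped) and return its path."""
    root = tempfile.mkdtemp(prefix="fm-triage-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php // placeholder for the legitimate WordPress front controller\n")
    with open(os.path.join(root, "wp-content", "uploads", "Feoidasf4e0_index.php"), "w") as fh:
        fh.write("<?php // placeholder standing in for the dropped file\n")
    return root


# Constructed sample log lines (not real captures). 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges; the plugin request path is a placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Sep/2020:09:00:01 -0700] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.95.30.59 - - [04/Sep/2020:09:00:02 -0700] "POST /wp-content/plugins/ HTTP/1.1" 404 312 "-" "python-requests/2.24"',
    '185.81.157.132 - - [04/Sep/2020:09:00:03 -0700] "GET /Feoidasf4e0_index.php HTTP/1.1" 200 44 "-" "curl/7.68.0"',
    "not a log line at all",
    '203.0.113.50 - - [04/Sep/2020:09:00:04 -0700] "GET /Feoidasf4e0_index.php?c=1 HTTP/1.1" 404 44 "-" "curl/7.68.0"',
    '198.51.100.9 - - [04/Sep/2020:09:00:05 -0700] "GET /wp-login.php HTTP/1.1" 200 2400 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, count in attacker_request_counts(SAMPLE_LOG).most_common():
        print(f"{ip}: {count} request(s)")
    for ip, path in find_ioc_requests(SAMPLE_LOG):
        print(f"IOC request from {ip}: {path}")
    for path in find_ioc_files(build_sample_tree()):
        print(f"IOC file on disk: {path}")
```

Run it against a real log with `find_attacker_requests(open("access.log"))` and against the site with `find_ioc_files("/var/www/html")` (paths assumed). A request for the dropped file from an IP that is not on the list is still a strong signal, which is why `find_ioc_requests` ignores the source.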

Recommendations

Update your plugin

If your site's functionality genuinely requires the File Manager plugin, make sure it is updated to version 6.9, which patched this vulnerability.

Uninstall File Manager

If you are not actively using the plugin, uninstall it completely. Given the breadth of file-management capability this plugin exposes to a user of the wp-admin dashboard, we recommend uninstalling it whenever it is not in active use.

Optimize your Wordfence firewall

This vulnerability is reached without loading WordPress: the vulnerable plugin code runs when it is requested directly, so nothing that WordPress itself loads, including a firewall that runs only as a WordPress plugin, gets a chance to inspect the request. To protect your site against vulnerabilities of this type, the firewall also has to run before WordPress is loaded.

Optimizing the Wordfence firewall ensures that it can protect you even against vulnerabilities and exploits that do not need WordPress to run: optimization configures PHP's auto_prepend_file directive so that the firewall is loaded before any PHP file on the site executes. There are numerous benefits to doing so, and it takes a few steps that our plugin will guide you through. This video walks through the process of firewall optimization. If you have been using Wordfence without the firewall optimized for some time, learning mode is unnecessary, since the firewall has already seen your site's normal traffic.

As a general rule, we recommend keeping your firewall optimized at all times. When a zero-day vulnerability like this one comes under attack, an optimized firewall gives you a much better chance of preventing successful exploitation.
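Because the whole point of optimization is that the firewall runs in front of every PHP request, it is worth verifying that the prepend is actually in place on the server, especially after a migration. The script below is an added example, not Wordfence's code; it assumes only that the optimized firewall is installed through PHP's auto_prepend_file directive in one of the usual locations (.user.ini for php-fpm, php.ini, or an Apache .htaccess php_value line). It finds every such directive under a web root and checks that the file it points to exists, because a directive pointing at a path that no longer exists makes every PHP request fail instead of being filtered. The file names and paths in the sample site are constructed for the example.

```python
"""
Verify that a PHP site has a firewall prepended in front of every request.
Added example, not Wordfence code; assumes the prepend is configured with PHP's
auto_prepend_file directive. All sample paths are constructed for the example.
"""
import os
import re
import tempfile

# Files in which the directive is normally set.
CONFIG_NAMES = (".user.ini", "php.ini", ".htaccess")

# Matches INI syntax     auto_prepend_file = "/path/to/prepend.php"
# and Apache syntax      php_value auto_prepend_file "/path/to/prepend.php"
_DIRECTIVE_RE = re.compile(r'auto_prepend_file\s*=?\s*["\']?([^"\'\s]+)')


def find_prepend_directives(root):
    """Return (config_path, prepend_target) for every active directive under root.
    Commented-out lines (';' in INI files, '#' in .htaccess) are ignored."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in CONFIG_NAMES:
                continue
            cfg = os.path.join(dirpath, name)
            with open(cfg, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    stripped = line.strip()
                    if not stripped or stripped[0] in ";#":
                        continue
                    m = _DIRECTIVE_RE.search(stripped)
                    if m:
                        found.append((cfg, m.group(1)))
    return found


def check_prepend(root):
    """Map each configured prepend target to "ok", "missing" or "relative".
    PHP resolves a relative auto_prepend_file via include_path, so a relative
    target cannot be verified from here and is reported as suspect."""
    status = {}
    for _cfg, target in find_prepend_directives(root):
        if not os.path.isabs(target):
            status[target] = "relative"
        elif os.path.isfile(target):
            status[target] = "ok"
        else:
            status[target] = "missing"
    return status


def build_sample_site():
    """Constructed sample: one site with a working prepend, and a migrated site whose
    .htaccess still points at the old server's path. Returns (root, good_target)."""
    root = tempfile.mkdtemp(prefix="prepend-check-")
    good = os.path.join(root, "waf-prepend.php")  # placeholder for the firewall loader
    with open(good, "w") as fh:
        fh.write("<?php // the firewall would be loaded from here (placeholder)\n")
    with open(os.path.join(root, ".user.ini"), "w") as fh:
        fh.write("; read per directory by php-fpm\n")
        fh.write(f"auto_prepend_file = '{good}'\n")
    stale = os.path.join(root, "old-site")
    os.makedirs(stale)
    with open(os.path.join(stale, ".htaccess"), "w") as fh:
        fh.write("# php_value auto_prepend_file '/commented/out.php'\n")
        fh.write(f'php_value auto_prepend_file "{os.path.join(root, "missing-waf.php")}"\n')
    return root, good


if __name__ == "__main__":
    site_root, _ = build_sample_site()
    for target, state in check_prepend(site_root).items():
        print(f"{state:8} {target}")
```

Which of these files PHP actually honours depends on how it is run: php-fpm reads .user.ini and ignores php_value lines in .htaccess, while mod_php does the reverse, so a directive that this check reports as "ok" in a file the server does not read still leaves the site unprotected. Run `check_prepend("/var/www/html")` (path assumed) on the real host.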

Please share these recommendations with anyone you know who may be using the File Manager plugin.

Special thanks to Threat Analyst Chloe Chamberland and Director of Marketing Kathy Zant for their contributions in writing, researching, and editing this post.
This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.

Comments

15 Comments
  • Does this mean that versions below 6.0 are not affected, or could versions below 6.0 be affected but just not listed because they are such an old version of the plugin?

    • Hi Mike,

      After looking into it a bit more, it looks like versions below 6.4 were not affected - Version 6.4 is where the vulnerability was introduced.

  • Yes, we already updated all our plugins. We have around 700 websites. Yes, it is true. Thanks for helping us. Also, those IPs can be blocked.

  • I've been fighting with this for the last 24 hours. I noticed it when I went to update WordPress and it threw a critical error from a Yoast file: wp-content/plugins/wordpress-seo/src/conditionals/breadcrumbs-enabled-conditional.php

    I had several folders with changed files when I did a git status. There were changes in the plugins folder and in the root. At one point it added a file to my .git folder and was requesting to be included from root index.php. Some changes went up the directory into /var/www/.

    • Also, you missed one IP: 108.167.189.31. They made a request for one of the files that was modified, ###_index.php, after it had already been deleted.

      • Hi James,

        Thanks for letting us know about this! There's actually a huge number of IPs that are attacking this vulnerability, we just decided to list the worst offenders - IPs that had attacked more than 100,000 sites each.

  • Vis-à-vis the version of File Manager: we had version 6.5 and still got hit. According to our own investigation, even with Wordfence security (free version) activated, the script managed to get written at the beginning of every single index.php on the site. ATM working on a way to batch-clean all index.php content of this script.

    • Hi Neven,

      An attack like this bypasses the normal loading of WordPress. If the Wordfence firewall is optimized it will protect against attacks of this type, which is why we emphasize optimizing the firewall. In cases where the firewall is not optimized, attacks that bypass the normal loading of WordPress might not get blocked.

  • This attack on our websites was used to then send spam, which we didn't notice at first because we were too busy fixing the websites, they managed to send some 5600 emails over a few hours until we blocked them for good.

    • Hi Fred,

      Any chance you can let us know how you managed to block those spam emails?

      Looks like they have been sending a lot of spam emails, which are Dropbox phishing, to my clients.
      If you can let us know how you managed to block them, that would be very much appreciated.

      Thanks in advance.

      Sam

    • Hi, just wondering, I managed to clean up the files, I believe I checked everything, but the modification to the root index.php just keeps happening again and again. How do I clean it up for good?

      Also, how did you "block them for good"? Thank you!

  • Thanks for sharing this post, it seems like a lot of security gaps appear lately.

    It will be necessary to keep informed!

  • Hi, I am facing an issue when I try to update...I receive the following text: Download failed. Not found...what should I do? Thanks

    • Hi Klod,

      It looks like some File Manager users were having issues updating their plugin - in these cases the best practice would have been to deactivate and delete the plugin, and install a new copy of the plugin from scratch if and only if the plugin was absolutely necessary.

  • Thanks for the article. We just recovered two of our websites.