Monday, November 23, 2015

Hacked WordPress Sites To Gain Control Over Entire VPS

"RevSlider" Plugin Vulnerability Used to Access VPS File System


Background

The issue was discovered during a malware clean-up of a WordPress installation on a private VPS. The same server hosted around 20 more WP installations. The automatic cure procedure kept reporting infection left-overs, so we switched to manual investigation. This short post shows how simple, and how clever, some hacks can be.

Malware investigation 

First checks showed that the VPS had been infected through an outdated RevSlider installation (3.0.95), which allowed the attackers to upload arbitrary files to the host. Searching further, we found a strange directory, wp-content/plugins/revslider/temp/update_extract/sym. On inspection it turned out to be a symbolic link to "/" (the VPS root directory). As simple as that. Because the web server followed the link, it gave the attackers access to the entire file system of this VPS: they could read and modify any file or directory on the server, and they used that access to infect all the other WP installations hosted there.

Removing this directory and updating the vulnerable plugin solved the issue.
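A defensive check for this pattern, added here as an example and not part of the original post or of Quttera's tooling: walk a WordPress document root, find every symbolic link, and report those that resolve to a location outside that root (such as the "sym" link to "/" described above). The demo layout it builds is a constructed sample that mirrors the directory names in the post.

```python
# Report symlinks under a web root that escape it. Reports only; it never deletes.
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(webroot: str) -> list[tuple[str, str]]:
    """Return (link_path, resolved_target) for every symlink below webroot whose
    target lies outside webroot, or which does not resolve at all."""
    root = Path(webroot).resolve()
    findings = []
    # followlinks=False: a link to "/" is reported, not descended into.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            try:
                target = link.resolve(strict=True)
            except (OSError, RuntimeError):
                findings.append((str(link), "<dangling>"))
                continue
            try:
                target.relative_to(root)        # inside the web root: fine
            except ValueError:
                findings.append((str(link), str(target)))  # escapes the root
    return findings


def build_demo_webroot() -> str:
    """Constructed sample: a clean index.php, a harmless in-root link, and the
    revslider 'sym' link pointing at '/' as found during the clean-up."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    extract = os.path.join(root, "wp-content", "plugins", "revslider",
                           "temp", "update_extract")
    os.makedirs(extract)
    Path(root, "index.php").write_text("<?php // placeholder\n")
    os.symlink(os.path.join(root, "index.php"), os.path.join(root, "ok-link"))
    os.symlink("/", os.path.join(extract, "sym"))
    return root


if __name__ == "__main__":
    import sys
    webroot = sys.argv[1] if len(sys.argv) > 1 else build_demo_webroot()
    for link, target in find_escaping_symlinks(webroot):
        print(f"ESCAPING SYMLINK: {link} -> {target}")
```

Run it against a real document root (for example `python3 symcheck.py /var/www`) and review every reported link; a legitimate deployment rarely needs a link that leaves the web root.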

If you suspect your website was compromised or would like us to remove the malware, please select one of the ThreatSign website monitoring and malware clean-up plans. To run a free remote scan of your websites: http://quttera.com/website-malware-scanner

For other questions, do not hesitate to contact Quttera's help-desk.