Hacking WordPress sites the easy way.

Over 4,000 sites hacked in less than 3 months!

(Updated in real time – 11,581 hacked sites and counting…)

For a couple of years now we’ve been running various versions of our in-house WordPress honeypot plugin and have been quietly sitting back and collecting some interesting data. One of the more fascinating things the honeypot collects is not the pages visitors actually reach but the places they wish they could go. A lot of those places are pretty much what you’d expect: the latest and greatest plugin or theme exploit. But one of the more intriguing things these visitors look for is just plain old directories. Like these:

  • /v2
  • /v1
  • /wp2
  • /wp1
  • /bk
  • /2019
  • /2018
  • /temp
  • /assets
  • /web
  • /portal
  • /dev
  • /cms
  • /tmp
  • /home
  • /demo
  • /backup
  • /site
  • /main
  • /old
  • /new
  • /blog
  • /test
  • /wordpress
  • /wp

To add to the mystery, these directories, and others with similar names, were usually being probed rapid-fire from single IP addresses. So we got curious about what they were hoping to find in there. The logical thing to do seemed to be to create a few of these directories and see what our honeypots recorded. What we found was astounding.

These crafty folks were looking for the /wp-admin/setup-config.php file inside each directory. Once they confirmed it existed, they’d try to run the WordPress install script!

Wait, no. It can’t be that simple can it? Hacking into a WordPress site by running the install script?

Yes, it’s just that simple. And it’s more effective than you’d likely imagine. An uploaded copy of WordPress that has never been installed has no wp-config.php, so setup-config.php will accept whatever database host, user name and password a visitor types in, write them into a brand-new wp-config.php, and then let that visitor finish the install with an administrator account of their choosing. Since a WordPress administrator can upload plugins, which is to say arbitrary PHP, the visitor ends up running code on your server without needing a single plugin or theme bug.
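What that probing looks like in a web server log, and one way to pick it out, as an added example (not code from the original post or from the honeypot plugin it describes): the log lines below are constructed in Apache/nginx combined format using documentation IP ranges, and the thresholds (three or more directories inside a minute) are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample traffic in Apache/nginx "combined" log format; the
# addresses are documentation ranges, not real scanners.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Sep/2020:10:14:01 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Sep/2020:10:14:01 +0000] "GET /old/wp-admin/setup-config.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Sep/2020:10:14:02 +0000] "GET /backup/wp-admin/setup-config.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Sep/2020:10:14:02 +0000] "GET /test/wp-admin/setup-config.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Sep/2020:10:14:03 +0000] "GET /dev/wp-admin/setup-config.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Sep/2020:10:14:05 +0000] "POST /dev/wp-admin/setup-config.php?step=2 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Sep/2020:10:20:44 +0000] "GET /blog/2020/09/hello/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Sep/2020:10:21:02 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The two scripts an uninstalled copy exposes; step=2 of setup-config.php is
# where the visitor's database credentials get written into wp-config.php.
INSTALL_SCRIPTS = ("/wp-admin/setup-config.php", "/wp-admin/install.php")


def install_probe(path):
    """Directory a request was aimed at if it targets an install script, else None."""
    path = path.split("?", 1)[0]
    for script in INSTALL_SCRIPTS:
        if path.endswith(script):
            return path[: -len(script)] or "/"
    return None


def find_probers(log_text, min_dirs=3, window_seconds=60):
    """Report IPs that tried install scripts in several directories within a
    short window, plus the directories that answered 200 (a copy really exists)."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = install_probe(m["path"])
        if target is None:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_ip[m["ip"]].append((ts, target, int(m["status"])))

    report = {}
    for ip, events in per_ip.items():
        dirs = {d for _, d, _ in events}
        times = [t for t, _, _ in events]
        span = (max(times) - min(times)).total_seconds()
        # Assumed threshold: several directories in a short burst is the
        # "rapid fire from a single IP" pattern; tune for your own traffic.
        if len(dirs) >= min_dirs and span <= window_seconds:
            report[ip] = {
                "dirs": sorted(dirs),
                "span_seconds": span,
                "hits": sorted({d for _, d, s in events if s == 200}),
            }
    return report


if __name__ == "__main__":
    for ip, info in find_probers(SAMPLE_LOG).items():
        print(ip, info)
```

The entries under `hits` are the ones to act on first: a 200 from setup-config.php means a copy really is sitting there, and the follow-up `step=2` POST in the sample is the point at which the visitor’s database details are written into wp-config.php. A patient scanner can spread its probes over hours, so on a busy server it is worth lowering `min_dirs` and widening the window, or simply alerting on any 200 from an install script.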

It would appear that webmasters all over the planet leave uninstalled copies of WordPress all over the place, and these would-be hackers use simple human psychology to find them. How many times have you created a /temp directory, a /backup directory or perhaps a /test directory? If you have, you’re not the only one. We’ve done it too. But the big question is: how many people really upload raw copies of WordPress to these folders?

Apparently, lots. And here’s how we found out.

We decided to give these visitors exactly what they wanted: a copy of WordPress just begging to be installed. But with, oh, a few modifications. We’d let them get as far as entering their database server, login and password, and then we’d politely present them with a notice that the install had failed. And since the install script writes those details into wp-config.php anyway, we just saved them to a renamed copy of the config file (we added the date and time to the file name so we’d know when it happened). And since it might take a few days of fishing, we had the install script send us an email whenever we’d caught a fish.

In less than 3 months there have been 45 successful ‘attacks’ on our honeypots (we’re running 3 of them on some pretty obscure sites), and we’ve recorded over 4,000 unique URLs that their databases were managing.

One of the first of these hackers to stumble into our trap is known as Mr. Green. If you’d like to see how prolific he is, just do a Google search for “Hacked by Mr. Green”. That’s his calling card. Spoiler: about 97,500 results. And if you click on some of those search results, you’ll see that his big thing is simply tagging WordPress installs with his name. He works by setting up a MySQL database on one of those sites that offer them for free (most of his were in France). He then scans websites looking for uninstalled copies of WordPress and helps himself. I’m not sure we’d call him a hacker exactly; if anything this is script-kiddie territory, since it doesn’t take any actual hacking. But names aside, when he fell into our honeypot, his ‘free’ MySQL database was managing over 400 WordPress installs.

Over the next couple of weeks he stumbled into a couple more of our honeypots, and each time he kindly left us his MySQL login info. But now he was using a different MySQL host.

And he wasn’t the only one. Another script kiddie, who always uses the database user name tanvir, started paying us visits. He was using the same technique, looking for install scripts, and was managing dozens to hundreds of websites. And like Mr. Green, he tagged his sites, in his case with the name Black Shadow. There were a few more random ones that popped in on occasion, but these two were the dedicated ones.

A site hacked by tanvir.

So with all of this data flowing in, our curiosity once again got the best of us. Just how many websites were these guys really snagging? So we played with our toys again. Starting back in the middle of July 2020, our little honeypots didn’t just save all the juicy goodness to a file; we wrote an API just for these guys. Each time they tried to run our install, our little script would connect to their database, get a list of all of the URLs their database was maintaining, and stuff it into our database. And they were even put on notice, since the connection to their database was made from this very server.
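How a script like that can pull the URL list out of the attacker’s database, as an added example (it is not the author’s API, whose exact queries the post doesn’t show): WordPress stores each install’s address in the siteurl and home rows of its <prefix>options table, and a database shared by many installs holds one such table per install, each with its own prefix. The block uses an in-memory SQLite database constructed to stand in for the attacker’s MySQL host; the table names and URLs are made up, and the equivalent catalogue query for MySQL is noted in a comment.

```python
import re
import sqlite3

# Table names can't be bound as query parameters, so refuse anything that
# isn't a plain identifier before splicing one into SQL: this database
# belongs to the attacker, so its metadata is untrusted input too.
IDENT_RE = re.compile(r"^[A-Za-z0-9_]+$")


def list_option_tables(conn):
    """Every table named like WordPress's <prefix>options table.

    SQLite keeps its catalogue in sqlite_master; on MySQL the equivalent is
      SELECT table_name FROM information_schema.tables
      WHERE table_schema = DATABASE() AND table_name LIKE '%options'
    """
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name LIKE '%options'"
    )
    return [name for (name,) in rows if IDENT_RE.match(name)]


def site_urls(conn):
    """Collect the siteurl/home values from every options table in the database."""
    urls = set()
    for table in list_option_tables(conn):
        try:
            rows = conn.execute(
                f'SELECT option_value FROM "{table}" '
                "WHERE option_name IN ('siteurl', 'home')"
            )
        except sqlite3.OperationalError:
            continue  # a *options table that isn't WordPress-shaped; skip it
        urls.update(value for (value,) in rows if value)
    return sorted(urls)


def build_demo_db():
    """Constructed stand-in for a 'free' MySQL database shared by many installs."""
    conn = sqlite3.connect(":memory:")
    for prefix, url in (("wp_", "http://victim-one.example/old"),
                        ("wp2_", "http://victim-two.example/dev"),
                        ("x7k_", "http://victim-three.example/backup")):
        conn.execute(f'CREATE TABLE "{prefix}options" (option_name TEXT, option_value TEXT)')
        conn.executemany(f'INSERT INTO "{prefix}options" VALUES (?, ?)',
                         [("siteurl", url), ("home", url), ("blogname", "demo site")])
    # Noise: a posts table, and an unrelated table whose name merely ends in 'options'
    conn.execute('CREATE TABLE "wp_posts" (ID INTEGER, post_title TEXT)')
    conn.execute('CREATE TABLE "app_options" (k TEXT, v TEXT)')
    return conn


def demo_urls():
    """Run the enumeration against the constructed database."""
    return site_urls(build_demo_db())


if __name__ == "__main__":
    for url in demo_urls():
        print(url)
```

Each install that shares the database needs its own table prefix (the installer refuses to reuse a prefix whose options table already exists), which is why the enumeration goes by table name rather than assuming `wp_`. Reading someone else’s database, even one they handed you the credentials for, is a decision to make deliberately; the block only ever issues SELECTs.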

In less than 3 months there have been 47 successful ‘attacks’ on our honeypots (we’re running 3 of them on some pretty obscure sites), and we’ve recorded 4,088 unique URLs that their databases were managing.

And the attacks don’t stop there. Again, I’m not sure if I’d call them actual hackers or just opportunists with some knowledge of psychology, but the tactics being used are evolving. For example, our plugin honeypot has been recording some new ideas that hackers like them are exploring. Like these:

  • /old/Archive.zip
  • /old/site.zip
  • /old/wp-config.php.resetwp_bak
  • /old/wp-config
  • /old/1.txt
  • /old/wordpress.zip
  • /old/public_html.zip
  • /old/.well-known.zip
  • /old/wp-admin.zip
  • /old/mydomain.com.zip
  • /old/cgi-bin.zip

And these:

  • /files.zip
  • /file.zip
  • /scan.txt
  • /sql.zip
  • /ftp.zip

And finally, these:

  • /wp-config.php#
  • /wp-configfix
  • /wp-configphp
  • /wp-config_php
  • /wp-config.php2020
  • /wp-config_old_old
  • /wp-config-old-old
  • /wp-config1

And before you think that only an inexperienced webmaster would leave an uninstalled copy of WordPress lying around their server, think again. We’ve seen a major, worldwide beer manufacturer have their site compromised by this type of attack because they used a /dev folder on their main site to do testing. We’ve even seen websites for banks that these guys have managed to get into! And the fact that they keep coming back to our honeypots every few days tells us they’ve learned that just because a site doesn’t have an install script today doesn’t mean it won’t tomorrow.
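A quick way to check your own hosts for exactly this mistake, as an added example that is not part of the original post or the author’s honeypot: it walks a webroot and flags any WordPress code tree with no wp-config.php, using the same two locations WordPress itself checks (the install directory and, unless the parent is also a WordPress tree, one level up). The directory layout it builds under a temporary path is constructed for the demonstration.

```python
import os
import tempfile


def is_wordpress_tree(path):
    """A directory holding WordPress code, installed or not."""
    return (os.path.isfile(os.path.join(path, "wp-settings.php"))
            and os.path.isfile(os.path.join(path, "wp-admin", "setup-config.php")))


def is_configured(path):
    """Mirror wp-load.php: wp-config.php may live in the install directory, or
    one level up provided that parent is not itself a WordPress tree."""
    if os.path.isfile(os.path.join(path, "wp-config.php")):
        return True
    parent = os.path.dirname(os.path.abspath(path))
    return (os.path.isfile(os.path.join(parent, "wp-config.php"))
            and not os.path.isfile(os.path.join(parent, "wp-settings.php")))


def find_uninstalled(webroot):
    """Relative paths of WordPress trees under webroot that have no config,
    i.e. ones whose setup-config.php will accept anyone's database credentials."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        if ("wp-settings.php" in filenames
                and is_wordpress_tree(dirpath)
                and not is_configured(dirpath)):
            found.append(os.path.relpath(dirpath, webroot))
    return sorted(found)


def _touch(*parts):
    path = os.path.join(*parts)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    open(path, "w").close()


def build_demo(root):
    """Constructed webroot: a live site at the top, a stray /dev copy inside it,
    a /backup/site copy that keeps its config one level up, and an /old
    directory holding only a zip (not a code tree, so not flagged)."""
    for name in ("wp-settings.php", "wp-config.php", "wp-admin/setup-config.php"):
        _touch(root, name)
    for name in ("wp-settings.php", "wp-admin/setup-config.php"):
        _touch(root, "dev", name)
    _touch(root, "backup", "wp-config.php")
    for name in ("wp-settings.php", "wp-admin/setup-config.php"):
        _touch(root, "backup", "site", name)
    _touch(root, "old", "site.zip")


def demo():
    """Build the constructed webroot in a temp directory and audit it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    build_demo(root)
    return find_uninstalled(root)


if __name__ == "__main__":
    print(demo())
```

Note that the /dev copy is flagged even though the live site’s wp-config.php sits directly above it: WordPress ignores a parent wp-config.php when the parent is itself a WordPress tree, so that nested copy really would serve the installer. Run `find_uninstalled` against the real document roots on a schedule, and treat a non-empty result the same way you would treat an open admin panel.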

We humans are creatures of habit. You can call us either lazy or adept at physics, because we typically take the path of least resistance to accomplish a task. And if we complete a task once, we tend to do it the exact same way the next time. Whether it’s us doing it ourselves or the human programmer who wrote the software we’re using, we tend to keep naming files and directories the same thing over and over again.

Hackers are starting to tap into that psychology. Because we’re all human, eliminating unintentional exploits from plugins and themes is going to be a daunting, if not impossible, task. But just as dangerous are the unintentional exploits we create ourselves. This one, at least, has an easy fix: don’t upload WordPress until you’re ready to run the install, delete test and backup copies when you’re done with them, and if a copy has to sit on a server unconfigured, block web access to it until it’s installed.

Blog safe!
