A local file inclusion vulnerability in the WordPress Slider Revolution Plugin has been released:
Apparently this vulnerability has been discussed on some underground forums for a couple of months, but it wasn't until these more mainstream websites published details that we saw attackers start scanning for vulnerable sites. Our web honeypots picked up increased scanning activity today. Here is an example full audit log dump of the HTTP request from our ModSecurity WAF:
In this attack example, the attacker is trying to access the WordPress config file in the hopes of obtaining sensitive data such as database credentials.

Recommendations

- Update your WordPress Slider Revolution Plugin.
Sucuri Security is seeing similar activity and is also reporting that the developer of this Plugin chose to silently patch this vulnerability. This did a disservice to the Plugin userbase, who were neither made aware of the problem nor prompted to update. A couple of notes:
- Updating this plugin may need to be done manually if your WP manager does not provide an interface for it.
- Beware that "disabling" the Plugin may end up being superseded by the Theme, which can re-enable it. You may need to remove it altogether if you cannot update it.
WAFs can be used to help prevent exploitation until you can get your systems updated. Trustwave's WebDefend WAF would block this attack either through a generic "Directory Traversal Attack" signature or through an anomaly of the learned resource profile. For ModSecurity WAF, we have added a new signature to our commercial rules feed:
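To show what a generic directory-traversal check amounts to in practice, here is an added example (not the Trustwave/ModSecurity commercial signature and not code from the Plugin): a small Python detector that inspects the path and each query-string argument of access-log lines the way a WAF inspects ARGS, decodes URL encoding repeatedly to defeat double-encoding evasion, and flags `../` sequences or references to `wp-config.php` in argument values. The log lines, client addresses and the `file` parameter name below are constructed for illustration and are not taken from the Slider Revolution Plugin.

```python
"""Flag directory-traversal / local-file-inclusion attempts in access logs.

Added example, not Trustwave's or ModSecurity's code. It mirrors what a
generic "Directory Traversal Attack" signature does, run over constructed
sample log lines. All parameter names, paths and addresses are made up.
"""
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# After decoding and separator folding, a traversal attempt contains "../".
TRAVERSAL_RE = re.compile(r"\.\./")
# A request argument that names the WordPress config file is a strong LFI hint.
WP_CONFIG_RE = re.compile(r"wp-config\.php", re.IGNORECASE)

# Common Log Format: client, ident, user, [date], "request line", status, bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<date>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def normalize(value):
    """URL-decode repeatedly (double encoding is a classic WAF evasion) and
    fold backslashes to forward slashes so one regex covers both separators.
    The loop is bounded so odd input can never make it spin forever."""
    prev, decoded = None, value
    for _ in range(3):
        if decoded == prev:
            break
        prev, decoded = decoded, unquote(decoded)
    return decoded.replace("\\", "/")


def inspect_target(target):
    """Return the reasons a request target looks like an LFI attempt
    (an empty list means nothing suspicious). The path and every query
    value are checked separately, as a WAF inspects REQUEST_URI and ARGS."""
    reasons = []
    parts = urlsplit(target)
    candidates = [("path", parts.path)]
    candidates += [("arg:" + k, v)
                   for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    for where, raw in candidates:
        norm = normalize(raw)
        if TRAVERSAL_RE.search(norm):
            reasons.append("directory traversal in " + where)
        # wp-config.php as a *value* (not the path) is what an inclusion
        # attempt looks like; a plain GET of the path is not flagged here.
        if where != "path" and WP_CONFIG_RE.search(norm):
            reasons.append("wp-config.php referenced in " + where)
    return reasons


def scan_log(lines):
    """Return (client, target, reasons) for every log line that is flagged."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        reasons = inspect_target(m.group("target"))
        if reasons:
            hits.append((m.group("client"), m.group("target"), reasons))
    return hits


# Constructed sample traffic (not real logs); 'file' is a hypothetical parameter.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2014:10:01:02 +0000] "GET /index.php?file=../../wp-config.php HTTP/1.1" 200 1532',
    '203.0.113.5 - - [10/Sep/2014:10:01:03 +0000] "GET /index.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 1532',
    '203.0.113.5 - - [10/Sep/2014:10:01:04 +0000] "GET /index.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 1532',
    '198.51.100.7 - - [10/Sep/2014:10:02:00 +0000] "GET /wp-content/uploads/2014/09/photo.jpg HTTP/1.1" 200 48201',
    '198.51.100.7 - - [10/Sep/2014:10:02:01 +0000] "GET /?s=hello+world HTTP/1.1" 200 9912',
]

if __name__ == "__main__":
    for client, target, reasons in scan_log(SAMPLE_LOG):
        print(client, target, "; ".join(reasons))
```

The third constructed line is double-encoded (`%252e` decodes to `%2e`, which decodes to `.`); a signature that decodes only once would miss it, which is why the normalization step repeats the decode before matching. The two benign lines from the second client produce no hits, so the check can run against a full access log without drowning in noise.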
This June, we introduced a weeklong social campaign called #NoHacked. The goals for #NoHacked are to bring awareness to hacking attacks and offer tips on how to keep your sites safe from hackers.
We held the campaign in 11 languages on multiple channels including Google+, Twitter and Weibo. About 1 million people viewed our tips and hundreds of users used the hashtag #NoHacked to spread awareness and to share their own tips. Check them out below!
Posts we shared during the campaign:
Some of the many tips shared by users across the globe:
- Pablo Silvio Esquivel from Brazil recommends users not to use pirated software (source)
- Rens Blom from the Netherlands suggests using different passwords for your accounts, changing them regularly, and using an extra layer of security such as two-step authentication (source)
- Дмитрий Комягин from Russia says to regularly monitor traffic sources, search queries and landing pages, and to look out for spikes in traffic (source)
- 工務店コンサルタント from Japan advises everyone to choose a good hosting company that's knowledgeable about hacking issues and to set up email forwarding in Webmaster Tools (source)
- Kamil Guzdek from Poland advocates changing the default table prefix in wp-config to a custom one when installing a new WordPress to lower the risk of the database being hacked (source)
Hacking is still a surprisingly common issue around the world so we highly encourage all webmasters to follow these useful tips. Feel free to continue using the hashtag #NoHacked to share your own tips or experiences around hacking prevention and awareness. Thanks for supporting the #NoHacked campaign!
And in the unfortunate event that your site gets hacked, we’ll help you toward a speedy and thorough recovery:
Posted by your friendly #NoHacked helpers