Last week we told you that we found a dangerous vulnerability that allows you to upload malicious files to vulnerable sites. At the same time, the File Manager plugin is used by more than 700,000 resources, and although the vulnerability has already been fixed, a few days ago more than half of the sites were still considered vulnerable.
Attacks on this vulnerability began almost immediately: attackers uploaded web shells to websites that allowed them to take control of the resource and use it for their own purposes. The researchers wrote that attackers are trying to embed various files on websites. In some cases, these files were empty (obviously, the hackers were only testing the vulnerability), other malicious files were named hardfork.php, hardfind.php and x.php, and after September 3, 2020 Feoidasf4e0_index.php appeared.
Now the Defiant experts behind the development of Wordfence are warned that the number of attacks on this vulnerability has increased dramatically over the past few days. So, just last Friday, September 4, 2020, experts recorded attacks on more than a million sites. In total, more than 1.7 million resources have been attacked over the past week, and their number only continues to grow.
According to experts, since September 3, 2020, each of the following IP addresses has attacked at least 100,000 sites:
• 192.95.30[.]137; • 198.27.81[.]188;
• 46.105.100[. ]82;
The company emphasizes that Wordfence protects more than three million sites, but this is only part of the WordPress ecosystem, that is, the real scale these attacks should be even more, because WordPress is installed on dozens and or even hundreds of millions of sites.
Specialists strongly recommends all File users Manager update plugin to version 6.9 as soon as possible.