By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
10alert.com10alert.com
  • Threats
    • WordPress ThreatsDanger
    Threats
    A cyber or cybersecurity threat is a malicious act that seeks to damage data, steal data, or disrupt digital life in general. Cyber threats include…
    Show More
    Top News
    CosmicStrand: a UEFI rootkit
    8 months ago
    Cloak and Dagger: A hole in Android
    7 months ago
    Mobile malware masked as porn apps
    8 months ago
    Latest News
    Safeguards against firmware signed with stolen MSI keys
    1 day ago
    WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
    1 day ago
    Wordfence Intelligence Weekly WordPress Vulnerability Report (May 15, 2023 to May 21, 2023)
    6 days ago
    Wordfence Firewall Blocks Bizarre Large-Scale XSS Campaign
    1 week ago
  • Fix
    Fix
    Troubleshooting guide you need when errors, bugs or technical glitches might ruin your digital experience.
    Show More
    Top News
    Surface Pro 4 teardown: Get a closer look at the components
    8 months ago
    How to reset Windows Update components on Windows 10
    8 months ago
    Windows 11 build 22610 with new changes in Dev and Beta Channels
    8 months ago
    Latest News
    How automatically delete unused files from my Downloads folder?
    4 months ago
    Now you can speed up any video in your browser
    4 months ago
    How to restore access to a file after EFS or view it on another computer?
    4 months ago
    18 Proven Tips to Speed Up Your WordPress Site and Improve SEO | 2023 Guide
    5 months ago
  • How To
    How ToShow More
    What is two-factor authentication | Kaspersky official blog
    2 days ago
    Acer refreshes Windows 11 PCs for work and play: Swift Edge 16 and Predator Triton 16
    4 days ago
    NVIDIA GeForce RTX 4080 New Mercury Editions of Razer Blade 16 and Blade 18 now available
    4 days ago
    How Oxy uses hooks for maximum extensibility
    How Oxy uses hooks for maximum extensibility
    5 days ago
    The personal threat landscape: securing yourself smartly
    5 days ago
  • News
    News
    This category of resources includes the latest technology news and updates, covering a wide range of topics and innovations in the tech industry. From new…
    Show More
    Top News
    How do you know if your accounts have been hacked?
    8 months ago
    How to protect yourself from piercing by IP address?
    8 months ago
    How to find out the IP address of your enemy in a couple of clicks
    8 months ago
    Latest News
    How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11
    2 days ago
    How to enable Taskbar End Task option to close apps on Windows 11
    2 days ago
    How to check USB4 devices specs from Settings on Windows 11
    2 days ago
    How to enable new header UI for File Explorer on Windows 11
    1 week ago
  • Glossary
  • My Bookmarks
Reading: Your Backups Might Be Your Greatest Weakness
Share
Notification Show More
Aa
Aa
10alert.com10alert.com
  • Threats
  • Fix
  • How To
  • News
  • Glossary
  • My Bookmarks
  • Threats
    • WordPress ThreatsDanger
  • Fix
  • How To
  • News
  • Glossary
  • My Bookmarks
Follow US
Wordpress Threats

Your Backups Might Be Your Greatest Weakness

Tom Grant
Last updated: 9 January
Tom Grant 6 months ago
Share
9 Min Read

Configuration Probing: Your Backups Might Be Your Greatest Weakness

Configuration files exist to make life easier for developers and website operators. In a world without configuration files, every instance of code that depended on a database connection could potentially require the connection details to be hard coded or manually entered. Other reusable data would be defined multiple times, causing code bloat and possible performance issues. Even just making changes to a website could be a tedious task of tracking down exactly where configuration details are kept, and updating all instances. Configuration files are a great resource for maintaining a website with ease, but they are also a common resource for malicious actors.

Contents
Configuration Probing: Your Backups Might Be Your Greatest WeaknessSensitive Data in WordPress Configuration FilesCommon Backup MistakesConfiguration Backup ProbingConclusion

Sensitive Data in WordPress Configuration Files

WordPress includes a core file named wp-config.php that defines the database credentials, secret keys, the database table prefix to use, and required file paths. Defining these in a configuration file is convenient, but if a malicious actor can get their hands on the wp-config.php file, then they have a lot of information that can lead to data theft and even a site takeover. In WordPress, the website content is stored within the database, including the user details for administrators and other roles. This file is protected by default in WordPress, but what happens when you need to change some minor details in the file, and you make a backup with a different name, but leave it in a web accessible directory?

Let’s take a look at the database details included in the wp-config.php file. What is defined here is the name of the database, the name of the database user as well as the associated password, the hostname for the location of the database, and the default character set and collation. If other protections are not in place on the database server, such as IP restriction, this information can give a malicious actor everything they need to access the database. With unrestricted database access, they can then insert new admin users which in turn provides them with unrestricted access to the website and all of its backend data.

Sensitive data in wp-config.php

Common Backup Mistakes

A common way of backing up the wp-config.php file is to make a copy of the file and add a new file extension like .txt, .bak, or .html to the end of the filename. This is a quick way to make a backup, and ensure it is readily available to be reactivated by changing the filename back to the original. The problem is that leaving these files in a web-accessible directory makes it relatively simple for malicious actors to find the sensitive data contained in the file.

Let’s say the file is updated to change the absolute path for the WordPress website, with the original backed up as wp-config.php.html. If you go to the backup file directly in a browser, you will get a white page. This seems harmless and safe, but it also gives the information that the file exists, just without any actual HTML code to display content on the screen. If instead the page is called using a cURL command from a terminal, the file contents will be displayed.

Backup file read in the command line

If the file is backed up as wp-config.php.bak the browser will download the file when it is loaded, and if the file is backed up as wp-config.php.txt then the content will display in the browser directly.

Backup file read in the browser

Configuration Backup Probing

There are multiple techniques used to probe for backups of configuration files. One simple technique is using what is known as Google dorks. This technique makes use of built-in search functionality in Google and other search engines. For instance, the search phrase inurl:wp-config.php intext:DB_PASSWORD will return results for files containing wp-config.php within the URL that also contain DB_PASSWORD in the body of the file that loads. Malicious actors will also often automate the process of finding backup configuration files with the use of scripts and prebuilt tools. Using some form of automation to find these files makes the process much more efficient.

Probing for backups of the wp-config.php file is a very common practice. It is so common, in fact, that the Wordfence firewall has tracked 70,408,576 attempts to locate these backups in the last 30 days alone.

wp-config.php backup probing logged in the last 30 days

In this data, we did identify four legitimate uptime scanners that were being used to find this file. The thing with these scanners is that they are not expensive, and two of them even have free versions available. Because there is no legitimate reason to scan for backups of the wp-config.php file, it appears that malicious actors have determined that the resources required to use these scanners are outweighed by the benefits of implementing a known legitimate solution for nefarious purposes. These scanners account for a little over 6.5 million attempts to locate the wp-config.php file backups.
The following are the top ten IP addresses we have blocked from probing for wp-config.php backups.

  • 3.69.53.252 with 3953193 attempts
  • 3.71.111.191 with 2165519 attempts
  • 52.59.9.15 with 1726745 attempts
  • 35.83.251.89 with 1707670 attempts
  • 3.96.219.221 with 1645568 attempts
  • 35.182.107.115 with 1553854 attempts
  • 34.240.248.60 with 1526032 attempts
  • 50.16.69.90 with 1065868 attempts
  • 3.99.130.127 with 952639 attempts
  • 35.91.211.91 with 789722 attempts

Probe attempts logged per IP address in the past 30 days

All of these are registered to Amazon, and are spread around the world, which is not uncommon. Threat actors will often use servers in any location that could be useful to them, especially if there is a location that is known for allowing (or at least turning a blind eye to) the type of activity they will be using the server for.

Conclusion

Looking at the data collected in the last 30 days, it becomes clear that scanning for configuration files such as wp-config.php is wide-spread among malicious actors. The database credentials alone can prove incredibly valuable to anyone whose intent is to take over a website. With more than 40% of current websites running WordPress, this makes finding wp-config.php files even more valuable as it only requires knowledge of a single content management system (CMS).

The Wordfence Scanner includes an option to “Scan for publicly accessible configuration, backup, or log files” which will alert you if any publicly accessible configuration, backup, or log files are present in your site’s directory. This setting is enabled on a standard scan and can be checked for custom scans as well. If you received results indicating that you have a publicly accessible sensitive file, we strongly recommend removing it from the publicly accessible directory immediately.

If you believe your site has been compromised as a result of a configuration probing attack or some other exploit, we offer incident response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.


Source: wordfence.com

Translate this article

TAGGED: Social engineering, Threat, Threats, WordPress, Worpdress
Tom Grant January 9, 2023 November 30, 2022
Share this Article
Facebook Twitter Reddit Telegram Email Copy Link Print

STAY CONECTED

24.8k Followers Like
253.9k Followers Follow
33.7k Subscribers Subscribe
124.8k Members Follow

LAST 10 ALERT

Safeguards against firmware signed with stolen MSI keys
Threats 1 day ago
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
Wordpress Threats 1 day ago
How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11
News 2 days ago
How to enable Taskbar End Task option to close apps on Windows 11
News 2 days ago
How to check USB4 devices specs from Settings on Windows 11
News 2 days ago

Recent Posts

  • Safeguards against firmware signed with stolen MSI keys
  • WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
  • How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11
  • How to enable Taskbar End Task option to close apps on Windows 11
  • How to check USB4 devices specs from Settings on Windows 11

You Might Also Like

Threats

Safeguards against firmware signed with stolen MSI keys

1 day ago
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
Wordpress Threats

WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin

1 day ago
How To

The personal threat landscape: securing yourself smartly

5 days ago
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 15, 2023 to May 21, 2023)
Wordpress Threats

Wordfence Intelligence Weekly WordPress Vulnerability Report (May 15, 2023 to May 21, 2023)

6 days ago
Show More

Related stories

How to Use Cloudflare to Secure Your WordPress Site
How To Starting Chrome from the command line
How to fix error 0x80070057 in Chrome?
Windows 10 How To Disable Slide to Shutdown
Windows search not working (FIX)
How to watch movies and TV series for free on Kinopoisk?
Previous Next

10 New Stories

What is two-factor authentication | Kaspersky official blog
Acer refreshes Windows 11 PCs for work and play: Swift Edge 16 and Predator Triton 16
NVIDIA GeForce RTX 4080 New Mercury Editions of Razer Blade 16 and Blade 18 now available
How Oxy uses hooks for maximum extensibility
The personal threat landscape: securing yourself smartly
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 15, 2023 to May 21, 2023)
Previous Next
Hot News
Safeguards against firmware signed with stolen MSI keys
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11
How to enable Taskbar End Task option to close apps on Windows 11
How to check USB4 devices specs from Settings on Windows 11
10alert.com10alert.com
Follow US

© 10 Alert Network. All Rights Reserved.

  • Privacy Policy
  • Contact
  • Customize Interests
  • My Bookmarks
  • Glossary
Go to mobile version
adbanner
AdBlock Detected
Our site is an advertising supported site. Please whitelist to support our site.
Okay, I'll Whitelist
Welcome Back!

Sign in to your account

Lost your password?