WordPress: Attacked during installation

With many Internet services, you first start a basic system with standard settings, which you then configure and set up before going live. However, strangers are increasingly attacking this raw version with its insecure default settings: it often takes only a few minutes until the attackers have smuggled in a back door, because they use a trick that tells them where to find what, reports security researcher Vladimir Smitka.

WordPress is a prominent example: you load the basic installation onto the server and start the installer at https://mysite.irgend.wo/wp-admin/setup-config.php to set a new password right away. But by then it may already be too late, because typically you have just set up a new server and issued a new TLS certificate for it. That process is documented in the publicly available Certificate Transparency (CT) logs.

Various attackers monitor these CT logs and lie in wait for the owner to install something on the new host. To do this, they poll for the typical WordPress installer URLs to appear. In Smitka's own experiments, it typically took 4 minutes for the first back doors to land on the system; one attacker needed less than 1 minute. A WordPress system set up without HTTPS as a cross-check, on the other hand, remained completely untouched.

Smitka managed to observe at least one attacking group at work. Within a few days, more than 800 WordPress systems were hijacked, and he notified the owners directly. It can be assumed, however, that the problem is much larger and that thousands of WordPress systems have been compromised in this way.

To prevent this, make sure the new system is not open to the public until installation and setup are complete. This can be achieved with a suitable .htaccess file that puts a password prompt in front of the installer or, as Smitka suggests, at least limits access to /wp-admin to a single IP address.

Web hosters can protect their customers by blocking requests to /wp-admin/setup-config.php?step=2 that carry no Referer header. This takes advantage of the fact that the mass attacks currently taking place take a shortcut through the installation process. However, it is easily bypassed by modified attacks.
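The two countermeasures just described, the owner's IP or password restriction and the hoster's Referer check, combined in one .htaccess file. This is an added example, not from the article, Smitka or the WordPress project; it assumes Apache 2.4 with mod_authz_core and mod_rewrite enabled, an AllowOverride that permits these directives, and 203.0.113.10 as a placeholder for the administrator's own IP address.

```apache
# Added example: place this file in the WordPress document root BEFORE
# starting the installer, and remove or relax it once setup is complete.
# 203.0.113.10 is a placeholder for the administrator's own address.

# 1. Only the administrator's address may reach the installer scripts.
<Files "setup-config.php">
    Require ip 203.0.113.10
</Files>
<Files "install.php">
    Require ip 203.0.113.10
</Files>

# 1b. Alternative to the IP allow-list: an extra HTTP Basic Auth prompt.
#     The .htpasswd file must live outside the document root (placeholder path).
# <Files "setup-config.php">
#     AuthType Basic
#     AuthName "Installation in progress"
#     AuthUserFile /etc/apache2/wp-install.htpasswd
#     Require valid-user
# </Files>

RewriteEngine On

# 2. Limit the whole /wp-admin tree to the administrator's address while
#    setting up. 403 for everyone else.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule ^wp-admin/ - [F,L]

# 3. Hoster-style rule: refuse step 2 of the installer (where the database
#    credentials are submitted) when the request carries no Referer header.
#    Trivially bypassed by a tailored request, so it only complements 1 and 2.
RewriteCond %{REQUEST_URI} ^/wp-admin/setup-config\.php$
RewriteCond %{QUERY_STRING} (^|&)step=2(&|$)
RewriteCond %{HTTP_REFERER} ^$
RewriteRule ^ - [F,L]
```

Rule 3 is the one a hoster can deploy globally without knowing each customer's address; rules 1 and 2 are what the site owner should use, since they do not depend on a header the client controls.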

The insidious thing is that the attackers leave the system fully functional; many admins don't even realize that their system already contains a back door. So anyone who has set up WordPress or another server service in the way described is well advised to search the system very carefully for back doors. Smitka suggests the security scanners from Wordfence or Sucuri. If you find something, it is best to start over with a new, clean system, this time better secured.
