According to iThemes researchers, Hackers are actively exploiting the vulnerability (CVE-2022-31474) across impacted systems using specific versions of the BackupBuddy plugin. The exploit allows attackers to view the contents of any WordPress-accessible file on the affected server. This includes those with sensitive information, including /etc/passwd, /wp-config.php, .my.cnf, and .accesshash. These files can provide unauthorized access to system user details, WordPress database settings, and even authentication permissions to the affected server as the root user. Administrators and other users can take steps to determine if their site was compromised. Authorized users can review an impacted server’s logs containing local-destination-id and /etc/passed or wp-config.php that return an HTTP 2xx response code, indicating a successful response was received.

WordPress security solution developer Wordfence identified millions of attempts to exploit the vulnerability dating back to August 26th. According to Wordfence security researchers, users and administrators should check server logs for references to the aforementioned local-destination-id folder and the local-download folder. The PSA went on to list the top IPs associated with the attempted attacks, which include:

195.178.120.89 with 1,960,065 attacks blocked 51.142.90.255 with 482,604 attacks blocked 51.142.185.212 with 366,770 attacks blocked 52.229.102.181 with 344,604 attacks blocked 20.10.168.93 with 341,309 attacks blocked 20.91.192.253 with 320,187 attacks blocked 23.100.57.101 with 303,844 attacks blocked 20.38.8.68 with 302,136 attacks blocked 20.229.10.195 with 277,545 attacks blocked 20.108.248.76 with 211,924 attacks blocked

Researchers at iTheme provide compromised BackupBuddy users with several steps designed to mitigate and prevent further unauthorized access. These steps include resetting WordPress database passwords, changing WordPress salts, updating API keys stored in the wp-config.php file, and updating SSH passwords and keys. Customers requiring additional support can submit support tickets via the iThemes Help Desk. Image credit: Justin Morgan