September plague on WordPress: lowerbeforwarden

Jeremie A
Sep 9, 2020

Since the beginning of September 2020, I have noticed an increase in attacks on WordPress, including a new redirection campaign using a specific domain: lowerbeforwarden.ml.

TL;DR — How to fix my site and avoid intrusions

From what I have observed, the initial intrusion is automated, but once access is obtained some files appear to be modified by hand by the intruders to keep persistent access.

If your site has been attacked, it is essential to run a thorough scan of its files (with the WordFence or WPCerber plugin, for example) to verify their integrity.

Pay particular attention to the themes' headers.php files, in which I found malicious code; if it is an option, reinstall your plugin and theme files whenever in doubt.

The main plugin targeted by this attack (responsible for several million intrusions) is WP File Manager, in which a vulnerability was discovered in the file /wp-file-manager/lib/php/connector.minimal.php.

Once your site is cleaned (or if it has not suffered any intrusion), you can block the bots trying to exploit this vulnerability by adding this file to the exclusion list of the firewall of the security plugin used on your site (WordFence, for example)!

If you use the WP File Manager plugin, it is imperative to update it to version 6.9, which is supposed to fix the problem, or at least to delete the exploitable file.

Another recommendation: to block the majority of bots that will scan your site, you can move your wp-login.php page (a dedicated plugin can do this) and add the wp-login.php file to the exclusion list of your firewall!

What do we know about the attack?

The attacks started shortly after the discovery of the vulnerability in the WP File Manager plugin, which allows uploading files to the server without being authenticated.

Be careful though: the bot tries several other vulnerabilities in addition to this one, so keep your plugins and WordPress core up to date!

The targets of these attacks are recognizable thanks to the domain used by the attackers: lowerbeforwarden.ml.

This domain was bought in India by a person whose information is available in the WHOIS database.

It is relatively rare for the domain name information used in such a large-scale attack not to be anonymized: a name, an address and a telephone number can be found.

Beware, however: it is possible that this domain has been compromised and is being used fraudulently, so the owner of this domain may not be linked to the intrusions for which it is used!

The domain apexscore.com redirects to a cPanel on which no site is installed.
Several sub-domains linked to lowerbeforwarden.com (at least those I encountered) are used to host code containing redirects.


The scripts injected on the compromised WordPress sites redirect to a spam campaign on trendopportunityfollow.ga and vildq.com, followed by looping redirects to ads; it is likely that (as in many other CMS attack campaigns) the goal is to generate revenue from visits to these ad pages.

Warning: on many exploited sites, the scripts were injected incorrectly into the pages (because the characters < and >, or others, were encoded), so the pages contain the script as plain text. You can find them on Google by searching for “temp.lowerbeforwarden.ml/temp.js”.
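A file scan of the kind recommended above, as an added example (not the author's tooling): it walks a WordPress install for references to the domains named in this article, first undoing the HTML-entity and escaped-slash encodings that leave the injected tag in plain text, and it checks whether the WP File Manager connector file is still present. The connector path under wp-content/plugins is an assumption, and the sample strings are constructed.

```python
import html
import re
from pathlib import Path
from urllib.parse import unquote

# Domains named in the article: the script host and the two redirect targets.
IOC_DOMAINS = ("lowerbeforwarden.ml", "trendopportunityfollow.ga", "vildq.com")
# File types worth scanning in a WordPress install.
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}
# Assumed location of the exploitable WP File Manager file under the site root.
CONNECTOR_PATH = "wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"

# Constructed samples: a clean theme header, a working injection, and the
# entity-mangled plain-text variant the article says is common.
SAMPLE_CLEAN = '<script src="https://example.com/theme.js"></script>'
SAMPLE_INJECTED = '<script src="https://temp.lowerbeforwarden.ml/temp.js"></script>'
SAMPLE_ENCODED = "&lt;script src=&quot;https:\\/\\/temp.lowerbeforwarden.ml\\/temp.js&quot;&gt;"

def normalize(content: str) -> str:
    """Undo the encodings that hide an injected tag from a naive grep."""
    text = html.unescape(content)    # &lt;script&gt; -> <script>
    text = unquote(text)             # %2F -> /
    text = text.replace("\\/", "/")  # JSON-style escaped slashes
    return text.lower()

def find_iocs(content: str) -> list:
    """Return (domain, snippet) pairs for each IoC domain referenced in text."""
    text = normalize(content)
    hits = []
    for domain in IOC_DOMAINS:
        # Matching the registered domain also catches every sub-domain listed
        # in the article (temp., scripts., source., ...).
        for m in re.finditer(re.escape(domain), text):
            hits.append((domain, text[max(0, m.start() - 30):m.end() + 10]))
    return hits

def exploitable_file_present(root) -> bool:
    """True if the WP File Manager connector the bots target is still on disk."""
    return (Path(root) / CONNECTOR_PATH).is_file()

def scan_tree(root) -> dict:
    """Map each file under root that references an IoC domain to its hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = find_iocs(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings
```

Run `scan_tree("/path/to/wordpress")` and `exploitable_file_present("/path/to/wordpress")` against a site root; a non-empty result or a True means the site still needs cleaning.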

You can help!

You can help stop this attack by contacting INWX (the domain name registrar) and notifying them of the use of the domain name at https://www.inwx.com/en/aboutus/abuse. If the domain becomes inactive, a large number of sites will no longer be able to load the scripts containing the malicious redirects!

Recommendations and support

Given the increase in these attacks, I recommend extreme vigilance regarding the version of plugins you use and the configuration of your WordPress sites.

Also consider rotating all site administrators’ passwords and enabling 2FA if you have any doubt about an intrusion.
If you need support following an intrusion, you can contact me on fenrir.pro.
