New hack with file “temp-crawl.php”

  • niagarafish

    (@niagarafish)


    7 years, 6 months ago

    Notification of possibly new hack/malware:

    Today our site “rebooted” to showing the install page.

    In the wordpress root directory a new file appeared, “temp-crawl.php” with code:

    [ Please don’t post hacking code. Thanks.]

    This appears to take the contents of supplied URL parameter ‘q’, write them to a new file “tempcrawl”, execute that file, then delete the file.

    I deleted temp-crawl.php but don’t know where the vulnerability was.

    Currently there are zero google search results for “temp-crawl.php” so this might be something new(?)

    • This topic was modified 7 years, 6 months ago by t-p.
Viewing 14 replies - 1 through 14 (of 14 total)
  • Moderator t-p

    (@t-p)

    7 years, 6 months ago

    Carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Off hand, couple of names that come to mind are Sucuri and Wordfence.

    dennishermannsen

    (@dennishermannsen)

    7 years, 6 months ago

    We have a around 10 customers that experience the same thing. All of them noticed within the last few hours.

    This one is ugly.

    quttera

    (@quttera)

    7 years, 6 months ago

    Try to investigate website access log to locate IP used to access temp-crawl.php.

    Investigation of all previous HTTP requests from this IP may point on initially exploited file or vulnerability allowed drop of this code.

    dennishermannsen

    (@dennishermannsen)

    7 years, 6 months ago

    It’s duplicator: https://db.threatpress.com/vulnerability/duplicator/wordpress-duplicator-plugin-1-2-40-arbitrary-code-execution-vulnerability

    te_taipo

    (@te_taipo)

    7 years, 6 months ago

    @quttera Can you list what 3rd party plugins you are using?

    jillctc11

    (@jillctc11)

    7 years, 6 months ago

    I just dealt with this… The wp-config file was renamed bad.wp-config, I renamed and accessed it. The database settings were changed and the DB name and password now ended in “FCK”, and the . There were a couple of files (wp-crawl.php and wp-crawl.php.1 and installer.log.txt and wp-snapshots) that appeared this morning at 8:52 am. Cleaned out the site, reset the users, changed the salt keys, etc…

    quttera

    (@quttera)

    7 years, 6 months ago

    @te_taipo here is the list of plugins we are using on our setups.

    These are not live websites and mostly used for exploits verification and tests/regression of our security plugin (quttera-web-malware-scanner).
    Not sure how this list will be useful… But here you go:

    ajax-search-lite
    akismet
    all-in-one-seo-pack
    bbpress
    buddypress
    contact-form-7
    duplicator
    google-analytics-dashboard-for-wp
    google-analytics-for-wordpress
    jetpack
    ml-slider
    quttera-web-malware-scanner
    regenerate-thumbnails
    simple-social-buttons
    theme-check
    updraftplus
    w3-total-cache
    woocommerce
    wp-crontrol
    wp-slimstat
    wp-super-cache
    yeloni-free-exit-popup

    te_taipo

    (@te_taipo)

    7 years, 6 months ago

    It appears that duplicator is the issue. Are all of these plugins the latest versions, in particular duplicator

    Thread Starter niagarafish

    (@niagarafish)

    7 years, 6 months ago

    Thanks @dennishermannsen for suggesting the vulnerability is in the Duplicator plugin.

    I got our site back online by just going through the WP setup wizard steps and using the credentials for the same (existing) database. Setup then said “..already installed..” and the site was public again. That’s only a temporary fix and I’ll do a full reinstall of WP without Duplicator plugin to clean it out.

    Pieter Daalder

    (@wizzard_)

    7 years, 6 months ago

    If you’re not actively using Duplicator, I’d recommend removing it and also removing all files created by it. If you need it in a later stage, you can always reinstall the plugin.

    te_taipo

    (@te_taipo)

    7 years, 6 months ago

    Having a poke around some of the installer code, I tend to agree, its not safe being left on a website.

    calvin_42

    (@calvin_42)

    7 years, 6 months ago

    FYI, same problem happened on my website.

    The php file uploaded in wp-content/uploads was using the script https://pastebin.com/raw/jmxnY3Rk that includes a JS script in all posts via a MySQL query.

    Moderator t-p

    (@t-p)

    7 years, 5 months ago

    @dirac3000,

    Please do not jump into other topics. If the troubleshooting already posted made no difference for you, then, as per the Forum Welcome, please post your own topic.

    Your post has been archived.

    dirac3000

    (@dirac3000)

    7 years, 5 months ago

    I had a similar problem with a friend website. I ended up writing a python script to clean most of the files polluted by the malware. I posted the script on github, in case someone needs it.

Viewing 14 replies - 1 through 14 (of 14 total)

The topic ‘New hack with file “temp-crawl.php”’ is closed to new replies.