- Plesk Onyx for Linux
- WordPress Duplicator plugin with version < 1.2.42 is installed on the site
- Overall server performance is slow.
- There are suspicious processes running on the server (for example bash scripts via PHP):
# ps auxf
jdoe 15335 2.1 0.0 420936 25684 ? S 19:08 0:09 | \_ /opt/plesk/php/5.6/bin/php-cgi -c /var/www/vhosts/system/example.com/etc/php.ini
jdoe 25321 0.0 0.0 13684 1288 ? S 19:13 0:00 | | \_ sh -c find / -type f -name "*" | xargs grep -rl "<head"
jdoe 25322 0.4 0.0 18664 1220 ? S 19:13 0:00 | | \_ find / -type f -name *
jdoe 25323 0.0 0.0 6664 832 ? S 19:13 0:00 | | \_ xargs grep -rl <head
jdoe 27863 98.2 19.7 8399840 5662416 ? R 19:14 0:27 | | \_ grep -rl <head /proc/22334/mem /proc/22334/mounts /proc/22334/mountinfo /proc/22334/mountstats /proc/22334/clear_refs /proc/22334/smaps /proc/22334/page
- example.com from the process tree above is a WordPress site, and a wp-crawl.php file can be found in its document root:
# ls -lt /var/www/vhosts/example.com/httpdocs/
-rw-r--r-- 1 jdoe psacln 125 Sep 6 18:45 wp-crawl.php
Note: The script may contain any kind of malicious code; the find/xargs/grep pipeline shown above is only one possible example.
The WordPress website was compromised through a vulnerability in the Duplicator plugin (versions before 1.2.42): after a site has been restored with the plugin, the installer.php and installer-backup.php files it leaves behind can be reused after the restoration to inject malicious PHP code into wp-config.php. An attacker can therefore abuse these scripts to execute arbitrary code on the server and take it over.
To resolve the immediate issue, kill the suspicious processes. To fix the root cause, update the Duplicator plugin to version 1.2.42 or newer and remove the malware files together with the leftover installer.php and installer-backup.php files. For that:
- Log in to Plesk.
- Navigate to Domains > example.com > WordPress.
- Click on Plugins under affected instance, find Duplicator and update it.
- Navigate to Domains > example.com > File Manager and remove the malware files identified above (wp-crawl.php in this example).
- Then find and remove the installer.php and installer-backup.php files. They should be located in
- After that go to Tools & Settings > Services Management and restart Apache.
- If restarting Apache in the previous step is not an option, log in to the server via SSH and kill all remaining suspicious processes.
Note: In order to update this plugin for all WordPress sites at once, navigate to Plesk > WordPress, click on Plugins, find Duplicator and update it.
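The SSH side of the procedure above (finding leftover installer files, spotting recently dropped PHP files, and killing shell commands spawned from PHP) can be scripted. The following is an added example written for this article; it is not Plesk or Duplicator code. It assumes the Plesk layout /var/www/vhosts/<domain>/httpdocs with the system directory under /var/www/vhosts/system, and that the malware launches its commands (sh -c, find, xargs, grep) as children of a php-cgi process, as in the ps output shown in the symptoms. The process snapshot embedded in the script is constructed to mirror that output; the function names are this example's own.

```shell
#!/bin/sh
# Added triage example; not part of the Plesk article or of Plesk/Duplicator.
# Assumptions: the Plesk vhosts layout /var/www/vhosts/<domain>/httpdocs, and
# that the malicious PHP spawns shell children (sh/find/xargs/grep) under a
# php-cgi process, as in the ps output of the article.

VHOSTS_ROOT="${VHOSTS_ROOT:-/var/www/vhosts}"

# Leftover Duplicator installer files: these are the entry point of the
# vulnerability and must be deleted from every site.
find_installer_leftovers() {
    find "$1" -type f \( -name installer.php -o -name installer-backup.php \) 2>/dev/null
}

# PHP files changed in the last N days (default 7) outside the Plesk
# "system" directory; a fresh file in a document root (like wp-crawl.php)
# is worth inspecting.
recent_php_files() {
    find "$1" -path "$1/system" -prune -o \
        -type f -name '*.php' -mtime "-${2:-7}" -print 2>/dev/null
}

# Take a snapshot of the process table in a fixed column layout so that
# the analysis below does not depend on the width of `ps auxf`.
snapshot_processes() {
    ps -eo pid,ppid,user,args > "$1"
}

# Print the PIDs of sh -c/find/xargs/grep commands whose ancestry contains
# a php-cgi process, i.e. shell commands launched from PHP. Input: a file in
# the "pid ppid user args" layout written by snapshot_processes.
suspicious_pids() {
    awk '
        $1 !~ /^[0-9]+$/ { next }            # skip the header line
        {
            parent[$1] = $2
            cmd = $4
            for (i = 5; i <= NF; i++) cmd = cmd " " $i
            args[$1] = cmd
        }
        END {
            for (p in args) {
                if (args[p] !~ /^(sh -c |find |xargs |grep )/) continue
                q = p; found = 0
                while (q in parent) {
                    q = parent[q]
                    if ((q in args) && args[q] ~ /php-cgi/) { found = 1; break }
                }
                if (found) print p
            }
        }' "$1" | sort -n
}

# Kill everything suspicious_pids reports for the given snapshot file.
kill_suspicious() {
    for pid in $(suspicious_pids "$1"); do
        kill -9 "$pid" 2>/dev/null && echo "killed $pid"
    done
}

# Constructed sample snapshot mirroring the article's process tree (the
# last line is a legitimate find run by the user, not from php-cgi).
write_sample_snapshot() {
    cat > "$1" <<'EOF'
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
22334     1 root     /usr/sbin/httpd -k start
15335 22334 jdoe     /opt/plesk/php/5.6/bin/php-cgi -c /var/www/vhosts/system/example.com/etc/php.ini
25321 15335 jdoe     sh -c find / -type f -name "*" | xargs grep -rl "<head"
25322 25321 jdoe     find / -type f -name *
25323 25321 jdoe     xargs grep -rl <head
27863 25323 jdoe     grep -rl <head /proc/22334/mem /proc/22334/mounts
30001     1 jdoe     find /home/jdoe -name notes.txt
EOF
}

# Full run on a live server (this kills processes): PLESK_TRIAGE_RUN=1 sh triage.sh
if [ "${PLESK_TRIAGE_RUN:-0}" = "1" ]; then
    snap=$(mktemp)
    snapshot_processes "$snap"
    echo "== leftover installer files"; find_installer_leftovers "$VHOSTS_ROOT"
    echo "== PHP files changed in the last 7 days"; recent_php_files "$VHOSTS_ROOT"
    echo "== shell commands spawned from php-cgi"; kill_suspicious "$snap"
    rm -f "$snap"
fi
```

On the constructed snapshot, suspicious_pids reports 25321, 25322, 25323 and 27863 (the sh -c pipeline and its children under php-cgi) and leaves the user's own find (PID 30001, parent init) alone. Run recent_php_files before deleting anything so that the list of dropped files is recorded for the incident notes; killing the processes only buys time until the installer files and the plugin update are dealt with.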