FormCraft v1.4.6 under attack

Labs Note

As we clean many sites infected by the VisitorTracker malware, we see vulnerabilities in multiple plugins being exploited by attackers.

For example, my colleagues John Castro and Marc-Alexandre Montpas analyzed many sites where hackers exploited a rather old version, 1.4.6, of the FormCraft premium plugin (the current version is 3.2.4). FormCraft 1.4.6 contains a file upload script that is not protected in any way, which makes it really easy for an attacker to upload backdoors to vulnerable sites.

And here are log entries that show how this vulnerability is being exploited in the wild:

92.63.87.87 - - [24/Sep/2015:04:56:20 -0400] "POST /wp-content/plugins/formcraft/file-upload/server/php/index.php HTTP/1.1" 200 180 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"
92.63.87.87 - - [24/Sep/2015:04:56:21 -0400] "POST /wp-content/plugins/formcraft/file-upload/server/php/index.php HTTP/1.1" 200 198 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"
92.63.87.61 - - [25/Sep/2015:10:43:50 -0400] "POST /wp-content/plugins/formcraft/file-upload/server/php/index.php HTTP/1.1" 200 184 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"
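As an added example (not part of the original note), here is a small Python scanner that parses combined-format access-log lines like the ones above, flags POST requests aimed at the FormCraft upload script, counts attempts per source IP, and separates requests the server answered with 200 (script present and reachable) from the rest. The sample input embeds the three lines from this note plus two constructed lines: a benign login-page hit and a POST to the script on a site where it no longer exists.

```python
import re
from collections import Counter

# Apache-style "combined" access-log format, matching the lines quoted in the note.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Path of the unprotected upload script in FormCraft 1.4.6 (taken from the note).
UPLOAD_SCRIPT = "/wp-content/plugins/formcraft/file-upload/server/php/index.php"

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_upload_post(entry):
    """True for any POST aimed at the FormCraft upload script, ignoring query string and case."""
    path = entry["path"].split("?", 1)[0].lower()
    return entry["method"] == "POST" and path == UPLOAD_SCRIPT

def scan(lines):
    """Return (attempts, attempts_per_ip, reachable), where reachable counts HTTP 200 answers,
    i.e. the script was present and served the request rather than being blocked or missing."""
    attempts = [e for e in map(parse_line, lines) if e and is_upload_post(e)]
    per_ip = Counter(e["ip"] for e in attempts)
    reachable = sum(1 for e in attempts if e["status"] == "200")
    return attempts, per_ip, reachable

# Sample input: the three lines quoted in the note, plus two constructed lines
# (a normal login-page hit, and a POST to the script on a site where it was removed).
SAMPLE_LOG = [
    '92.63.87.87 - - [24/Sep/2015:04:56:20 -0400] "POST /wp-content/plugins/formcraft/file-upload/server/php/index.php HTTP/1.1" 200 180 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"',
    '92.63.87.87 - - [24/Sep/2015:04:56:21 -0400] "POST /wp-content/plugins/formcraft/file-upload/server/php/index.php HTTP/1.1" 200 198 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"',
    '92.63.87.61 - - [25/Sep/2015:10:43:50 -0400] "POST /wp-content/plugins/formcraft/file-upload/server/php/index.php HTTP/1.1" 200 184 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"',
    '10.0.0.5 - - [24/Sep/2015:05:00:00 -0400] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Sep/2015:01:02:03 -0400] "POST /wp-content/plugins/formcraft/file-upload/server/php/index.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    attempts, per_ip, reachable = scan(SAMPLE_LOG)
    for e in attempts:
        print(f"{e['ts']}  {e['ip']:<15} POST {e['path']} -> {e['status']}")
    print(f"{len(attempts)} upload attempts from {len(per_ip)} IPs, {reachable} answered 200")
```

To run it against a real server, replace SAMPLE_LOG with the lines read from the access log; a non-zero reachable count on a site that still ships FormCraft 1.4.6 means the upload script was serving requests and the uploads directory should be checked for dropped files.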

Remember, both free and premium plugins and themes should always be kept up to date. If you can’t update some software, you should remove it from your server. Alternatively, consider the virtual patching provided by Website Firewalls.
