Hacking Made Easy
Several years ago, web publishing company Interconnect/IT released a handy tool for finding and replacing text in a website’s database. This tool, a stand-alone file published as searchreplacedb2.php, includes built-in WordPress compatibility that makes working with WordPress databases a breeze.
Unfortunately, it doesn’t include any authentication or security measures, which makes infecting WordPress databases equally easy.
During the last few weeks, our Security Services Team has noticed a spike in infections using this script. The hackers use their botnets to look for the script all over a target site. The following is a sample of log entries searching for this file.
We tracked scans from a set of known malicious IPs over the past two months; the activity is shown in the image to the right.
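Site owners who want to spot these scans in their own logs can do so with a few lines of parsing. The following is an added example (not code from the original post or from Interconnect/IT): it reads Apache/nginx "combined" format access log lines, flags every request whose path ends in searchreplacedb2.php, counts probes per source IP, and raises an alert for any probe that received a 200, since that means a live copy of the script is reachable and should be removed. The log lines and IP addresses are constructed for the example; the log format is an assumption about how the site is configured.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format (assumption: the site logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

TARGET = "searchreplacedb2.php"

# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG = """203.0.113.7 - - [10/May/2012:14:02:11 +0000] "GET /searchreplacedb2.php HTTP/1.1" 404 208 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2012:14:02:12 +0000] "GET /wp-content/searchreplacedb2.php HTTP/1.1" 404 208 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2012:14:02:13 +0000] "GET /wp-admin/searchreplacedb2.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.22 - - [10/May/2012:14:05:40 +0000] "GET /index.php HTTP/1.1" 200 9820 "-" "Mozilla/5.0"
198.51.100.22 - - [10/May/2012:14:05:41 +0000] "GET /wp-login.php HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2012:15:20:03 +0000] "GET /SearchReplaceDB2.php HTTP/1.1" 404 208 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probes(log_text, target=TARGET):
    """Return every parsed request whose path names the search/replace script."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Drop any query string and compare case-insensitively: hosts with
        # case-insensitive filesystems serve the file whatever case is requested.
        path = rec["path"].split("?", 1)[0]
        if path.lower().endswith("/" + target):
            hits.append(rec)
    return hits


def summarize(hits):
    """Per-IP probe counts, plus the probes that got a 200 (a live copy exists)."""
    per_ip = Counter(h["ip"] for h in hits)
    found = [(h["ip"], h["path"]) for h in hits if h["status"] == "200"]
    return per_ip, found


if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    counts, live = summarize(probes)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} probe(s) for {TARGET}")
    for ip, path in live:
        print(f"ALERT: {path} answered 200 to {ip}; a live copy is reachable and should be removed")
```

On the constructed sample this reports three probes from one address, one from another, and a single alert for the copy under wp-admin that answered 200. Run against real logs, a 404 on every probe means the scanners found nothing; any 200 (or 500, which can also indicate the script executed) deserves an immediate look at the document root.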
If they find this file, they use it the same way a website owner would – except in this case, they exploit a website.
We have prepared screenshots of the script in action. It’s a straightforward process using several pages. The first page prompts the user to choose to automatically get the database login information from the WordPress configuration file. Note the warning about removing the script – we’ve omitted it from the rest of the screenshots, but that warning is present on every page.