Recently my site was successfully attacked so it redirected incoming users to some external, potentially malicious site. 🙁
Until I figure out the point of entry I disabled some outdated plugins, which means some things might not look as nice as before or don’t work at all. The WP content is of course still available.
I will post updates here for anything I find out about the attack. It appears to be some kind of SQL injection. In most, if not all, posts a <script> tag was injected, which redirects to ns1.bullgoesdown.com. It shows a fake “Human user verification” site, sometimes even with a reCaptcha logo.
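To find which posts carry an injected redirect like the one described above, the content of every post can be scanned for <script> tags that either load from or send the visitor to a host the site does not own. The following is an added example, not code from this post or from WordPress; the trusted host list, the sample post contents and the post ids are constructed for illustration (the redirect domain is the one named above).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately serves scripts from (assumption for this example).
TRUSTED_HOSTS = {"example-blog.test", "www.example-blog.test"}

# Inline JavaScript that navigates the browser to an absolute URL, e.g.
#   window.location.href = "https://..."   or   location.replace("https://...")
_REDIRECT_RE = re.compile(
    r"location(?:\.href)?\s*(?:=|\.replace\s*\(|\.assign\s*\()\s*[\"']?(https?://[^\"'\)\s]+)",
    re.IGNORECASE,
)


class _ScriptCollector(HTMLParser):
    """Collect every <script> tag's src attribute and inline body from post HTML."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # list of {"src": str | None, "body": str}
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append({"src": dict(attrs).get("src"), "body": ""})
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._in_script and self.scripts:
            self.scripts[-1]["body"] += data


def find_injected_scripts(post_html):
    """Return [(kind, host), ...] for scripts that load from or redirect to an
    untrusted host. kind is "external_src" or "redirect"."""
    parser = _ScriptCollector()
    parser.feed(post_html)
    findings = []
    for script in parser.scripts:
        if script["src"]:
            host = urlparse(script["src"]).hostname
            if host and host not in TRUSTED_HOSTS:
                findings.append(("external_src", host))
        for match in _REDIRECT_RE.finditer(script["body"]):
            host = urlparse(match.group(1)).hostname
            if host and host not in TRUSTED_HOSTS:
                findings.append(("redirect", host))
    return findings


def scan_posts(posts):
    """posts: iterable of (post_id, post_content), e.g. rows from wp_posts.
    Returns {post_id: findings} for every post with a suspicious script."""
    result = {}
    for post_id, content in posts:
        findings = find_injected_scripts(content)
        if findings:
            result[post_id] = findings
    return result


# Constructed sample rows standing in for wp_posts (post_id, post_content).
SAMPLE_POSTS = [
    (1, "<p>Hello world</p>"
        "<script src='https://www.example-blog.test/js/theme.js'></script>"),
    (2, "<p>An older post</p>"
        "<script>window.location.href = \"https://ns1.bullgoesdown.com/?r=1\";</script>"),
    (3, "<p>A clean post with no scripts</p>"),
]

if __name__ == "__main__":
    for post_id, findings in scan_posts(SAMPLE_POSTS).items():
        print(f"post {post_id}: {findings}")
```

In practice the rows would come from a `SELECT ID, post_content FROM wp_posts` query; the scanner flags post 2 and leaves the theme script in post 1 alone because its host is trusted.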
2019-09-22 – 13:14
It appears the xmlrpc.php file was used for the attack. The access log revealed a lot of POST requests on this file and I don’t use the RPC interface. There’s also a lot of activity on the wp-login.php, but this is probably just brute-force password guessing.
I still don’t know which plugin, if any, was used for the attack, though.
For now I completely disabled the xmlrpc interface.
After a while of testing multiple plugin configurations and waiting to see if the site gets hacked again, things are pointing towards the Contact Form 7 plugin being abused (not sure though). There were a few GET requests in the server logs which tried to inject some code but they didn’t match the affected SQL entries. So I guess they were just regular scans/attempts etc. The only URL getting a lot of POST traffic was the contact form, hence it seems plausible at this moment. We’ll see…
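The two log observations above (POST floods on xmlrpc.php and wp-login.php, then the contact form standing out as the only other URL with heavy POST traffic) are the kind of thing a small access-log tally makes visible at a glance. The following is an added example, not code from this post; it parses the common Apache/nginx "combined" log format and counts POST requests per path and per source address. The log lines, IP addresses and the `/contact/` path are constructed for illustration.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format:
# <ip> <ident> <user> [<timestamp>] "<method> <path> <proto>" <status> <size> "<referer>" "<ua>"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    match = _LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def post_summary(lines, watch=("/xmlrpc.php", "/wp-login.php")):
    """Tally POST requests.

    Returns (per_path, per_ip):
      per_path -- Counter of POST requests by path
      per_ip   -- Counter of POST requests by (ip, path) for the watched paths,
                  which shows whether the traffic comes from a few sources or many.
    """
    per_path = Counter()
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        per_path[rec["path"]] += 1
        if rec["path"] in watch:
            per_ip[(rec["ip"], rec["path"])] += 1
    return per_path, per_ip


# Constructed sample log lines (addresses from the documentation ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [22/Sep/2019:12:58:01 +0200] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Sep/2019:12:58:02 +0200] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Sep/2019:12:59:10 +0200] "POST /wp-login.php HTTP/1.1" 200 1220 "-" "curl/7.64"
192.0.2.9 - - [22/Sep/2019:13:00:00 +0200] "GET /2019/09/hello-world/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.9 - - [22/Sep/2019:13:01:00 +0200] "POST /contact/ HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.9 - - [22/Sep/2019:13:02:00 +0200] "POST /contact/?step=2 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    per_path, per_ip = post_summary(SAMPLE_LOG.splitlines())
    print("POST requests per path:")
    for path, count in per_path.most_common():
        print(f"  {count:6d}  {path}")
    print("POST requests per source on watched paths:")
    for (ip, path), count in per_ip.most_common():
        print(f"  {count:6d}  {ip} -> {path}")
```

Run against a real log with `post_summary(open("access.log"))`; the per-source tally is what separates a single noisy scanner (one address, thousands of POSTs) from a distributed brute-force run (many addresses, a few POSTs each), which matters for deciding whether blocking addresses or disabling the endpoint is the better response.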
It took me a while to look into the log files. There have been numerous attack attempts but none matched the intrusion / SQL modification I observed. It appears that the SQL database was accessed directly to insert the malicious redirects. I set up a fresh one with new passwords and usernames and the attack has stopped since.
So, in summary, I cannot identify the actual source of intrusion. Possibly some old vulnerability allowed the attacker to retrieve the WordPress configuration file.
Emoji from https://emojipedia.org/emojipedia/.