Site in rudimentary mode

Recently my site was successfully attacked so it redirected incoming users to some external, potentially malicious site. 🙁
Until I figure out the point of entry I disabled some outdated plugins, which means some things might not look as nice as before or don’t work at all. The WP content is of course still available.

I will post updates here for anything I find out about the attack. It appears to be some kind of SQL injection. In most, if not all posts a <script> tag was injected, which redirects to ns1.bullgoesdown.com. It shows a fake “Human user verification” site, sometimes even with a reCaptcha logo.

Updates

2019-09-22 – 13:14

It appears the xmlrpc.php file was used for the attack. The access log revealed a lot of POST requests on this file and I don’t use the RPC interface. There’s also a lot of activity on the wp-login.php, but this is probably just a brute force password guessing.
I still don’t know which plugin, if any, was used for the attack, though.

For now I completely disabled the xmlrpc interface.

2019-10-06

After a while of testing multiple plugin configurations and waiting if the site get’s hacked again things are pointing towards the Contact Form 7 plugin being abused (not sure though). There were a few GET requests in the server logs which tried to inject some code but they didn’t match the affected SQL entries. So I guess they were just regular scans/attempts etc. The only URL getting a lot of POST traffic was the contact form, hence it seems plausible at this moment. We’ll see…

Credits

Emoji from https://emojipedia.org/emojipedia/.

Leave a Reply