SOLVED Instance hacked, inserting 100s of posts
-
I have cloned backups of the site to do some digging on in case anyone is interested how this could happen.
Seemingly a path was found to inject posts directly into the database.
Bad plugin?
What do you think @Lonk ?
-
@robi Could well be - also could be something underlying in their sanitizing. I've had a few instances getting absolutely hammered from Germany on contact forms, mostly getting blocked by recaptcha but ended up being more of a DOS for the resources they threw at it. Could be the same thing, might not be, but I've cut them off early and low in the stack, so logging/etc. is pretty minimal at this point since the firewall is dropping them. FWIW, the contact forms are Caldera - not sure if that's in common or not, but that's a pretty broad attack surface to start from if so.
-
doesn't appear to be from contact forms.
looking at SimpleHistory plugin logs, someone managed to create an account called
wordcampand shortly after managed to start posting articles asadminwithout ever logging in. -
Could it be the admin password got leaked somehow or if you have used it in other sites? https://haveibeenpwned.com/ is a good place to check for this.
-
@girish admin account never logged in, so unlikely.
Life of Gratitude.
Large NVMe SSD Nodes -
-
@robi said in Instance hacked, inserting 100s of posts:
admin account never logged in
Is it still then the default "changeme" password? Even if not logged in via GUI they mostly use the REST-API.
-
@imc67 said in Instance hacked, inserting 100s of posts:
@robi said in Instance hacked, inserting 100s of posts:
admin account never logged in
Is it still then the default "changeme" password? Even if not logged in via GUI they mostly use the REST-API.
After unblocking the admin account and attempting to log in, that's exactly what happened. How embarrassing.
That tells me the flaw that happened in creating this site.
Thank you!
-
@robi So they use REST-API?
-
@p44 apparently so.
