Cloudron Forum
[Solved] Instance hacked, inserting 100s of posts

    WordPress (Managed)
robi:

      I have cloned backups of the site to do some digging on in case anyone is interested how this could happen.

      Seemingly a path was found to inject posts directly into the database.

      Bad plugin?

      What do you think @Lonk ?

      Life of Advanced Technology

jimcavoli (App Dev):

@robi Could well be - also could be something underlying in their sanitizing. I've had a few instances getting absolutely hammered from Germany on contact forms, mostly getting blocked by reCAPTCHA, but it ended up being more of a DoS for the resources they threw at it. Could be the same thing, might not be, but I've cut them off early and low in the stack, so logging etc. is pretty minimal at this point since the firewall is dropping them. FWIW, the contact forms are Caldera - not sure if that's in common or not, but that's a pretty broad attack surface to start from if so.

robi:

Doesn't appear to be from contact forms.

Looking at the SimpleHistory plugin logs, someone managed to create an account called wordcamp and shortly after managed to start posting articles as admin without ever logging in.


girish (Staff):

Could it be that the admin password got leaked somehow, or that you have used it on other sites? https://haveibeenpwned.com/ is a good place to check for this.

robi @girish:

@girish The admin account never logged in, so unlikely.


marcusquinn:

                Some tips here: https://forum.cloudron.io/topic/3779/linode-abuse-dos-attack-originating-from-my-server/10?_=1612060873400

                We're not here for a long time - but we are here for a good time :)
                Jersey/UK
                Work & Ecommerce Advice: https://brandlight.org
                Personal & Software Tips: https://marcusquinn.com

imc67 (translator) @robi:

                  @robi said in Instance hacked, inserting 100s of posts:

                  admin account never logged in

Is it then still the default "changeme" password? Even if not logged in via the GUI, they mostly use the REST API.

robi @imc67:

                    @imc67 said in Instance hacked, inserting 100s of posts:

                    @robi said in Instance hacked, inserting 100s of posts:

                    admin account never logged in

Is it then still the default "changeme" password? Even if not logged in via the GUI, they mostly use the REST API.

                    After unblocking the admin account and attempting to log in, that's exactly what happened. How embarrassing. 😊

                    That tells me the flaw that happened in creating this site.

                    Thank you!


p44 (translator) @robi:

@robi So they use the REST API?

robi @p44:

@p44 Apparently so.


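As an added example (not code from this thread, Cloudron or WordPress), a small Python triage script for the pattern imc67 and robi describe: content and accounts created through the WordPress REST API by a client that never went through the wp-login.php form. It parses constructed combined-format access-log lines (sample data, not anyone's real logs) and assumes the default /wp-json/wp/v2/ route prefix.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not real traffic.
# 203.0.113.7 creates a user and two posts via REST with no GUI login;
# 198.51.100.2 logs in through wp-login.php first (block editor saves posts via REST too).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jan/2021:10:01:02 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 512 "-" "python-requests/2.25.1"
203.0.113.7 - - [30/Jan/2021:10:01:05 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 201 2048 "-" "python-requests/2.25.1"
203.0.113.7 - - [30/Jan/2021:10:01:06 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 201 2011 "-" "python-requests/2.25.1"
198.51.100.2 - - [30/Jan/2021:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php" "Mozilla/5.0"
198.51.100.2 - - [30/Jan/2021:10:05:30 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 201 1900 "https://example.test/wp-admin/post-new.php" "Mozilla/5.0"
192.0.2.9 - - [30/Jan/2021:10:06:00 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
# REST routes that create or modify content/accounts (assumed default route prefix).
REST_WRITE = re.compile(r'^/wp-json/wp/v2/(posts|users|pages)(/\d+)?(\?|$)')
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_rest_writes_without_login(log_text):
    """Return {ip: [(path, status), ...]} for clients that successfully (2xx)
    wrote through the REST API and never POSTed to wp-login.php in this window.
    Clients that did log in are dropped: the block editor legitimately saves via REST."""
    writes = defaultdict(list)
    logged_in = set()
    for line in log_text.splitlines():
        r = parse(line)
        if not r:
            continue
        if r["method"] == "POST" and r["path"].startswith("/wp-login.php"):
            logged_in.add(r["ip"])
        elif (r["method"] in WRITE_METHODS and REST_WRITE.match(r["path"])
              and r["status"].startswith("2")):
            writes[r["ip"]].append((r["path"], r["status"]))
    return {ip: w for ip, w in writes.items() if ip not in logged_in}


if __name__ == "__main__":
    for ip, events in find_rest_writes_without_login(SAMPLE_LOG).items():
        print(ip, "REST writes without GUI login:", events)
```

A hit here is a lead, not proof: REST writes with HTTP Basic or Application Password credentials are legitimate for some integrations, so confirm against the plugin activity log (SimpleHistory in this thread) before acting.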