Cloudron Forum

Instance hacked, inserting 100s of posts

Category: WordPress (Managed)
10 Posts, 6 Posters, 1.9k Views
robi (#1)

I have cloned backups of the site to do some digging on, in case anyone is interested in how this could happen.

Seemingly a path was found to inject posts directly into the database.

Bad plugin?

What do you think, @Lonk?

Conscious tech
jimcavoli, App Dev (#2)

@robi Could well be - also could be something underlying in their sanitizing. I've had a few instances getting absolutely hammered from Germany on contact forms, mostly getting blocked by recaptcha, but it ended up being more of a DOS for the resources they threw at it. Could be the same thing, might not be, but I've cut them off early and low in the stack, so logging/etc. is pretty minimal at this point since the firewall is dropping them. FWIW, the contact forms are Caldera - not sure if that's in common or not, but that's a pretty broad attack surface to start from if so.
robi (#3)

Doesn't appear to be from contact forms.

Looking at SimpleHistory plugin logs, someone managed to create an account called wordcamp and shortly after managed to start posting articles as admin without ever logging in.
girish, Staff (#4)

Could it be the admin password got leaked somehow, or have you used it on other sites? https://haveibeenpwned.com/ is a good place to check for this.
robi (#5)

@girish admin account never logged in, so unlikely.
marcusquinn (#6)

Some tips here: https://forum.cloudron.io/topic/3779/linode-abuse-dos-attack-originating-from-my-server/10?_=1612060873400

Web Design https://www.evergreen.je
Development https://brandlight.org
Life https://marcusquinn.com
imc67, translator (#7)

@robi said in Instance hacked, inserting 100s of posts:

    admin account never logged in

Is it still then the default "changeme" password? Even if not logged in via GUI, they mostly use the REST-API.
robi (#8)

@imc67 said in Instance hacked, inserting 100s of posts:

    @robi said in Instance hacked, inserting 100s of posts:

        admin account never logged in

    Is it still then the default "changeme" password? Even if not logged in via GUI, they mostly use the REST-API.

After unblocking the admin account and attempting to log in, that's exactly what happened. How embarrassing. 😊

That tells me the flaw that happened in creating this site.

Thank you!
p44, translator (#9)

@robi So they use the REST-API?
robi (#10)

@p44 apparently so.
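A defender-side check for the pattern the thread ends on (an account and a run of posts created through the WordPress REST API by a client that never performed an interactive login, which is what the SimpleHistory entries showed), written as an added example for this thread and not code from the forum, from Cloudron or from WordPress. It scans web-server access logs in the combined format; the log lines, IP addresses and the threshold of 5 are constructed.

```python
import re
from collections import defaultdict

# Combined log format (the nginx/Apache default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
REST_WRITE = re.compile(r"^/wp-json/wp/v2/(users|posts)(\?|$)")  # create on POST
GUI_LOGIN = "/wp-login.php"

# Constructed sample: an editor who logs in through the GUI and publishes once,
# and a scripted client that creates a user and then posts in bulk without
# ever touching wp-login.php (the pattern described in the thread).
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Jan/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [31/Jan/2021:10:05:12 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 201 812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [31/Jan/2021:11:00:00 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 401 97 "-" "python-requests/2.25.1"',
    '203.0.113.9 - - [31/Jan/2021:11:00:02 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 640 "-" "python-requests/2.25.1"',
] + [
    f'203.0.113.9 - - [31/Jan/2021:11:01:{i:02d} +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 201 790 "-" "python-requests/2.25.1"'
    for i in range(6)
]

def parse(lines):
    """Yield parsed records, skipping lines that do not match the format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def rest_writers(lines):
    """Map client IP -> (successful REST user/post creations, did a GUI login)."""
    created = defaultdict(int)
    gui_logins = set()
    for r in parse(lines):
        if r["method"] != "POST":
            continue
        if r["path"].startswith(GUI_LOGIN) and r["status"] == "302":
            gui_logins.add(r["ip"])      # a successful form login redirects
        elif REST_WRITE.match(r["path"]) and r["status"] == "201":
            created[r["ip"]] += 1        # 201 means the object was created
    return {ip: (n, ip in gui_logins) for ip, n in created.items()}

def suspicious(lines, threshold=5):
    """IPs that created >= threshold objects via REST and never logged in."""
    return sorted(ip for ip, (n, gui) in rest_writers(lines).items()
                  if n >= threshold and not gui)
```

Run it against the real access log with `suspicious(open("access.log"))`; a hit is a client worth checking against the SimpleHistory entries and the account's password.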