Cloudron Forum


Instance hacked, inserting 100s of posts

Solved | WordPress (Managed)
10 Posts, 6 Posters, 378 Views
#1 robi wrote:

    I have cloned backups of the site to do some digging on in case anyone is interested how this could happen.

    Seemingly a path was found to inject posts directly into the database.

    Bad plugin?

    What do you think @Lonk ?

    Life of sky tech

    Votes: 0
#2 jimcavoli (App Dev) wrote:

    @robi Could well be - also could be something underlying in their sanitizing. I've had a few instances getting absolutely hammered from Germany on contact forms, mostly getting blocked by recaptcha but ended up being more of a DOS for the resources they threw at it. Could be the same thing, might not be, but I've cut them off early and low in the stack, so logging/etc. is pretty minimal at this point since the firewall is dropping them. FWIW, the contact forms are Caldera - not sure if that's in common or not, but that's a pretty broad attack surface to start from if so.

    Votes: 0
#3 robi wrote:

    Doesn't appear to be from contact forms.

    Looking at the SimpleHistory plugin logs, someone managed to create an account called wordcamp and shortly after managed to start posting articles as admin without ever logging in.

    Life of sky tech

    Votes: 0
#4 girish (Staff) wrote:

    Could it be the admin password got leaked somehow or if you have used it in other sites? https://haveibeenpwned.com/ is a good place to check for this.

    Votes: 0
#5 robi replied to girish:

    @girish admin account never logged in, so unlikely.

    Life of sky tech

    Votes: 0
#6 marcusquinn wrote:

    Some tips here: https://forum.cloudron.io/topic/3779/linode-abuse-dos-attack-originating-from-my-server/10?_=1612060873400

    We're not here for a long time - but we are here for a good time :)
    Jersey/UK
    Work & Ecommerce Advice: https://brandlight.org
    Personal & Software Tips: https://marcusquinn.com

    Votes: 0
#7 imc67 (translator) replied to robi:

    @robi said in Instance hacked, inserting 100s of posts:

    admin account never logged in

    Is it then still the default "changeme" password? Even if not logged in via the GUI, they mostly use the REST API.

    Votes: 2
#8 robi replied to imc67:

    @imc67 said in Instance hacked, inserting 100s of posts:

    @robi said in Instance hacked, inserting 100s of posts:

    admin account never logged in

    Is it then still the default "changeme" password? Even if not logged in via the GUI, they mostly use the REST API.

    After unblocking the admin account and attempting to log in, that's exactly what happened. How embarrassing. 😊

    That tells me the flaw that happened in creating this site.

    Thank you!

    Life of sky tech

    Votes: 3
#9 p44 (translator) replied to robi:

    @robi So they use the REST API?

    Votes: 0
#10 robi replied to p44:

    @p44 apparently so.

    Life of sky tech

    Votes: 1
