Solved Instance hacked, inserting 100s of posts
-
I have cloned backups of the site to do some digging on in case anyone is interested how this could happen.
Seemingly a path was found to inject posts directly into the database.
Bad plugin?
What do you think @Lonk ?
-
@robi Could well be - also could be something underlying in their sanitizing. I've had a few instances getting absolutely hammered from Germany on contact forms, mostly getting blocked by recaptcha but ended up being more of a DOS for the resources they threw at it. Could be the same thing, might not be, but I've cut them off early and low in the stack, so logging/etc. is pretty minimal at this point since the firewall is dropping them. FWIW, the contact forms are Caldera - not sure if that's in common or not, but that's a pretty broad attack surface to start from if so.
-
doesn't appear to be from contact forms.
looking at SimpleHistory plugin logs, someone managed to create an account called
wordcamp
and shortly after managed to start posting articles asadmin
without ever logging in. -
Could it be the admin password got leaked somehow or if you have used it in other sites? https://haveibeenpwned.com/ is a good place to check for this.
-
@girish admin account never logged in, so unlikely.
-
-
@robi said in Instance hacked, inserting 100s of posts:
admin account never logged in
Is it still then the default "changeme" password? Even if not logged in via GUI they mostly use the REST-API.
-
@imc67 said in Instance hacked, inserting 100s of posts:
@robi said in Instance hacked, inserting 100s of posts:
admin account never logged in
Is it still then the default "changeme" password? Even if not logged in via GUI they mostly use the REST-API.
After unblocking the admin account and attempting to log in, that's exactly what happened. How embarrassing.
That tells me the flaw that happened in creating this site.
Thank you!
-
@robi So they use REST-API?
-
@p44 apparently so.