Wordpress site hacked, but nothing in logs
This isn't a Support request as I've already dealt with it, but I wonder if anyone with experience could shed some light on this.
I'm running a workshop for uni students creating WP sites, and they were asked to not install plugins or themes willy-nilly. One group did. I believe it was WP File Upload. I checked one evening before class and it was fine. By the next morning the site was replaced with a flaming skull carousel saying the site was hacked. Great moment for a life lesson! So I restored to a previous backup and we were up and running in under 5 minutes. Awesome! Second great life lesson. Thanks Cloudron!
However, when I got home to check the logs, I couldn't see anything within the 12 hours. And when I checked the Cloudron File Manager for the WP dev app, I could see that in fact some pesky files were in the /app/data/public folder 4 days ago (they contained obfuscated code and mysql commands, so I think removing files only wouldn't have helped - the site had to be nuked from orbit). So I restored to a backup from before that. Seems fine now, and I've removed that plugin.
But, the logs don't show me activity leading up to this. Do the logs just show Cloudron activity* and not "any and all" activity? Should I be looking somewhere else for pertinent logs?
- Like this:
Apr 02 09:01:01 238:C 02 Apr 2022 07:01:01.103 * RDB: 1 MB of memory used by copy-on-write Apr 02 09:01:01 15:M 02 Apr 2022 07:01:01.105 * Background saving terminated with success Apr 02 09:06:02 15:M 02 Apr 2022 07:06:02.007 * 10 changes in 300 seconds. Saving... Apr 02 09:06:02 15:M 02 Apr 2022 07:06:02.009 * Background saving started by pid 239 Apr 02 09:06:02 239:C 02 Apr 2022 07:06:02.241 * DB saved on disk
There are useful 'audit' plugins for this in WP which record all activity.
You may want to pre-set a template WP instance with all the configs and plugins you need, which you can then clone for students as needed.
Also serves as a fresh source in case the backups are weekly or more.
This also sounds like it was 'hand hacked' manually vs by a script since they found the writable data/ dir.
Could be useful to save a zip of the files you found or that backup snapshot for devs to look at.
@robi Thanks for the suggestions.
It has made me all the more thankful for Cloudron, and how it's made Docker more accessible. I've previously used LAMP for my Wordpress, and only, thankfully, once before had a site hacked. Of course, that led to the whole LAMP setup being compromised. I did have backups then too, which helped, but man, seeing that hack spread through my LAMP was disheartening. I had tried to use Docker, and portainer, and such, but conceptually I just could never get more than 2 apps up and running and connected. I came across Cloudron... and voila, it all works, and the WP sites are all self-contained so that if one is hacked, the whole thing doesn't come crashing to a halt.