totall not pwnd bro....:O

No explicit questions like "how do I hack xxx.com" please!
Post Reply
User avatar
bad_brain
Site Owner
Site Owner
Posts: 11621
Joined: 06 Apr 2005, 16:00
17
Location: In your eye floaters.
Contact:

totall not pwnd bro....:O

Post by bad_brain »

client site on AWS Lightsail, standard Wordpress install. curious if the server instance was rooted...

Image
Image

User avatar
ayu
Staff
Staff
Posts: 8098
Joined: 27 Aug 2005, 16:00
16
Contact:

Re: totall not pwnd bro....:O

Post by ayu »

As the kids would say these days. "big ooof bro!" :lol:.

Guess you've got some cleanup to do?
"The best place to hide a tree, is in a forest"

User avatar
bad_brain
Site Owner
Site Owner
Posts: 11621
Joined: 06 Apr 2005, 16:00
17
Location: In your eye floaters.
Contact:

Re: totall not pwnd bro....:O

Post by bad_brain »

ayu wrote:
13 Feb 2022, 07:02
Guess you've got some cleanup to do?
yep! got most of it done, until the site is live and traffic rolls in (right now I access it through HOSTS file) you never know if you found everything.
there were plenty of the usual base64 script crap disguised as .ico, luckily they all used the same unusual name pattern so I could easily find them all by running a search for .*.ico:
https://code.suck-o.com/?c67218b44679ef ... rFG95Bekvx

deleted everything else except for the uploads and replaced it with newly downloaded plugins. I'm sure there's still some crap left in the uploads, but those are hundreds of folders with thousands of images, so I rather let it go live and then check the logs for POST requests....basically I let potential attackers do my work... :lol:
Image

User avatar
ph0bYx
Staff Member
Staff Member
Posts: 2032
Joined: 22 Sep 2008, 16:00
13
Contact:

Re: totall not pwnd bro....:O

Post by ph0bYx »

Good job *thumb*
Do you know how it happened? Probably some wordpress plugin that had a backdoor or was unpatched?

User avatar
bad_brain
Site Owner
Site Owner
Posts: 11621
Joined: 06 Apr 2005, 16:00
17
Location: In your eye floaters.
Contact:

Re: totall not pwnd bro....:O

Post by bad_brain »

ph0bYx wrote:
25 Feb 2022, 04:48
Good job *thumb*
Do you know how it happened? Probably some wordpress plugin that had a backdoor or was unpatched?
hard to say what exactly caused it, the site ran that way for a long time already.....but yeah this might have played a role:
image_uploads.file_upload.814e05fb32a2e1b4.YXJjLmpwZw==.jpg
image_uploads.file_upload.814e05fb32a2e1b4.YXJjLmpwZw==.jpg (20.79 KiB) Viewed 247 times
:-88
Image

Post Reply