
totally not pwnd bro....:O
- bad_brain
- Site Owner
Client site on AWS Lightsail, standard WordPress install. Curious if the server instance was rooted...



Re: totally not pwnd bro....:O
As the kids would say these days: "big ooof bro!"
Guess you've got some cleanup to do?

"The best place to hide a tree, is in a forest"
- bad_brain
- Site Owner
Re: totally not pwnd bro....:O
Yep! Got most of it done. Until the site is live and traffic rolls in (right now I access it through the HOSTS file) you never know if you found everything.
There was plenty of the usual base64 script crap disguised as .ico; luckily they all used the same unusual name pattern, so I could easily find them all by running a search for .*.ico:
https://code.suck-o.com/?c67218b44679ef ... rFG95Bekvx
Deleted everything else except for the uploads and replaced it with newly downloaded plugins. I'm sure there's still some crap left in the uploads, but those are hundreds of folders with thousands of images, so I'd rather let it go live and then check the logs for POST requests....basically I let potential attackers do my work...
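A defender's sweep matching what bad_brain describes, written as an added example and not code from the thread or the site: it flags hidden ".<name>.ico" files (and any .ico whose bytes are PHP rather than an icon header) under the WordPress tree, and pulls POST requests aimed at wp-content/uploads out of an access log in combined format. The directory layout, file contents and log lines are constructed fixtures built inside the script; nothing here comes from the compromised site.

```python
"""Post-compromise sweep for a WordPress tree (added example).
1) find .ico files that are really PHP, including the hidden ".<name>.ico" pattern;
2) list POST requests against wp-content/uploads from an access log,
   since a legitimate upload goes through wp-admin, not straight into uploads."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

ICO_MAGIC = b"\x00\x00\x01\x00"           # every genuine .ico starts with this header
HIDDEN_ICO = re.compile(r"^\..*\.ico$")   # the ".<something>.ico" naming pattern from the thread
PHP_MARKERS = (b"<?php", b"base64_decode(", b"eval(", b"gzinflate(")

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_suspicious_ico(path: Path) -> bool:
    """True for a dotfile named *.ico, or any .ico whose bytes look like PHP, not an icon."""
    if path.suffix.lower() != ".ico":
        return False
    if HIDDEN_ICO.match(path.name):
        return True
    head = path.read_bytes()[:4096]
    return not head.startswith(ICO_MAGIC) and any(m in head for m in PHP_MARKERS)


def scan_tree(root: Path) -> list[str]:
    """Relative paths of suspicious .ico files under root, sorted for stable output.
    pathlib's glob matches dotfiles, unlike a shell '*' glob."""
    return sorted(
        str(p.relative_to(root))
        for p in root.rglob("*.ico")
        if p.is_file() and is_suspicious_ico(p)
    )


def upload_posts(lines) -> list[tuple[str, str, int]]:
    """(ip, path, status) for each POST whose path lies under wp-content/uploads."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]      # ignore any query string
        if "/wp-content/uploads/" in path:
            hits.append((m["ip"], path, int(m["status"])))
    return hits


def build_sample_tree(root: Path) -> None:
    """Constructed fixture: one real icon, one hidden .ico holding PHP, one PHP file named .ico."""
    up = root / "wp-content" / "uploads"
    (up / "2022" / "08").mkdir(parents=True)
    (up / "2021" / "03").mkdir(parents=True)
    (up / "2022" / "08" / "favicon.ico").write_bytes(ICO_MAGIC + b"\x01\x00" + b"\x00" * 14)
    (up / "2021" / "03" / ".cache.ico").write_bytes(b"<?php echo base64_decode('aGVsbG8='); ?>")
    (up / "2022" / "08" / "thumb.ico").write_bytes(b"<?php /* constructed marker */ ?>")


# Constructed access-log lines (documentation IP ranges), not from the real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2023:10:01:02 +0000] "GET /wp-content/uploads/2022/08/logo.png HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2023:10:02:15 +0000] "POST /wp-content/uploads/2021/03/.cache.ico HTTP/1.1" 200 88 "-" "python-requests/2.28"',
    '198.51.100.7 - - [10/Mar/2023:10:02:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2023:10:03:01 +0000] "POST /wp-content/uploads/2020/11/wp-cache.php HTTP/1.1" 404 0 "-" "curl/7.88"',
]


def main() -> tuple[list[str], list[tuple[str, str, int]]]:
    """Run both checks against the constructed fixtures and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        files = scan_tree(root)
    posts = upload_posts(SAMPLE_LOG)
    for f in files:
        print("suspicious file:", f)
    for ip, path, status in posts:
        print(f"POST from {ip} -> {path} ({status})")
    return files, posts


if __name__ == "__main__":
    main()
```

On a real box, point scan_tree at the site root and feed upload_posts the live access log; a 404 on a path under uploads is still worth noting, since it shows someone returning for a file that has since been removed.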


Re: totally not pwnd bro....:O
Good job.
Do you know how it happened? Probably some WordPress plugin that had a backdoor or was unpatched?

- bad_brain
- Site Owner
Re: totally not pwnd bro....:O
Hard to say what exactly caused it, the site ran that way for a long time already.....but yeah, this might have played a role:

