Site icon CleanTalk's blog

Our Investigation of the Hack of One Website (OR: How We Investigated a Hack of One Website)

sdsdинфографика 5

sdsdинфографика 5

We were contacted by one WordPress website owner with the issue of a website hack. Consequences of the hack were that their whole website content was deleted, meaning articles, pictures, plugins and themes were gone and visiting the website displayed a blank page. What was left in the folder «wp-content» was a single folder «uploads», new files in the root directory and many custom files «.htaccess» in other folders.

What measures were taken in the first place before restoring the website. To avoid future successful connections from the hacker, all passwords were changed, including database ones, authorization over HTTP was enabled, installation of any files and themes were allowed only over FTP.

What Has Been Done to Find Out the Source of the Hack

The main task was gathering information about how the hacker managed to get access to the website and delete all of its content.

The first step was saving the entire file system in a way where the files can not be created anew but to be saved in their current state (It’s important to know for identifying the creation time of the malicious files).

Input data:

The local repository of Splunk was chosen for the log analysis, data sources were the files «access.log» and «error.log».

To determine the time when the website infection happened, the creation time of the suspicious files in the website folder was inputted.

The next step was selecting a set of lines from the log files within a certain time period and the server response 200, while requests from «admin_ajax» and «wp_cron» were excluded.

Thus, we found the hacker’s IP address that was able to get a response 200 for its POST request to this address: /wp-content/themes/seotheme/db.php?

Next, we analyzed every line of activity of this IP address within the same time period. Based on this data, we see that someone created this folder: /wp-content/themes/seotheme

Furthermore,


How to prevent future hacks:

  1. constant monitoring of the website files for any new unknown files in the system,
  2. aggressive response to status changes of the «.htaccess» files if you use an Apache web-server
  3. force to implement any filesystem actions with a protected FTP account only, you can edit your wp-config.php by adding the code below:
define( 'FS_METHOD', 'ftpext' );

define( 'FTP_BASE', '/yoursitepath' );
Our Investigation of the Hack of One Website (OR: How We Investigated a Hack of One Website)
Exit mobile version