Plugin: Related Posts » Hosting company suspended account due to hack, looking for advice

  • marky1124

    (@marky1124)


    Hi,

    I’m new to the WordPress support community so apologies if I’ve raised this in the wrong area, or in some other way contravened any rules.

    I look after a small self hosted WordPress website. A few days ago our hosting company completely suspended the site and restricted all access to files so we were blind to investigate what happened. They gave me the following log entries to justify their actions. They offered to clean the site with per hour charges or 100% wipe it and reset. I chose the reset option. They deleted absolutely everything and I recovered from a recent backup.

    These are the log entries:

    138.68.67.26 - - [11/Jul/2019:12:25:42 +0100] "POST /wp-admin/admin-ajax.php?action=wpr-upload-comment-image HTTP/1.1" 200 4 "holleydesigns.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36"
    138.68.67.26 - - [11/Jul/2019:12:25:43 +0100] "POST /wp-content/uploads/2019/07/php.php_.php7_.gif HTTP/1.1" 404 29167 "holleydesigns.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36"

    My goal now is to understand if we are still vulnerable. The hosting company assures me that the uploaded file contained an obfuscated PHP exploit that would have allowed remote command execution via an installed webshell.

    I’m looking at the log entries and can see that the URLs were /wp-admin and /wp-content. My understanding is that the /wp-admin URL would require authentication. Am I correct? In which case that would suggest the site password was compromised, since the HTML return code was 200. The admin password was a gnarly long password that I find hard to believe was guessed. So I’m trying to understand this part, since it suggests to me that the password was compromised in some other way. Due to the hosting company’s policies I have no logs to investigate further.

    The second URL is in /wp-content. Would that have required an authenticated user as well?

    At the time the site was running WordPress v5.2.1. I don’t see anything in v5.2.2 related to the admin-ajax.php script or the /wp-content/upload URL. I’ve changed the password, but I’m trying to understand whether the site is still vulnerable.

    I’d appreciate any advice from someone more knowledgeable than me.

    Thanks and all the best
    Cheers
    Mark
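As an added, defender-side example (not from the original post, from WordPress, or from any plugin), the script below correlates the two request shapes quoted above in a web-server access log: an admin-ajax upload action followed by a request for a PHP-looking file under /wp-content/uploads/ from the same client IP. The sample log lines, IPs and hostname are constructed placeholders; the only value taken from the post is the action name.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in the same Apache combined-log shape as the entries
# quoted in the post; the IPs and hostname are documentation placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jul/2019:12:25:42 +0100] "POST /wp-admin/admin-ajax.php?action=wpr-upload-comment-image HTTP/1.1" 200 4 "example.com" "Mozilla/5.0"
203.0.113.10 - - [11/Jul/2019:12:25:43 +0100] "POST /wp-content/uploads/2019/07/php.php_.php7_.gif HTTP/1.1" 404 29167 "example.com" "Mozilla/5.0"
198.51.100.7 - - [11/Jul/2019:12:30:00 +0100] "GET /wp-content/uploads/2019/07/photo.gif HTTP/1.1" 200 1024 "example.com" "Mozilla/5.0"
198.51.100.7 - - [11/Jul/2019:12:31:00 +0100] "GET /wp-content/uploads/2019/07/cmd.php HTTP/1.1" 200 512 "example.com" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# admin-ajax actions that accept file uploads; only the action from the post is listed
UPLOAD_ACTIONS = {"wpr-upload-comment-image"}
# a ".php"-style token anywhere in an uploaded name, even before a final image extension
PHP_TOKEN = re.compile(r'\.php\d?(?![a-z0-9])', re.I)

def parse(line):
    """Split one access-log line into (ip, timestamp, method, path, status), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def find_upload_then_fetch(log_text, window_seconds=300):
    """Return (ip, path, status, prior_upload_time) for every request of a PHP-looking
    file under /wp-content/uploads/; prior_upload_time is set when the same IP sent an
    upload-capable admin-ajax POST within window_seconds, else None."""
    last_upload = {}   # ip -> time of its most recent upload-action POST
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        url = urlparse(path)
        if method == "POST" and url.path == "/wp-admin/admin-ajax.php":
            if UPLOAD_ACTIONS & set(parse_qs(url.query).get("action", [])):
                last_upload[ip] = ts
        elif url.path.startswith("/wp-content/uploads/") and PHP_TOKEN.search(url.path):
            prior = last_upload.get(ip)
            recent = prior is not None and timedelta(0) <= ts - prior <= timedelta(seconds=window_seconds)
            # status 200 here means the file was actually served; 404 means it was not reached
            hits.append((ip, url.path, status, prior if recent else None))
    return hits
```

A correlated hit with status 200 is the case to treat as a confirmed web shell; an uncorrelated one still deserves a look at how the file got there.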

Viewing 2 replies - 1 through 2 (of 2 total)
  • smartyp

    (@smartyp)

    Did you have the Yuzo Related Posts plugin installed..? If not, then yes, you raised it in the wrong area 🙂

    This would be a better place:-
    https://wordpress.org/support/topic-tag/hacked/

    This might help too for general info:-

    FAQ My site was hacked

    P.S. One blog post referred to the wp-review plugin as being a possible source of this specific problem. And that did have a security fix applied on July 12.

    marky1124

    (@marky1124)

    @smartyp Thank you for your reply. I don’t have the Yuzo plugin installed and I am in the wrong area. Apologies. I went round and round before posting here trying to find a way to post in the hacked-tagged forum, but whenever I visit it there is no yellow section at the bottom from which I could create a new topic. Perhaps I’m doing something wrong, or it’s because I’ve only recently created this account? When I finally got that ability I failed to realise I was in this plugin sub-forum. It had taken so long to find I didn’t want to risk losing it again 😉

    I also read through the FAQ page which had great advice on general approaches but I felt I had a question that wasn’t answered there.

    I’d appreciate it if my topic could either be moved or someone could help me understand how to ask my question in the right place.

    Cheers
    Mark

  • The topic ‘Hosting company suspended account due to hack, looking for advice’ is closed to new replies.