HACKED.

While we were vacationing in Chicago (which was awesome… more on that when I get the travel journal finished), I got an email from GoDaddy saying that my site had been compromised and was being used for a phishing scam. They attached a screenshot of the page, which was an exact replica of the Wells Fargo login screen. I personally don’t know why you’d go to queenofsubtle.com to log into your bank, but, hey, we know how the internet works. Regardless, that had to stop.

I couldn’t deal with the problem within the 2-hour timeframe, obviously, so they took the domain down as they should. When I got back, I logged into FTP and looked around. There was an entire Wells Fargo-related directory in the wp-includes folder of one of my WordPress installations, and a few other things that looked suspicious. I went through the entire directory (it seemed limited to my travel journal content) and cleared out anything with a timestamp from the weekend. Once the site was reinstated, I found it had a thankfully nonworking adult site ad in the sidebar, and all my widgets had been removed. Then I noticed the same ad injected onto another site, so it was obviously a larger issue that seemed limited to WordPress files.

I changed my FTP logins, MySQL database passwords, and WordPress logins to complicated passwords that I’m likely to forget myself. It was a huge pain in the ass, but I figured it was finished.

This morning, I got an alert that a file had changed on my site, and that there was another phishing site up. I checked the timestamp on that, and it occurred after I had changed all the passwords. This was in a directory outside any WordPress installation, which hadn’t been touched in years. I did some more looking, and found a couple password hacks and very suspicious obfuscated php files in a cache folder inside my travel journal. I did some googling, and found my answer.

I updated the exploitable file, then went about searching all my directories and deleting random things. They were seemingly unrelated, too, but I did find some scary shell script action going on, which I’m pretty sure is this. Then I installed Wordfence, and it found a few more compromised files.
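The two triage passes described above (files with a suspicious modification time, and PHP containing obfuscated payloads) can be scripted so they cover every directory at once instead of being eyeballed over FTP. The script below is an added example, not the author's own tooling or Wordfence's; it builds a constructed mini WordPress tree in a temp directory (every path and file name in it is made up) and runs both passes against it. The `find`/`grep` calls are POSIX so it works on a shared host's shell.

```shell
#!/bin/sh
# Added example (not the post's own script): the two triage passes the post
# describes, run against a constructed mini WordPress tree in a temp dir.
# Every path and file name here is made up for the demo.
set -eu

# Build the constructed sample site: one clean, old theme file plus two
# injected files of the kind the post found (an eval'd base64 blob in a theme
# cache folder, and a decoder chain in a directory outside WordPress proper).
make_sample_site() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/themes/oldtheme/cache" "$site/fake-bank"
  printf '<?php function theme_setup() { add_theme_support("menus"); }\n' \
    > "$site/wp-content/themes/oldtheme/functions.php"
  printf '<?php eval(base64_decode("ZWNobyAxOw=="));\n' \
    > "$site/wp-content/themes/oldtheme/cache/a3f.php"
  printf '<?php eval(gzinflate(base64_decode($_POST["c"])));\n' \
    > "$site/fake-bank/login.php"
  # Backdate the legitimate file so only the injected ones post-date the cutoff.
  touch -t 202001010000 "$site/wp-content/themes/oldtheme/functions.php"
  echo "$site"
}

# Pass 1: PHP files modified after CUTOFF, given as a touch -t stamp
# (CCYYMMDDhhmm). Uses a reference file with -newer, which is POSIX, rather
# than the GNU-only -newermt.
find_recent_php() {
  site=$1
  cutoff=$2
  ref=$(mktemp)
  touch -t "$cutoff" "$ref"
  find "$site" -type f -name '*.php' -newer "$ref" | sort
  rm -f "$ref"
}

# Pass 2: PHP files carrying the obfuscation idioms typical of injected
# webshells: eval/assert over a decoder, a nested decoder chain, and the
# preg_replace /e modifier (removed in PHP 7) that evaluates its replacement.
# This produces a triage list, not a verdict; read each hit before deleting.
find_obfuscated_php() {
  site=$1
  pat="(eval|assert)[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)"
  pat="$pat|gzinflate[[:space:]]*\([[:space:]]*base64_decode"
  pat="$pat|preg_replace[[:space:]]*\(.*/e['\"]"
  find "$site" -type f -name '*.php' -exec grep -lE "$pat" {} + | sort
}

# Stand-alone demo: build the sample site and print both triage lists.
if [ "${1:-}" = "--demo" ]; then
  site=$(make_sample_site)
  echo "== PHP files modified after 2020-01-02 =="
  find_recent_php "$site" 202001020000
  echo "== PHP files with obfuscation idioms =="
  find_obfuscated_php "$site"
  rm -rf "$site"
fi
```

Run it as `sh triage.sh --demo`. Two caveats worth keeping in mind: an attacker who has write access can `touch` a dropped file to match its neighbours, so the timestamp pass only catches careless implants and the content pass is the one to trust; and the grep patterns will also hit a few legitimate plugins that legitimately decode base64, so each hit should be read before it is removed.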

So what I get from this is that there are bots scanning for outdated versions of the file I happened to install with a theme that hadn’t been updated in a while, and using that to launch all manner of attacks. As a programmer I have to say I’m pretty impressed, but GODDAMMIT, KNOCK IT OFF.

So yeah, I’m pretty sure we’re good now, but I’ll be keeping an eye on the traffic reports for any more weird behavior.
