{"id":3617,"date":"2012-08-31T07:00:57","date_gmt":"2012-08-31T13:00:57","guid":{"rendered":"http:\/\/queenofsubtle.com\/cm\/?p=3617"},"modified":"2012-08-30T14:26:20","modified_gmt":"2012-08-30T20:26:20","slug":"hacked","status":"publish","type":"post","link":"http:\/\/queenofsubtle.com\/cm\/?p=3617","title":{"rendered":"HACKED."},"content":{"rendered":"<p>While we were vacationing in Chicago (which was awesome&#8230; more on that when I get the travel journal finished), I got an email from GoDaddy saying that my site had been compromised and was being used for a phishing scam. They attached a screenshot of the page, which was an exact replica of the Wells Fargo login screen. I personally don&#8217;t know why you&#8217;d go to queenofsubtle.com to log into your bank, but, hey, we know how the internet works. Regardless, that had to stop.<\/p>\n<p>I couldn&#8217;t deal with the problem within the 2-hour timeframe, obviously, so they took the domain down as they should. When I got back, I logged into FTP and looked around. There was an entire Wells Fargo-related directory in the wp-includes folder of one of my WordPress installations, and a few other things that looked suspicious. I went through the entire directory (it seemed limited to my travel journal content) and cleared out anything with a timestamp from the weekend. Once the site was reinstated, I found it had a thankfully nonworking adult site ad in the sidebar, and all my widgets had been removed. Then I noticed the same ad injected onto another site, so it was obviously a larger issue that seemed limited to WordPress files.<\/p>\n<p>I changed my FTP logins, MySQL database passwords, and WordPress logins to complicated passwords that I&#8217;m likely to forget myself. It was a huge pain in the ass, but I figured it was finished.<\/p>\n<p>This morning, I got an alert that a file had changed on my site, and that there was another phishing site up. 
I checked the timestamp on that, and it occurred <em>after<\/em> I had changed all the passwords. This was in a directory outside any WordPress installation, which hadn&#8217;t been touched in years. I did some more looking, and found a couple password hacks and very suspicious obfuscated php files in a cache folder inside my travel journal. I did some googling, and <a href=\"http:\/\/thetraveltheme.proboards.com\/index.cgi?board=general&amp;action=display&amp;thread=193\" target=\"_blank\">found my answer<\/a>.<\/p>\n<p>I updated the exploitable file, then went about searching all my directories and deleting random things. They were seemingly unrelated, too, but I did find some scary shell script action going on, which I&#8217;m pretty sure is <a href=\"http:\/\/markmaunder.com\/wp-content\/uploads\/2011\/08\/alucar_shell.png\" target=\"_blank\">this<\/a>. Then I installed Wordfence, and it found a few more compromised files.<\/p>\n<p>So what I get from this is that there are bots scanning for outdated versions of the file I happened to install with a theme that hadn&#8217;t been updated in a while, and using that to launch all manner of attacks. As a programmer I have to say I&#8217;m pretty impressed, but GODDAMMIT, KNOCK IT OFF.<\/p>\n<p>So yeah, I&#8217;m pretty sure we&#8217;re good now, but I&#8217;ll be keeping an eye on the traffic reports for any more weird behavior.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>While we were vacationing in Chicago (which was awesome&#8230; more on that when I get the travel journal finished), I got an email from GoDaddy saying that my site had been compromised and was being used for a phishing scam. 
They attached a screenshot of the page, which was an exact replica of the Wells &#8230;<a class=\"post-readmore\" href=\"http:\/\/queenofsubtle.com\/cm\/?p=3617\">read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[9],"tags":[],"class_list":["post-3617","post","type-post","status-publish","format-standard","hentry","category-nerdery"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/so9qt-hacked","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"http:\/\/queenofsubtle.com\/cm\/index.php?rest_route=\/wp\/v2\/posts\/3617","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/queenofsubtle.com\/cm\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/queenofsubtle.com\/cm\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/queenofsubtle.com\/cm\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/queenofsubtle.com\/cm\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3617"}],"version-history":[{"count":3,"href":"http:\/\/queenofsubtle.com\/cm\/index.php?rest_route=\/wp\/v2\/posts\/3617\/revisions"}],"predecessor-version":[{"id":3620,"href":"http:\/\/queenofsubtle.com\/cm\/index.php?rest_route=\/wp\/v2\/posts\/3617\/revisions\/3620"}],"wp:attachment":[{"href":"http:\/\/queenofsubtle.com\/cm\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3617"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/queenofsubtle.com\/cm\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3617"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/queenofsubtle.com\/cm\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3617"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}