Information Security
poshta3005, 2018-11-24 11:13:20

Changing site content. Where to dig?

Today, by chance and with surprise, I discovered that in several (not exactly old, but not new) entries, the content has been replaced with links to foreign film sites. The site is multi-user, but everything that a user writes / edits goes to me for verification before publication. And this muck didn’t come to me for verification. Obviously the site has been hacked. But where to dig is not clear. Because:
1. Access to the hosting admin panel - only after SMS confirmation.
2. FTP access - only from my IP.
3. The engine files are all of the same date, when they switched to the new version. Version WP 4.7.0.
4. Theme - handwritten.
5. There are only a couple of plugins, but they are simple and definitely safe (like rus-to-lat).
I.e., there are no holes as such.
a) Confused by a few lines in .htaccess:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

But the file update date is old; maybe it was not the attacker who added them, but me, when I switched to https.
To be honest, I don’t really understand this.
b) There is another option: that someone just picked my site admin password. That is why the substitution of the content of the posts did not come to me for verification. But it even sounds unlikely - think how many passwords you would need to go through. So it's kind of hard to believe.
Where else could there be weaknesses? How can content be replaced "past verification" by the admin?
Gentlemen, I will be grateful for any hints where to dig and what to look for.
Thank you.
UPD. It looks like there are a lot of such hacked sites.


3 answer(s)
Stalker_RED, 2018-11-24
@poshta3005

Version WP 4.7.0.

I.e., there are no holes as such.
It's not funny: https://www.cvedetails.com/vulnerability-list/vend...
They showed you where the hole is, say thank you for it, and close it.
They could have silently scanned other servers from your server and done something bad with them. Or maybe they are doing that too, but you haven't noticed yet.

athacker, 2018-11-25
@athacker

The lines in .htaccess are a redirect from HTTP to HTTPS. These are legitimate lines; in short, they have nothing to do with hacking.

lagudal, 2018-11-24
@lagudal

Hacking is most likely through holes in WP; WordPress is generally like a time bomb.
This of course does not mean that it should not be used, you just need to be constantly on the alert.
For starters, you need to check for nasty things, for example, with AI-Bolit.
If AI-Bolit does not find anything, take the version where everything is clean (do you have such a backup?), and compare file by file.
In any case, change all passwords and additionally protect the admin panel - there are options: there are plugins that change the path to the admin panel so that it cannot be found. You can also play it safe with htpasswd.
Check the permissions of files and folders, set the recommended ones.
Put a file-change checker in cron; there are ready-made solutions, but in principle you can write a small script yourself and use it to monitor changes in files.
