Skip to content

Not Again! Cracked! Well, at least defaced…

WordPress has been kicking my a$$ recently.  First at Cordell and now on – either defaced or spamming with an ancient captcha.

Let’s chat about Cordell first.  We had some guys build a WordPress site maybe five years ago and it seemed to work okay.  We were using a couple (alright, maybe just one) of plugins but lots of custom code including a contact form.  Yeah, I know but someone wanted an additional contact form and that’s the way that it went down and five years later I inherit the site.

The contact form had an early captcha integrated rather than built as a plugin and, well, it just got old and easy to miss.  Wordpress and the plugins stayed pretty current but the captcha stayed buried and wound up biting me.  The first signs of a problem was basically a denial of service attack.  The cracked captcha allowed 25K email connections a day and with the added overhead of the DNS lookups, the aging hardware in our rack began to tip.  The WordPress site is hosted at Hurricane Electric and they didn’t even seem to notice but when our LAN connectivity began to fail, I dropped to the logs to see who was doing what to whom.  I’m spamming me?  I guess that I should have seen that coming…

I installed the latest (4.7.1), restored the files, restored the database and stepped back to watch.  That lasted for two days.  This time the boys at HE called me after some other customers complained about the spam problem. At least they didn’t take my site down, right?  I dumped the hand crafted captcha and replaced it with a plugin that’s current.  Boom.

Fast forward two months and gets defaced!  What?  I’m running 4.7.1!  Wait, there’s 4.7.2?  Oops….  So I’m apparently not alone in my downrevedism.  And the guy that defaced my site got defaced.  Wow, try to keep up here.

Feb 4 – 1:54pm NG689Skw
Feb 5 – 8:41am MuhmadEmad overwrites
Feb 5 – 11:14am verifying the hack
Feb 5 – 11:38pm verifying the hack from a different machine
Feb 6 – 7:15am, 11:02am, 12:28pm, 1:32pm – verifying the hack
Feb 6 – 7:43pm repaired
Feb 6 – 7:44pm Lightweight from offshore and too late
Feb 7 – 7:17am Lightweight from offshore and too late

So I bumped WordPress to 4.7.2 and rolled back MuhmadEmad’s defaced page past NG689Skw’s defaced page to a page that I wrote (some might call that defacement) and all better.


Post a Comment

Your email is never published nor shared. Required fields are marked *