WordPress

‘Hacked Sites’ Other attack vectors

A good friend of mine contacted me recently. He thought his website had been hacked and asked me if I could take a look and get him back online. A quick attempt to access his site via web browser did reinforce that belief. Viewing the site in Chrome bought you to this message;

hacked site
Example of what his site was displaying

Hooboy. Something I can sink my teeth into! I got his credentials for hosting, and started to investigate his WordPress install. I checked for the usual signs of infection; odd files in the WP directories, modified core PHP files – nothing stood out.

Routing Revelation

Whilst about to commence checking log files he gave me a crucial bit of information. His custom @domain.com email wasn’t working either….

That changed everything!

His email was hosted with the company Zoho – whereas his website sat hosted on GoDaddy servers. This indicates the problem most likely doesn’t reside with the web server but something further up (or down depending on perspective) the line!

One of the more common attack vectors used by attackers when targeting WordPress sites usually revolve around out of date plugins. Keeping the plugins you use to a minimum and patched will reduce a lot of risks. (I can help with this).

However, a hacker gaining access to a WordPress site would not affect email routing . I immediately checked his GoDaddy Web Server IP address;

160.xxx.xxx.xx

A quick jump over to whatsmydns.net to discover his entire DNS records pointed to;

45.xxx.xxx.xxx

DUN DUN DUNNNN! Googling the IP range revealed the host to be Digital Ocean although the droplet was long since deactivated. This implies the culprit is a compromised DNS! The actual motto for the Sysadmin subreddit is encapsulated in the picture below;

hacked dns
Credit: u/tedjansen123

As expected, his DNS registrar account was compromised from an old password dump and his domain records were all pointing to the previously mentioned Digital Ocean droplet.

After changing his password and advising him to do that for ALL services that used that password/email combo he was back up and running.

Despite the flack that WordPress gets from a security perspective – it’s still a very robust CMS. It powers 34% of the internet and as with anything popular, it’s become trendy to hate/look down on in certain circles (much like Microsoft/Apple/*nix in the early 90s).

With the digital landscape changing so rapidly there are so many other methods and exploits hackers can try, maintaining vigilance has never been more important. Below is a quote I read in a SecOps article thats stuck with me as accurate.

Hackers only need to get it right once; we need to get it right every time

Chris Triolo, vice president of Professional Services, Education and Support, HP Enterprise Security Products.

Michael Burdett
Web & App Developer