It wasn’t a moment too soon – and in fact a few too late – that I moved my site from WordPress to Hexo. The other two dozen WordPress sites on the server – not just my friend’s blogs – running versions from 3.8 to 4.1, were broken into, and scripts were planted that would send mail. Some interesting features of the hack though!
- They installed PHP scripts with innocuous-sounding names like `gallery.php` inside WordPress plugin and theme directories.
- They installed a `.so` file, loaded it into the `/usr/bin/host` program with a dynamic loader trick, then deleted the `.so` so it’d be hard to find. This created a daemon used to send junk mail, and quite efficiently too.
- Having PHP record what URL was posted to when sending mail is the best thing ever for tracking this down. `lsof` is great for verifying that things are shut down.
- They wrote to every web-accessible directory that they had privilege to write to. Very adept hack.
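To make the second and third points concrete, here is an added example (a triage script written for this post, not code from the original incident). It does two things: it attributes `mail()` calls to the PHP script that made them, and it looks for processes that are still running code from a shared object that was deleted after being loaded, which is exactly what the deleted-`.so` trick leaves behind. It assumes `php.ini` has `mail.log` pointing at a file so PHP writes one line per `mail()` call (format from PHP’s `ext/standard/mail.c`), and the log lines and `/proc/<pid>/maps` dump below are constructed samples, not real ones.

```python
"""Post-compromise triage helpers (added example, not from the original post):
1. which PHP scripts are calling mail(), from PHP's mail.log
2. which processes map a shared object that has since been deleted
"""
import os
import re
from collections import Counter

# PHP records every mail() call when php.ini has  mail.log = /var/log/php_mail.log
# Line format: "[date] mail() on [script:line]: To: ... -- Headers: ..."
MAIL_LOG_RE = re.compile(
    r"^\[(?P<when>[^\]]+)\] mail\(\) on \[(?P<script>[^:\]]+):(?P<line>\d+)\]: "
    r"To: (?P<to>.*?) -- Headers: (?P<headers>.*)$"
)

# Constructed sample log (paths and addresses are placeholders).
SAMPLE_MAIL_LOG = [
    "[03-Feb-2015 04:12:07 UTC] mail() on [/var/www/example.org/wp-content/plugins/some-plugin/gallery.php:7]: To: someone@example.net -- Headers: From: admin@example.org",
    "[03-Feb-2015 04:12:07 UTC] mail() on [/var/www/example.org/wp-content/plugins/some-plugin/gallery.php:7]: To: other@example.net -- Headers: From: admin@example.org",
    "[03-Feb-2015 09:30:00 UTC] mail() on [/var/www/example.org/wp-includes/pluggable.php:1234]: To: owner@example.org -- Headers: From: wordpress@example.org",
    "not a mail.log line at all",
]


def parse_mail_log(lines):
    """Yield (script, line, to) for every parseable mail() record."""
    for raw in lines:
        m = MAIL_LOG_RE.match(raw.strip())
        if m:
            yield m.group("script"), int(m.group("line")), m.group("to")


def scripts_sending_mail(lines, top=10):
    """Count mail() calls per script path, most prolific first."""
    counts = Counter(script for script, _, _ in parse_mail_log(lines))
    return counts.most_common(top)


# Mail sent from a plugin, theme or uploads directory deserves a look; WordPress
# core sends its own mail via wp-includes/pluggable.php.
SUSPECT_DIRS = ("/wp-content/plugins/", "/wp-content/themes/", "/wp-content/uploads/")


def suspect_mailers(lines):
    """Scripts calling mail() from a directory where WordPress core does not send mail."""
    return sorted({s for s, _, _ in parse_mail_log(lines)
                   if any(d in s for d in SUSPECT_DIRS)})


# /proc/<pid>/maps: "start-end perms offset dev inode   pathname"; the kernel
# appends " (deleted)" when the mapped file no longer exists on disk.
DELETED_SO_RE = re.compile(r"^\S+ \S+ \S+ \S+ \S+\s+(?P<path>/\S+\.so\S*) \(deleted\)$")

# Constructed sample maps dump for a process that loaded and then unlinked a .so.
SAMPLE_MAPS = """\
00400000-0040c000 r-xp 00000000 08:01 131 /usr/bin/host
7f3a1c000000-7f3a1c021000 r-xp 00000000 08:01 9999 /tmp/.example.so (deleted)
7f3a1c021000-7f3a1c220000 ---p 00021000 08:01 9999 /tmp/.example.so (deleted)
7f3a1c400000-7f3a1c5c0000 r-xp 00000000 08:01 3141 /lib/x86_64-linux-gnu/libc-2.19.so
7f3a1cc00000-7f3a1cc01000 rw-p 00000000 00:00 0 [stack]
"""


def deleted_so_mappings(maps_text):
    """Return the distinct .so paths in a maps dump that are marked (deleted)."""
    found = []
    for line in maps_text.splitlines():
        m = DELETED_SO_RE.match(line.strip())
        if m and m.group("path") not in found:
            found.append(m.group("path"))
    return found


def scan_procs_for_deleted_so(proc_root="/proc"):
    """Walk the live /proc and return {pid: [deleted .so paths]}.

    Needs root to read other users' maps. A library replaced by a package
    upgrade also shows as (deleted) until the process restarts, so confirm the
    path against the package manager before treating a hit as hostile.
    """
    hits = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(f"{proc_root}/{pid}/maps") as f:
                paths = deleted_so_mappings(f.read())
        except OSError:
            continue  # process exited or permission denied
        if paths:
            hits[int(pid)] = paths
    return hits


if __name__ == "__main__":
    print("mail() calls per script:", scripts_sending_mail(SAMPLE_MAIL_LOG))
    print("suspect mailers:", suspect_mailers(SAMPLE_MAIL_LOG))
    print("deleted .so in sample maps:", deleted_so_mappings(SAMPLE_MAPS))
    print("live processes with deleted .so:", scan_procs_for_deleted_so())
```

The same "(deleted)" marker is what `lsof` prints in its NAME column, so `lsof | grep '(deleted)'` is the quick manual version of the second check, and running it again after killing the daemon is the verification step mentioned above. Enabling `mail.add_x_header = On` alongside `mail.log` also stamps each outgoing message with the sending script and UID, which helps when the only evidence you have is a bounced message.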