Hacked ⛏️ ⛏️ ⛏️ ⛏️ kind of

So yesterday evening I wanted to look something up in my own blog. At least my blog posts are useful for myself sometimes 😉. My site behaved differently: the content was there, but no styling. The first thing that came to my mind was that my CDN was down, so I looked into the Chrome Developer Tools and BAAAM!

My site requested like 5 JavaScript files from pastebin with suspicious names (not that loading files from pastebin wouldn’t be suspicious enough). Everything after the initial rendering of the DOM was blocked by these scripts.

So what happened?

Instead of just pulling out a backup and rolling it over the hacked version, I wanted to understand what was wrong there. I have some mechanisms on my servers that would recognize if files are changed or if someone is trying to access my server. Actually it couldn’t have happened through SSH or root access. Next I checked my logs for user logins. Also nothing. Only me from my IP address. I searched the code for links to pastebin. Again nothing.

A quick search on https://wpvulndb.com/ opened my eyes. The GDPR plugin I use, and probably a ton of other people too… It opened a backdoor, where one could use the REST API of WordPress to just do everything.

And that’s what happened to me. I mean, the attacker could have done worse things to my page (and I am quite happy that he didn’t). He only enqueued some scripts and changed some settings in the database. So I could easily pull out a backup, sync it and I was done.

But the feeling of “OH FUCK, I GOT HACKED”, I can tell you, is not that nice in the evening. See you tomorrow! 👋

