As of about 5 AM the shittening happened again. Sorry to anyone who got hit with the same dumbass redirect. I’ve reverted to the WordPress default theme just in case the issue was the theme I was using before allowing SQL injection…
Here’s what I know so far…
The whole attack seems to be straight outa China.
When it happens, I’ve seen something basically start hammering on mysql (tons of login failures are produced) which is only open to localhost, so I feel like something is kinda being exploited in a roundabout manner to brute force a password and get in. I’ve changed the passwords to stuff that looks like line noise for now.
No idea what it is but I’ve hidden the old Gallery install for now in case that’s the point of entry.
I’ll be doing the good ol’ nuke and pave soon then reimporting all the content. For now, knock on wood, maybe this will just stay up and uninfected for a couple days until I can get around to that.
Maybe the domain name in use for the JavaShit script – getmyconfigplease -dot- com – is a silly clue, like they’re somehow getting hold of the WordPress config file for this attack? I mean, if that’s obtained by an attacker, they’ve got the database credentials handed to them on a silver platter. If that were the case though I wouldn’t expect to be seeing tons of login failures, just a quick and easy in, spam, and out.
I fucking hate computers 😀
4 thoughts on “Spam, patience, and the things that test it”
Same thing has happened to a website I manage except we didn’t get any failed login notifications. Did you have any luck cleaning it up? Can’t see much online about it so anything you found helpful would be useful for us too.
Yeah. Turns out I had phpmyadmin installed and they were just directly crapping on the database.
We didn’t have that installed but we’d let our site get out of date and didn’t have it very secure. Have wiped and manually reinstalled everything (didn’t use any content backup just in case) and now using better security. Hope yours is resolved too. 👍🏼
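As an added example (not code from the post or its comments), assuming MySQL writes failed authentication attempts to its error log as "Access denied for user" lines, here is a small detector that flags the kind of burst of login failures the post describes, run over constructed log lines. A burst arriving from 'localhost' on a box where MySQL is not exposed externally points at something on the web server itself (such as the phpMyAdmin install the comment identified) doing the guessing.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the shape of a MySQL error log (timestamps and names invented).
SAMPLE_LOG = """\
2019-06-02T05:01:10.000000Z 41 [Note] Access denied for user 'wordpress'@'localhost' (using password: YES)
2019-06-02T05:01:10.200000Z 42 [Note] Access denied for user 'wordpress'@'localhost' (using password: YES)
2019-06-02T05:01:10.400000Z 43 [Note] Access denied for user 'root'@'localhost' (using password: YES)
2019-06-02T05:01:10.600000Z 44 [Note] Access denied for user 'wordpress'@'localhost' (using password: YES)
2019-06-02T05:01:11.000000Z 45 [Note] Access denied for user 'wordpress'@'localhost' (using password: YES)
2019-06-02T05:01:11.300000Z 46 [Note] Access denied for user 'wordpress'@'localhost' (using password: YES)
2019-06-02T05:01:12.100000Z 47 [Note] Access denied for user 'wordpress'@'localhost' (using password: YES)
2019-06-02T09:30:00.000000Z 90 [Note] Access denied for user 'wordpress'@'localhost' (using password: YES)
"""

# Keys only on the timestamp and the message text, since the prefix between them varies by MySQL version.
ACCESS_DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z?.*?"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)

def parse_failures(log_text):
    """Yield (timestamp, user, host) for every failed-login line."""
    for line in log_text.splitlines():
        m = ACCESS_DENIED.search(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["user"], m["host"]

def find_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {(user, host): peak count} for sources whose failures within any
    sliding window of length `window` reach `threshold` (brute-force-like bursts)."""
    recent = defaultdict(deque)
    bursts = {}
    for ts, user, host in parse_failures(log_text):
        q = recent[(user, host)]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            bursts[(user, host)] = max(bursts.get((user, host), 0), len(q))
    return bursts
```

The isolated failure at 09:30 falls outside the window and is not reported, so a single mistyped password by an admin does not trip the check.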