As of about 5 AM the shittening happened again. Sorry to anyone who got hit with the same dumbass redirect. I’ve reverted to the WordPress default theme just in case the issue was the theme I was using before allowing SQL injection…
Here’s what I know so far…
The whole attack seems to be straight outta China.
When it happens, I’ve seen something basically start hammering on mysql (tons of login failures are produced) which is only open to localhost, so I feel like something is kinda being exploited in a roundabout manner to brute force a password and get in. I’ve changed the passwords to stuff that looks like line noise for now.
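The burst of failed logins against a database that only listens on localhost is the observation worth pinning down: which account is being hammered, from which host, and how fast. The script below is an added example, not code from the original post; it assumes the server writes failed authentications to its error log in the usual `Access denied for user 'u'@'h' (using password: YES)` form (on MySQL 5.7 that requires `log_error_verbosity=3`), and the log lines it parses are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the shape of a MySQL error log; not a real capture.
SAMPLE_LOG = """\
2019-03-04T04:58:01.000000Z 311 [Note] Access denied for user 'wordpress'@'localhost' (using password: YES)
2019-03-04T04:58:01.100000Z 312 [Note] Access denied for user 'wordpress'@'localhost' (using password: YES)
2019-03-04T04:58:01.200000Z 313 [Note] Access denied for user 'root'@'localhost' (using password: YES)
2019-03-04T04:58:02.000000Z 314 [Note] Access denied for user 'wordpress'@'localhost' (using password: YES)
2019-03-04T05:00:00.000000Z 315 [Warning] Aborted connection 315 to db: 'wp' user: 'wordpress' host: 'localhost' (Got an error reading communication packets)
2019-03-04T05:00:10.000000Z 316 [Note] Access denied for user 'wordpress'@'127.0.0.1' (using password: NO)
"""

# Assumed line layout: ISO timestamp, connection id, [level], then the
# standard ER_ACCESS_DENIED_ERROR text.
ACCESS_DENIED = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[\w+\]\s+Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)' \(using password: (?P<pw>YES|NO)\)"
)


def parse_failures(text):
    """Yield (timestamp, user, host, used_password) for every failed-login line."""
    for line in text.splitlines():
        m = ACCESS_DENIED.match(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("host"), m.group("pw") == "YES"


def failures_by_user_host(text):
    """Total failures per (user, host) pair; tells you what is being targeted."""
    return Counter((u, h) for _, u, h, _ in parse_failures(text))


def burst_offenders(text, threshold=3):
    """(user, host) pairs that reached `threshold` failures in the whole log."""
    return {k: n for k, n in failures_by_user_host(text).items() if n >= threshold}


def _parse_ts(ts):
    # The 'Z' suffix is not accepted by fromisoformat() before Python 3.11.
    return datetime.fromisoformat(ts.rstrip("Z"))


def peak_rate(text, window_seconds=60):
    """Most failures any (user, host) pair produced inside one sliding window.

    A human mistyping a password gives a peak of 1 or 2; a script that is
    guessing gives a peak in the dozens or more within seconds.
    """
    per_key = {}
    for ts, u, h, _ in parse_failures(text):
        per_key.setdefault((u, h), []).append(_parse_ts(ts))
    window = timedelta(seconds=window_seconds)
    peaks = {}
    for key, times in per_key.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):
            while times[j] < t - window:   # drop timestamps that fell out of the window
                j += 1
            best = max(best, i - j + 1)
        peaks[key] = best
    return peaks


if __name__ == "__main__":
    for (user, host), n in failures_by_user_host(SAMPLE_LOG).most_common():
        print(f"{user}@{host}: {n} failures, peak {peak_rate(SAMPLE_LOG)[(user, host)]} per 60s")
```

Run it against the real error log (`python3 thisscript.py < /var/log/mysql/error.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and the host column is the useful part: failures arriving from `localhost` on a server that only listens on localhost mean the guessing is coming from something already running on the box (a web shell, a compromised PHP script), which is consistent with the roundabout exploitation suspected above and is the thing the nuke-and-pave needs to remove.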
No idea what it is but I’ve hidden the old Gallery install for now in case that’s the point of entry.
I’ll be doing the good ol’ nuke and pave soon then reimporting all the content. For now, knock on wood, maybe this will just stay up and uninfected for a couple days until I can get around to that.
Maybe the domain name in use for the JavaShit script – getmyconfigplease -dot- com – is a silly clue, like they’re somehow getting hold of the WordPress config file for this attack? I mean, if that’s obtained by an attacker, they’ve got the database credentials handed to them on a silver platter. If that were the case though I wouldn’t expect to be seeing tons of login failures, just a quick and easy in, spam, and out.
I fucking hate computers 😀