

Update Nov 18 - BleepingComputer was tipped about a recent fix on the Directorist plugin, addressing a bug that allowed low-privilege users to run arbitrary code.


WordPress plugin used to display ransom notes and countdown

In addition to displaying a ransom note, the plugin would modify all the WordPress blog posts and set their 'post_status' to 'null,' causing them to go into an unpublished state.

As such, the actors created a simple yet powerful illusion that made it look as if the site had been encrypted.

By removing the plugin and running a command to republish the posts and pages, the site returned to its normal status.

Upon further analysis of the network traffic logs, Sucuri found that the first place the attacker's IP address appeared was the wp-admin panel.

This means that the intruders logged in as admins on the site, either by brute-forcing the password or by sourcing stolen credentials from dark web markets.

As for the plugin seen by Sucuri, it was Directorist, which is a tool to build online business directory listings on sites.

This was not an isolated attack but instead appears to be part of a broader campaign, giving more weight to the second scenario (stolen credentials rather than brute force).

Sucuri has tracked approximately 291 websites affected by this attack, with a Google search showing a mix of cleaned-up sites and those still showing ransom notes.

All of the sites seen by BleepingComputer in search results use the same 3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc Bitcoin address, which has not received any ransom payments.

Sucuri also suggests a set of security practices to protect WordPress sites from being hacked.
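A small triage-and-cleanup script for this case, added here as an example (it is not Sucuri's or BleepingComputer's code). It reproduces the log check described above, listing the IPs whose very first request to the site was the wp-admin panel or wp-login.php rather than a public page, and it repairs the unpublished posts by touching only rows whose post_status is not a status WordPress itself uses, so legitimate drafts and private posts stay unpublished. The access-log lines, IP addresses and table rows are constructed, and the wp_posts table is an in-memory SQLite stand-in (the real table is MySQL/MariaDB with many more columns); the function names are this example's own.

```python
"""Triage and cleanup helpers for the fake-ransomware WordPress plugin case (example code)."""
import re
import sqlite3
from datetime import datetime

# Apache/nginx "combined" access-log format. Assumed format, not taken from the article.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ADMIN_PREFIXES = ("/wp-admin", "/wp-login.php")

# Constructed sample log: 203.0.113.9 browses the blog first, 198.51.100.4 goes
# straight to the login form and then uploads a plugin through wp-admin.
SAMPLE_LOG = """\
203.0.113.9 - - [14/Nov/2021:02:11:07 +0000] "GET /blog/ HTTP/1.1" 200 5123
198.51.100.4 - - [14/Nov/2021:02:12:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.4 - - [14/Nov/2021:02:12:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 9087
198.51.100.4 - - [14/Nov/2021:02:13:05 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 1200
203.0.113.9 - - [14/Nov/2021:02:15:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0
"""


def first_request_by_ip(log_text):
    """Return {ip: (timestamp, path)} for each IP's earliest request, sorted by time."""
    entries = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        entries.append((ts, m.group("ip"), m.group("path")))
    first = {}
    for ts, ip, path in sorted(entries):
        first.setdefault(ip, (ts, path))
    return first


def straight_to_admin(first):
    """IPs whose first-ever request was an admin path: a valid login, not a public exploit path."""
    return sorted(ip for ip, (_, path) in first.items() if path.startswith(ADMIN_PREFIXES))


# Statuses WordPress assigns itself; anything else on a post or page is suspect.
KNOWN_STATUSES = ("publish", "draft", "pending", "private", "future", "trash", "auto-draft", "inherit")
TAMPERED_WHERE = (
    "post_type IN ('post', 'page') AND (post_status IS NULL OR post_status NOT IN (%s))"
    % ",".join("?" * len(KNOWN_STATUSES))
)


def build_sample_site():
    """In-memory stand-in for wp_posts with constructed rows (real table: MySQL, more columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, "
                 "post_type TEXT, post_status TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?)", [
        (1, "Hello world", "post", "null"),        # unpublished by the plugin (string 'null')
        (2, "About us", "page", "null"),           # unpublished by the plugin
        (3, "Unfinished post", "post", "draft"),   # legitimately unpublished, must stay a draft
        (4, "Contact", "page", "publish"),         # untouched
        (5, "hero.png", "attachment", "inherit"),  # not a post/page, out of scope
        (6, "Team", "page", None),                 # real SQL NULL, in case the plugin wrote one
    ])
    conn.commit()
    return conn


def find_tampered(conn):
    """Rows a blind 'republish everything' would hide among drafts: list them before touching them."""
    return conn.execute(
        "SELECT ID, post_title, post_type, post_status FROM wp_posts WHERE %s ORDER BY ID"
        % TAMPERED_WHERE, KNOWN_STATUSES).fetchall()


def republish_tampered(conn):
    """Set only the tampered rows back to 'publish'; returns the number of rows changed.

    A plain UPDATE wp_posts SET post_status='publish' would also expose drafts and private posts.
    """
    cur = conn.execute("UPDATE wp_posts SET post_status = 'publish' WHERE %s" % TAMPERED_WHERE,
                       KNOWN_STATUSES)
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    first = first_request_by_ip(SAMPLE_LOG)
    print("IPs whose first request was an admin path:", straight_to_admin(first))
    site = build_sample_site()
    print("Tampered rows:", find_tampered(site))
    print("Republished:", republish_tampered(site))
```

Posts that were private or scheduled before the attack will come back as published by this repair, since the plugin erased their original status; if the site has a recent backup, compare post_status there before running the UPDATE, and treat the log result as a lead for credential rotation and for checking which admin account uploaded the plugin.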
