While we pride ourselves on our offensive engagements, Black Harbor is a full-service cybersecurity consultancy. Recently, we were asked to perform triage of a business website that appeared to be hosting pages with content unknown to the owner. Even worse, the site was being flagged as hacked by Google.
The website in question is hosted on DigitalOcean and contains a few subdomain instances of WordPress. Right away we correctly assumed that we were looking at an issue with the WordPress installations rather than a server vulnerability or exploit. The client mentioned that they started having issues sometime in September. An initial search for files modified in September in the WordPress directories revealed that the root of one WordPress directory held a file named indexbak.php, created on 4 September. This file piqued our interest, as most WordPress backup plugins use bak as a file extension, such as
Doing a search for all files written to the primary WordPress subdomain directory on 4 September revealed the following files.
Immediately we can see that the contact-form-7 plugin directory had a wp-index.php file written into it, which again is unusual for a WordPress installation.
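The file-timeline step described above (list everything written to the document root on a given day, then look at the PHP files that do not belong) can be scripted so it is repeatable across every install on the host. The following is an added example, not Black Harbor's own tooling: it relies on find(1) with -newermt (present in GNU and BSD find), and the year, directory layout and file names in the demo tree are constructed for illustration. The two filtering rules in flag_suspicious_php are assumptions drawn from this one case (a PHP file with "bak" in its name; a non-index.php PHP file newly written under wp-content/plugins), not a complete detection set.

```shell
#!/bin/sh
# Added example, not Black Harbor's tooling: the modification-time triage the
# post describes (files written to the document root on 4 September), plus a
# first-pass filter for the kind of PHP file it turned up. Needs find(1) with
# -newermt (GNU and BSD find both have it). The year, directory layout and file
# names used in the demo are constructed.

# Regular files under $1 whose mtime is in [$2, $3); $2 and $3 are any
# timestamps -newermt accepts, e.g. "2023-09-04" or "2023-09-04 12:00".
files_modified_between() {
    find "$1" -type f -newermt "$2" ! -newermt "$3" | LC_ALL=C sort
}

# Reduce a file list on stdin to PHP files worth a second look. Both rules are
# assumptions drawn from this case, not a complete detection set:
#   1. a PHP file with "bak" in its name (backup plugins write .bak files,
#      not .php files named like backups, so indexbak.php stands out)
#   2. a PHP file written under wp-content/plugins/ that is not index.php
#      (plugin directories ship a placeholder index.php; a freshly written
#      wp-index.php in contact-form-7 is not part of the plugin)
flag_suspicious_php() {
    while IFS= read -r f; do
        case "$f" in *.php) ;; *) continue ;; esac
        base=${f##*/}
        case "$base" in *bak*) echo "$f"; continue ;; esac
        case "$f" in
            */wp-content/plugins/*) if [ "$base" != "index.php" ]; then echo "$f"; fi ;;
        esac
    done
}

# Constructed document root: baseline files dated June, three files touched
# on 4 September (two of them the kind of artifact found in the incident,
# one an ordinary theme edit that must not be flagged).
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/contact-form-7" "$root/wp-content/themes/site"
    for f in index.php wp-config.php \
             wp-content/plugins/contact-form-7/index.php \
             wp-content/plugins/contact-form-7/wp-contact-form-7.php; do
        : > "$root/$f"; touch -t 202306011200 "$root/$f"
    done
    for f in indexbak.php \
             wp-content/plugins/contact-form-7/wp-index.php \
             wp-content/themes/site/style.css; do
        : > "$root/$f"; touch -t 202309041015 "$root/$f"
    done
    echo "$root"
}

# Stand-alone run: list the day's files, then the flagged subset.
demo() {
    root=$(build_demo_tree)
    echo "== files modified on 2023-09-04 =="
    files_modified_between "$root" "2023-09-04" "2023-09-05"
    echo "== PHP files flagged for review =="
    files_modified_between "$root" "2023-09-04" "2023-09-05" | flag_suspicious_php
    rm -rf "$root"
}

demo
```

On a real host, point files_modified_between at each WordPress document root with the window the client's symptoms suggest, and treat the flagged list as a starting point for manual review rather than a verdict: a legitimate plugin update in the same window will also write PHP under wp-content/plugins, so each hit should be compared against the plugin's distributed file list.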
Voilà. The smoking gun. A remote file upload vulnerability in contact-form-7 gave this attacker initial access to the host, using an SQL query to create an administrative user. From there the user was able to execute commands and upload plugins to the other WordPress installations to spread their malicious SEO redirect takeover.
Another fun artifact is the recon mechanism used to send notification of access to the vulnerable server via the Telegram API. (Yes, we know the API keys are exposed. We don't care to protect criminals.)
Luckily for this client, remediation was simple. We reverted to a confirmed-good snapshot taken within a few days of the incident and had them patch all plugins to the latest version to reduce the exposed vulnerable attack surface.
The key takeaway from this incident is that the client was diligent in updating plugins on their primary site. However, they had forgotten about the subdomain WordPress installations, and those went unpatched. It's common for clients with even small web footprints to forget about development servers and test files, or to skip checking for leftover exposed configurations that applications sometimes leave behind during the install phase. This is why it is critically important to constantly evaluate what footprint applications or websites expose publicly.
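The forgotten-subdomain problem above is an inventory problem: an install you do not know about is one you will not patch. The following is an added example, not Black Harbor's own tooling, that walks a web root, finds every WordPress install by its wp-config.php, and reports the core version WordPress records in wp-includes/version.php, so a stale copy shows up next to the patched primary site. It assumes wp-config.php sits in each document root (WordPress also accepts it one directory up, which this walk does not cover), and the directory names and version strings in the demo are constructed.

```shell
#!/bin/sh
# Added example, not Black Harbor's tooling: inventory every WordPress install
# under a web root and report its core version, so forgotten subdomain copies
# show up alongside the primary site. Assumes each install keeps wp-config.php
# in its document root (WordPress also accepts it one directory up, which this
# walk does not cover). Paths and version strings in the demo are constructed.

# Core version recorded by WordPress in wp-includes/version.php
# (the line looks like: $wp_version = '6.4.2';).
wp_core_version() {
    grep "^.wp_version = '" "$1/wp-includes/version.php" | sed "s/.*'\([^']*\)'.*/\1/"
}

# Print "<install dir> <core version>" for each install found under $1, sorted,
# so the output can be diffed against last week's run or a patching checklist.
list_wp_installs() {
    find "$1" -type f -name wp-config.php | LC_ALL=C sort | while IFS= read -r cfg; do
        dir=${cfg%/wp-config.php}
        if [ -f "$dir/wp-includes/version.php" ]; then
            printf '%s %s\n' "$dir" "$(wp_core_version "$dir")"
        else
            printf '%s (no wp-includes/version.php)\n' "$dir"
        fi
    done
}

# Constructed tree: a current primary site and a stale dev subdomain copy.
# The version numbers are sample values, not taken from the incident.
build_demo_installs() {
    root=$(mktemp -d)
    for pair in main:6.4.2 dev:6.1.1; do
        name=${pair%%:*}; ver=${pair#*:}
        mkdir -p "$root/www/$name/wp-includes"
        : > "$root/www/$name/wp-config.php"
        printf "<?php\n\$wp_version = '%s';\n" "$ver" > "$root/www/$name/wp-includes/version.php"
    done
    echo "$root"
}

# Stand-alone run against the constructed tree.
demo() {
    root=$(build_demo_installs)
    list_wp_installs "$root"
    rm -rf "$root"
}

demo
```

Run list_wp_installs against the parent of all virtual-host roots (for example /var/www) rather than one site at a time; the point is to surface the installs nobody remembered to include in the patch cycle.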
Get in touch with us at firstname.lastname@example.org if you are interested in attack surface assessments to avoid problems such as this!