Hacker News new | ask | show | jobs
by dageshi 4431 days ago
After dealing with quite a few hacked wordpress sites. My general advice is to install something like afick on site creation.

http://afick.sourceforge.net/

Then you do have a reasonable idea of what's actually been modified after the fact.
1 comments
arethuza 4431 days ago
Aren't tool like that vulnerable to being replaced with a version that runs the real afick and simply removes all references to anything that the attacker wants to hide?

The attacker could then arrange for any activity during the time they were active to be filtered - including the change to afick itself...

Do attackers ever try a double bluff and make an attack look like a "standard" script-kiddie attack - which might be regarded as something that can be recovered from without scrubbing the server and starting again, leaving the more sophisticated main attack in place?

[NB Been reading a lot of John le Carré recently, which probably explains the paranoia].

link
dageshi 4430 days ago
Oh all that is certainly possible. As a rule most of these attackers don't really know what afick is or if they do they simply don't care, most wordpress attacks are for the purposes of malware/SEO spam, so it's really a numbers game, figuring out how to quietly subvert afick is a waste of time for them.

More to the point I don't use afick as a detection system but more as a cleanup tool. Typically in most wordpress hacks (I've probably dealt with about 8-10) you'll find that the attackers will target the theme because typically if you "replace all the files on the site" you can't replace the theme, it's unique, unless you've got a clean copy from a backup (assuming you know when the hack took place) then you can't easily replace it with known good code.

But the theme is also the part of the site that changes least, so even an afick database from the first day of the site is sufficiently useful in seeing what files (php, js) have been altered.

Typically, I end up installing afick after I get called in to clean up an existing hack. If it's been hacked once, it may well get hacked again, so I install afick to make the cleanup job easier the second time around.

link
jqueryin 4431 days ago
In all honesty, I'm not particularly sure most of the script kiddie type hackers attacking Wordpress and Drupal have the skillset to figure this out. They're picking off low hanging fruit IMO. This doesn't ring true for all of them, i.e. those expanding a global botnet, but most of them are skilled in the art of running a script and uploading files to a web directory with basic `chown` and `chmod` perms.
link