by arethuza
4430 days ago
Aren't tools like that vulnerable to being replaced with a version that runs the real afick and simply removes all references to anything that the attacker wants to hide? The attacker could then arrange for any activity during the time they were active to be filtered, including the change to afick itself... Do attackers ever try a double bluff and make an attack look like a "standard" script-kiddie attack, which might be regarded as something that can be recovered from without scrubbing the server and starting again, leaving the more sophisticated main attack in place? [NB Been reading a lot of John le Carré recently, which probably explains the paranoia].
More to the point, I don't use afick as a detection system but more as a cleanup tool. Typically in most WordPress hacks (I've probably dealt with about 8-10) you'll find that the attackers will target the theme, because typically if you "replace all the files on the site" you can't replace the theme: it's unique, so unless you've got a clean copy from a backup (assuming you know when the hack took place), you can't easily replace it with known good code.
But the theme is also the part of the site that changes least, so even an afick database from the first day of the site is sufficiently useful in seeing what files (php, js) have been altered.
Typically, I end up installing afick after I get called in to clean up an existing hack. If it's been hacked once, it may well get hacked again, so I install afick to make the cleanup job easier the second time around.
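The two points raised in this thread, baselining a theme's php/js files so that later changes stand out, and the worry that the checker itself could be swapped for a version that filters its own results, can be shown together in a small baseline-and-compare script. This is an added example, not afick's code and not anything posted in the thread; the theme layout, the `__checker__` baseline key, the `baseline.json` file and every sample file are constructed for the demonstration.

```python
"""Minimal file-integrity baseline/compare in the spirit of afick (added example).

Assumptions (not from the thread): the directory layout, the baseline JSON
format, the `__checker__` key, and the sample files are all constructed here.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# File types the thread reports as the ones that get altered in theme directories.
WATCHED_SUFFIXES = {".php", ".js"}
CHECKER_KEY = "__checker__"  # hypothetical baseline key holding the checker's own hash


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, checker: Path) -> dict:
    """Hash every watched file under root, plus the checker program itself."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in WATCHED_SUFFIXES:
            entries[p.relative_to(root).as_posix()] = sha256_of(p)
    # Recording the checker's own hash makes a swapped-out checker visible,
    # provided the baseline is stored somewhere the host cannot rewrite.
    entries[CHECKER_KEY] = sha256_of(checker)
    return entries


def compare(baseline: dict, root: Path, checker: Path) -> dict:
    """Report added, removed and modified files relative to the baseline."""
    current = build_baseline(root, checker)
    old = {k: v for k, v in baseline.items() if k != CHECKER_KEY}
    new = {k: v for k, v in current.items() if k != CHECKER_KEY}
    return {
        "checker_modified": baseline.get(CHECKER_KEY) != current[CHECKER_KEY],
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    """Write the baseline as JSON; in real use keep this copy off the host."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a toy theme, alter it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        theme = tmp / "wp-content" / "themes" / "mytheme"
        (theme / "js").mkdir(parents=True)
        (theme / "functions.php").write_text("<?php // constructed theme file\n")
        (theme / "style.css").write_text("/* constructed; not a watched suffix */\n")
        (theme / "js" / "main.js").write_text("console.log('hello');\n")
        checker = tmp / "check.py"
        checker.write_text("# constructed stand-in for the checker program\n")
        baseline_file = tmp / "baseline.json"

        save_baseline(build_baseline(theme, checker), baseline_file)

        # Simulate the kinds of change the thread describes: a theme file edited,
        # a new PHP file appearing, a JS file removed, and the checker replaced.
        with (theme / "functions.php").open("a") as f:
            f.write("// constructed unexpected change\n")
        (theme / "extra.php").write_text("<?php // constructed new file\n")
        (theme / "js" / "main.js").unlink()
        checker.write_text("# constructed replacement checker\n")

        return compare(load_baseline(baseline_file), theme, checker)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `checker_modified` flag only means something if the baseline (and ideally a copy of the checker) lives somewhere the compromised host cannot write to, such as a separate machine that pulls the files over a read-only channel; a baseline stored beside the site is exactly what a filtering replacement would rewrite. Unwatched files such as `style.css` are deliberately excluded to mirror the thread's focus on php and js, but widening `WATCHED_SUFFIXES` is a one-line change.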