No, I was hacked with some stolen user credentials.
I was surprised today when I noticed that someone had posted a new article to this site at 6:36AM this morning titled “3 Reasons to Start Using Dealspaces”. Interestingly enough the user account used to post the article was a test account under my wife’s name that I probably haven’t used in years.
I went looking at the nginx access.log files and found the relevant entires;
213.164.204.89 - - [17/Feb/2021:11:36:17 +0000] "POST //xmlrpc.php HTTP/1.1" 200 141 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0"
213.164.204.89 - - [17/Feb/2021:11:36:18 +0000] "POST //xmlrpc.php HTTP/1.1" 200 2253 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0"
213.164.204.89 - - [17/Feb/2021:11:36:19 +0000] "GET /2021/02/3-reasons-to-start-using-dealspaces/ HTTP/1.1" 200 9985 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0"
The IP address belongs to a Swedish Internet Service Provider named Bahnhof, not particularly helpful as it could have also been a Tor endpoint or exit node. I can tell from the time stamps that the action was likely scripted as there was exactly one second between each request.
Needless to say I immediately deleted the post and the user account that was used to make the post and then changed my own password out of an abundance of caution. I then scoured the entire WordPress filesystem using the recent backup I had to try and make sure that nothing else was changed. I even dumped the database and ran a quick comparision against a recent backup, again looking for any changes or any obfuscated code.
My Thoughts?
Old user accounts are becoming a bigger and bigger problem as the longer they hang around in the wild they will eventually end up being compromised. This is why IT security professionals plead with users to use different passwords on every single website and to frequently change those passwords. Unfortunately in this case I’m going to guess that the password used for this account likely wasn’t very secure (Test123) and that’s likely how the hacker was able to login to WordPress and post the article. So shame on me for yet again falling into the roll of a user.
Are you curious if your user credentials have ever been leaked? Check out have i been pwned?
Cheers!