
How I Stopped a Website Hacker in Mid Hack
I recently received an email from a friend. He fortunately has the free version of Wordfence installed on his website. Wordfence sent him this alert:
An admin user with the username backup was created outside of WordPress.
He forwarded the email to me and asked, “What does this mean?” My reply was, “You’ve been hacked.”
Within minutes, we received a second email from Wordfence:
A user with username “backup” who has administrator access signed in to your WordPress site.
User IP: 54.153.186.4
User hostname: ec2-54-153-186-4.ap-southeast-2.compute.amazonaws.com
User location: Sydney, Australia
The interesting thing is the host name: it contains amazonaws, which points to an automated tool running on a rented cloud instance rather than a person on a home connection. (Hackers love to use Amazon Web Services to host their automated hacking tools.)
The first thing I did was to log in to his website and upgrade his copy of Wordfence to Premium using one of my spare Wordfence Premium licenses. That allowed me to block the hacker’s IP address. I also blocked:
- Anything with “amazonaws” in the host name
- Anything originating outside the USA.
With the immediate threat neutralized, it was time to analyze the attack. Rather than just delete the user named “backup”, I went into the database to examine the records associated with that user. It was clear that the hacker’s bot had added the bare minimum to the WordPress database that would allow the “backup” user to log in. Having gleaned all I could from the database, I deleted the user named “backup”.
This attack had all the indications of a SQL injection attack. His copy of WordPress was current, so I started examining his plugins. Bingo. One of his plugins was an older version that contained a SQL injection vulnerability. I then discovered that while the plugin was installed and activated, it was not used anywhere on his website. Therefore, instead of updating the plugin, I deleted it.
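The queries below are an added example of the database examination described above; they are not the author's own queries and are not taken from the original post. They assume a MySQL/MariaDB WordPress database with the default `wp_` table prefix (substitute the site's real prefix, found in `wp-config.php`) and a suspect account named `backup`. The read-only queries come first; take a backup before running the `DELETE` statements.

```sql
-- Added example (not from the original post). Assumes the default "wp_" table
-- prefix and MySQL/MariaDB; adjust the prefix if the site uses another.

-- 1. Every account holding the administrator role. WordPress stores a user's
--    roles as a PHP-serialized array in wp_usermeta under meta_key
--    'wp_capabilities' (e.g. a:1:{s:13:"administrator";b:1;}), so a pattern
--    match on that value is the practical way to list administrators in SQL.
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       m.meta_value AS capabilities
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered DESC;

-- 2. How "complete" each account is. A user created through WordPress itself
--    gets a dozen or so usermeta rows (nickname, rich_editing, admin_color,
--    ...); an account written straight into the database, as the bot did here,
--    usually has only the one or two rows it needs in order to log in.
--    A very low count is therefore a useful signal of a user created outside
--    WordPress.
SELECT u.ID, u.user_login, COUNT(m.umeta_id) AS meta_rows,
       GROUP_CONCAT(m.meta_key ORDER BY m.meta_key) AS meta_keys
FROM wp_users AS u
LEFT JOIN wp_usermeta AS m ON m.user_id = u.ID
GROUP BY u.ID, u.user_login
ORDER BY meta_rows ASC;

-- 3. Everything stored for the suspect account, recorded before it is removed.
SELECT * FROM wp_users WHERE user_login = 'backup';
SELECT * FROM wp_usermeta
WHERE user_id IN (SELECT ID FROM wp_users WHERE user_login = 'backup');

-- 4. Anything the account authored (posts, pages, uploads). Content left behind
--    by an attacker should be reviewed, not silently orphaned by the delete.
SELECT ID, post_type, post_status, post_date, post_title
FROM wp_posts
WHERE post_author IN (SELECT ID FROM wp_users WHERE user_login = 'backup');

-- 5. Remove the account and its metadata. Done in a transaction so a mistake
--    can be rolled back; check the affected-row counts before COMMIT.
START TRANSACTION;
DELETE FROM wp_usermeta
WHERE user_id IN (SELECT ID FROM wp_users WHERE user_login = 'backup');
DELETE FROM wp_users WHERE user_login = 'backup';
COMMIT;
```

Query 2 is a heuristic, not proof: a legitimate account created by some migration or membership plugins can also carry few metadata rows, so treat a low count as a lead to verify against the registration date, e-mail address and login history rather than as a verdict on its own.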
My final task was a precautionary one: Change all the passwords, including his database password, FTP password, and cPanel password. I also:
- Installed plugins that would block XML-RPC and REST API access. (Reduce your attack surface as much as possible.)
- Instructed my friend to buy his own Wordfence Premium license.
Of course, there is the chance that the hacker got in via some other means, and so I told my friend to monitor his website closely.
It’s also worth noting that had he been a subscriber to my WebsiteOverwatch service, our firewall would have blocked the SQL injection attack in the first place.