Find the security hole on my site and prevent it [duplicate]

6

In the last day I noticed that my WordPress site was hacked and a PHP backdoor shell was installed on it. A virus scanner reported a plugin file in my wp-content/uploads that I didn't upload myself. It contained a WordPress plugin plus some PHP shells.

I don't know how this file got in; using this file, the hacker could access the root folder of my host, create files and change file permissions to allow them to be executed.

I don't know how this helps the hacker or what the benefit was for him/her, but he/she managed to create a file on my host and claim my site as his/her property on Google Search Console. I want to know:

  1. How can I find the security hole on my site?
  2. What was the benefit for the hacker of claiming my site as his/her property on Google Search Console? I removed him/her from my site's Google Search Console, but I want to know the risks this could pose for me.

I'm using WordPress 4.6.9. I have used plain FTP a few times for file transfers, which I guess could get me in trouble, but I'm not sure. I also noticed a change in the database size and in the host's disk usage.

[09/May/2018:11:23:46 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 45264 "http://my.site/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
[09/May/2018:12:01:48 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 45165 "http://my.site/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0"
[09/May/2018:12:22:13 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 404 24576 "http://my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
[09/May/2018:12:22:15 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 301 0 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36"
[09/May/2018:12:22:17 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 404 17044 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36"
[09/May/2018:12:22:19 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 301 0 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.0 Mobile/14F89 Safari/602.1"
[09/May/2018:12:22:20 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 404 24576 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.0 Mobile/14F89 Safari/602.1"
[09/May/2018:12:22:27 +0430] "POST /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 404 16927 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
[09/May/2018:12:22:29 +0430] "POST /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 404 24576 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1"
[09/May/2018:12:22:31 +0430] "POST /wp-content/plugins/background-image-cropper/image/ico/search.php HTTP/1.1" 404 17044 "http://my.site/wp-content/plugins/background-image-cropper/image/ico/search.php" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
[09/May/2018:12:22:34 +0430] "POST /wp-content/plugins/background-image-cropper/image/ico/search.php HTTP/1.1" 404 48900 "http://my.site/wp-content/plugins/background-image-cropper/image/ico/search.php" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
[10/May/2018:08:28:53 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99024 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[10/May/2018:08:28:57 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99024 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[10/May/2018:08:28:59 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99024 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[10/May/2018:08:29:02 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99024 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[10/May/2018:08:29:04 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99024 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[10/May/2018:08:29:06 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99033 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[10/May/2018:08:29:08 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99062 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[10/May/2018:11:08:58 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 45215 "http://my.site/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)"
[11/May/2018:08:51:13 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 45110 "http://my.site/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2913.70 Safari/537.36"
[16/May/2018:06:33:19 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 45322 "http://my.site/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:51.0) Gecko/20100101 Firefox/51.0"
[16/May/2018:09:11:02 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 404 48747 "http://my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
[16/May/2018:09:11:06 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 301 0 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G935F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36"
[16/May/2018:09:11:08 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 404 24576 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G935F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36"
[16/May/2018:09:11:20 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 301 0 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
[16/May/2018:09:11:25 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 404 16891 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
[16/May/2018:09:11:29 +0430] "POST /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 404 16941 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
[16/May/2018:09:11:32 +0430] "POST /wp-content/plugins/background-image-cropper/image/ico/search.php HTTP/1.1" 404 16963 "http://my.site/wp-content/plugins/background-image-cropper/image/ico/search.php" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
[16/May/2018:09:11:35 +0430] "POST /wp-content/plugins/background-image-cropper/image/ico/search.php HTTP/1.1" 404 16891 "http://my.site/wp-content/plugins/background-image-cropper/image/ico/search.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
[16/May/2018:09:11:27 +0430] "POST /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 404 40109 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36"
[17/May/2018:16:16:14 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99562 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[17/May/2018:16:16:16 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99562 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[17/May/2018:16:16:18 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99562 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[17/May/2018:16:16:21 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99562 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[17/May/2018:16:16:23 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99562 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[17/May/2018:16:16:26 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99676 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[17/May/2018:16:16:28 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99676 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[23/May/2018:16:46:27 +0430] "POST /wp-content/plugins/background-image-cropper/wp-post.php HTTP/1.1" 404 81920 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36"
[23/May/2018:16:46:57 +0430] "POST /wp-content/uploads/kc_extensions/background-image-cropper/wp-post.php HTTP/1.1" 404 99574 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36"
[24/May/2018:15:40:32 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 45263 "http://my.site/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2904.89 Safari/537.36"
[28/May/2018:14:35:16 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 45712 "http://my.site/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0)"
[29/May/2018:12:22:32 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 90112 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
[30/May/2018:01:44:44 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 45559 "http://my.site/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2703.62 Safari/537.36"
[31/May/2018:05:44:23 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100332 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
[31/May/2018:05:44:24 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100332 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
[31/May/2018:05:44:25 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100332 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
[31/May/2018:10:04:27 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100332 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[31/May/2018:10:04:29 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100303 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[31/May/2018:10:04:31 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100332 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[31/May/2018:10:04:33 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100332 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[31/May/2018:10:04:37 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100332 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[31/May/2018:10:04:39 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100560 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"
[31/May/2018:10:04:42 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100560 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36"

[01/Jun/2018:09:38:38 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100339 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
[01/Jun/2018:09:38:40 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100310 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
[01/Jun/2018:09:38:43 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100339 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
[01/Jun/2018:09:38:47 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 100339 "http://ya.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
[01/Jun/2018:16:06:12 +0430] "POST /wp-content/plugins/background-image-cropper/opn-post.php HTTP/1.1" 404 101532 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
[01/Jun/2018:16:06:19 +0430] "POST /wp-content/plugins/background-image-cropper/opn-post.php HTTP/1.1" 404 101503 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
[01/Jun/2018:16:06:25 +0430] "POST /wp-content/plugins/background-image-cropper/opn-post.php HTTP/1.1" 404 101532 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
[02/Jun/2018:07:24:00 +0430] "POST /wp-content/plugins/background-image-cropper/opn-post.php HTTP/1.1" 404 101421 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
[02/Jun/2018:07:24:05 +0430] "POST /wp-content/plugins/background-image-cropper/opn-post.php HTTP/1.1" 404 101421 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
[02/Jun/2018:07:24:11 +0430] "POST /wp-content/plugins/background-image-cropper/opn-post.php HTTP/1.1" 404 101421 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
[07/Jun/2018:16:40:49 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/search.php HTTP/1.1" 404 90112 "my.site" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36"
[07/Jun/2018:23:28:13 +0430] "GET /wp-content/plugins/background-image-cropper/image/ico/search.php HTTP/1.1" 404 98304 "my.site" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36"
[09/Jun/2018:14:32:25 +0430] "GET /wp-content/uploads/2018/05/background-image-cropper.zip HTTP/1.1" 404 101833 "http://my.site/wp-content/uploads/2018/05/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
[09/Jun/2018:14:32:33 +0430] "GET /wp-content/uploads/2018/05/background-image-cropper.zip HTTP/1.1" 404 101833 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
[09/Jun/2018:14:32:44 +0430] "GET /wp-content/uploads/2018/05/background-image-cropper.zip HTTP/1.1" 404 24684 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
[09/Jun/2018:14:32:57 +0430] "GET /wp-content/uploads/2018/05/Image_4-1-310x165.jpg HTTP/1.1" 200 13261 "http://my.site/wp-content/uploads/2018/05/background-image-cropper.zip" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
[09/Jun/2018:14:32:57 +0430] "GET /wp-content/uploads/2018/03/3338870a59339803fde5c832a78dc735-310x165.jpg HTTP/1.1" 200 12743 "http://my.site/wp-content/uploads/2018/05/background-image-cropper.zip" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
[09/Jun/2018:14:32:57 +0430] "GET /wp-content/uploads/2018/04/%D8%AD%D9%85%D8%A7%D9%85-1-310x165.jpg HTTP/1.1" 200 12613 "http://my.site/wp-content/uploads/2018/05/background-image-cropper.zip" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
[09/Jun/2018:14:32:57 +0430] "GET /wp-content/uploads/2018/05/Image_10-310x165.jpg HTTP/1.1" 200 19456 "http://my.site/wp-content/uploads/2018/05/background-image-cropper.zip" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
[09/Jun/2018:14:32:58 +0430] "GET /wp-content/plugins/WP_Visual_Chat/assets/images/administrator-2-128.png HTTP/1.1" 200 2999 "http://my.site/wp-content/uploads/2018/05/background-image-cropper.zip" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
[09/Jun/2018:14:32:58 +0430] "POST /?wc-ajax=get_refreshed_fragments HTTP/1.1" 200 411 "http://my.site/wp-content/uploads/2018/05/background-image-cropper.zip" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
[09/Jun/2018:14:32:58 +0430] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 35 "http://my.site/wp-content/uploads/2018/05/background-image-cropper.zip" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
asked by VSB on 10.06.2018 - 10:59
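An added example, not part of the original question: a small Python triage pass over access-log lines in the format the poster shows (combined log format without the client IP column). The sample lines are constructed to resemble the posted ones, with shortened user-agent strings. The hostnames in `SITE_HOSTS` and the three rules (PHP requested under wp-content/uploads, a POST to a PHP file inside a plugin directory, an off-site referer on a PHP request) are assumptions about what a defender would look for, as is the heuristic that a 404 whose body size swings by tens of kilobytes for the same path was produced by a script rather than by the server's static error page.

```python
"""Triage of combined-format access log lines (added example, not from the post).

Assumed layout: the client IP column has been removed, as in the posted log.
Rules and thresholds are illustrative assumptions, not a description of any tool.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\]\s+"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+"\s+'
    r'(?P<status>\d{3})\s+(?P<size>\d+|-)\s+"(?P<referer>[^"]*)"\s+"(?P<ua>[^"]*)"'
)

# Assumed: the site's own hostnames; a referer from anywhere else is "off-site".
SITE_HOSTS = {"my.site", "www.my.site"}

# Constructed sample, modelled on the posted lines (user agents shortened).
SAMPLE_LOG = """\
[09/May/2018:11:23:46 +0430] "GET /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 45264 "http://my.site/wp-admin/update.php?action=upload-plugin" "UA-1"
[09/May/2018:12:22:27 +0430] "POST /wp-content/plugins/background-image-cropper/image/ico/dump.php HTTP/1.1" 404 16927 "http://www.my.site/wp-content/plugins/background-image-cropper/image/ico/dump.php" "UA-2"
[10/May/2018:08:28:57 +0430] "POST /wp-content/plugins/background-image-cropper/accesson.php HTTP/1.1" 404 99024 "http://ya.ru/" "UA-3"
[23/May/2018:16:46:57 +0430] "POST /wp-content/uploads/kc_extensions/background-image-cropper/wp-post.php HTTP/1.1" 404 99574 "-" "UA-4"
[09/Jun/2018:14:32:57 +0430] "GET /wp-content/uploads/2018/05/Image_4-1-310x165.jpg HTTP/1.1" 200 13261 "http://my.site/" "UA-5"
[09/Jun/2018:14:32:58 +0430] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 35 "http://my.site/" "UA-5"
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip().lstrip("> -"))  # tolerate paste artifacts
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def referer_host(referer):
    """Hostname of the referer, or None when the field is empty or '-'."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer if "://" in referer else "//" + referer).hostname


def flag_record(rec):
    """Apply the per-request rules; returns a list of reason tags."""
    reasons = []
    path = rec["path"]
    if path.startswith("/wp-content/uploads/") and path.endswith(".php"):
        reasons.append("php-under-uploads")  # uploads should only hold media
    if rec["method"] == "POST" and path.endswith(".php") and "/wp-content/plugins/" in path:
        reasons.append("post-to-plugin-php")  # plugin scripts are rarely POSTed to directly
    host = referer_host(rec["referer"])
    if host and host not in SITE_HOSTS and path.endswith(".php"):
        reasons.append("offsite-referer")
    return reasons


def triage(log_text):
    """Return {path: sorted reason tags} for every path that tripped a rule."""
    flagged = defaultdict(set)
    sizes_404 = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for reason in flag_record(rec):
            flagged[rec["path"]].add(reason)
        if rec["status"] == 404:
            sizes_404[rec["path"]].add(rec["size"])
    # Heuristic: a static 404 page has a stable size. A 404 for the same path
    # whose body size varies by more than 10 KB was most likely script output.
    for path, sizes in sizes_404.items():
        if len(sizes) > 1 and max(sizes) - min(sizes) > 10_000:
            flagged[path].add("variable-404-body")
    return {path: sorted(reasons) for path, reasons in flagged.items()}


if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(path, "->", ", ".join(reasons))
```

Run it on the real file with `triage(open("access.log").read())`. The paths it returns are the ones to pull out of the saved copy of the site and inspect; a hit is a lead for investigation, not proof on its own.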

1 answer

15

> hacker could access root folder of my host, create files and change permission of file to allow them to be executed.

So you basically have an unlimited compromise of your system, and that includes all user data, database passwords, API keys...

Boy, you have some passwords to change. Have fun.

If your system is still running: kill it. At this point, your server is not yours. You say you notice changes in the database and in the host's disk usage, and the best explanations range from abuse of your system as an ad-posting bot, to command-and-control backup for some botnet, to distribution of child pornography.

The change in Google Search Console might indicate a rather benign (planned?) use in a scheme where your site was to be modified to generate illicit ad revenue, or simply to act as a forwarder to a different site. In any case, it indicates that the takeover didn't happen just to mine crypto, so the original attacker probably had a different detection-risk/profit trade-off in mind.

Stop it. Save a snapshot for later investigation / proof of innocence. Flatten the system. Build a new, minimal system.

All of this indicates that it really wasn't worth the time to figure out the security hole. Your system was insecure, and I'll be honest: it probably all starts with running WordPress with random plugins. So, with all the brutal honesty I can bring to the face of someone who probably "just wants to run a website":

Ditch WordPress.
Or run it only locally on your computer to generate static sites and upload those. But at that point, other CMSes become much more comfortable to use. Run your web server in a container, separated from the database, with read-only access to the content/scripts it serves; SELinux makes many things easier to configure more securely these days. Use it; I've seen more than one PHP shell thwarted by the simple "no, that process can't access anything but the folders it was meant to access" that SELinux offers. This is all "standard" these days, and all surprisingly easy (unless you follow some bad tutorial that tells you to "stop SELinux, because it's hard to use". Looking at you here, DigitalOcean.)

> I've used plain-ftp

Not good. TLS-wrapped FTP is available on any system these days. Or go straight for SSH/SCP (a better file-listing protocol than FTP); in any case, this is only a security problem if the malicious party was able to eavesdrop. But that can happen on shared hosting, on WiFis, on home networks... so, no, unencrypted access to a server simply isn't necessary and can be avoided at no additional cost or complexity. Don't do it.

answered 10.06.2018 - 11:17
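An added example, not from the answer and not WordPress's own code: a Python sweep that can be run offline over the snapshot the answer says to keep before flattening the system. It assumes a stock WordPress directory layout and checks two indicators taken from the question itself: PHP code under wp-content/uploads (which should hold only media, so a PHP open tag inside an "image" there is a finding) and files somebody has made executable. The sample document root is constructed inside a temporary directory; its file names and contents are made up for the demonstration.

```python
"""Offline sweep of a saved WordPress document root (added example, not from the post).

Assumptions: stock WordPress layout; the copy was taken from the snapshot kept for
later investigation. Indicators are illustrative, not an exhaustive scanner.
"""
import os
import stat
import tempfile

PHP_EXTS = (".php", ".phtml", ".php5", ".phar")
PHP_SIGNATURES = (b"<?php", b"<?=")


def looks_like_php(path):
    """True for PHP extensions or files whose first bytes are a PHP open tag."""
    if path.lower().endswith(PHP_EXTS):
        return True
    # Catch droppers renamed to .jpg/.ico etc. that still start with PHP code.
    try:
        with open(path, "rb") as fh:
            head = fh.read(64).lstrip()
    except OSError:
        return False
    return head.startswith(PHP_SIGNATURES)


def sweep(docroot):
    """Return a sorted list of (relative path, reason) findings under docroot."""
    findings = []
    uploads = os.path.join(docroot, "wp-content", "uploads") + os.sep
    for dirpath, _, filenames in os.walk(docroot):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, docroot)
            if full.startswith(uploads) and looks_like_php(full):
                findings.append((rel, "php-under-uploads"))
            mode = os.lstat(full).st_mode
            # Web content never needs the execute bit; the poster reported
            # permissions being changed to allow execution.
            if stat.S_ISREG(mode) and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                findings.append((rel, "executable-bit"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample docroot: a real image, a PHP file disguised as an
    image, and a PHP file that was chmod-ed executable. Returns the root path."""
    root = tempfile.mkdtemp(prefix="wp-sample-")

    def put(rel, data, mode=0o644):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)
        os.chmod(p, mode)

    put("index.php", b"<?php require 'wp-blog-header.php';")
    put("wp-content/uploads/2018/05/photo.jpg", b"\xff\xd8\xff\xe0 constructed jpeg bytes")
    put("wp-content/uploads/2018/05/image.jpg", b"<?php /* constructed: PHP hiding as an image */")
    put("wp-content/uploads/kc_extensions/wp-post.php", b"<?php /* constructed */", 0o755)
    return root


if __name__ == "__main__":
    for rel, reason in sweep(build_sample_tree()):
        print(f"{reason:20s} {rel}")
```

Point `sweep()` at the root of the copied site rather than at the live server; the live box is the one the answer says to stop trusting, and the sweep is meant to tell you which files to preserve and look at, not to clean anything in place.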
