Last night and on through this morning, my site has started coming under heavy attack from all over the world – but mostly out of the Asia Pacific region. More specifically, from Ukraine, Germany, Vietnam, Brisbane and China. What I uncovered was a new hacking technique I had never come across before, attempting to exploit http transports of cloud data services which hackers expected to be connected to my WordPress account. While the incident can be thought of more as a “probe” than an outright “hack,” it did reveal a lot about the strategy they had hoped to employ.
Auditing my firewall logs, it appears as though hackers were first attempting to run XSS attacks against my php file setup, hoping I had made/built custom edits to it through phpMyAdmin (pma) shell at some point or another in the past. When that didn’t work, hackers started probing my site to find out whether or not my account was tied to Oracle WebLogic. For example, hackers repeatedly kept running a string of probes that looked something like this:
There were over 40 more additional logs just like this made over the course of a 12-14 hour time span, from multiple IP’s. Upon investigation, hackers were attempting to do two things; launch a ClientSide denial of service attacks against my website and/or gain administrative privileges to it by hacking/exploiting 3rd party add-on’s/services tied to my WordPress account. What the hackers did not anticipate however is that I run my website through WordPress.com – not WordPress.org. This is important to understand because Oracle’s services can only be installed through WordPress.org accounts, which require owners to set up and host their own name servers/accounts – often times through Oracle, which just so happens to be one one of the Internets largest companies.
While I do not own a WordPress.org account personally, this is something to watch out for. It is also a good idea to write a rule or install a plugin forcing all network traffic through https. You should also block/ban bad query strings and enforce HSTS security headers for each of your pages sites or article. TLS is also a must in 2018. As of 10/17/2018 this information has been reported to both WordPress and Oracle respectively.
Categories: Hacking News