What does "spamvertised website" mean and has this happened to any one else before?
#4
Fortunately, I personally have never had such an experience with WordPress or other software. A few years ago though, when FreeVPS Directory & Discussion was still active, I had the chance to help a person with exactly the same issue as you. They also hosted a WordPress site with plugins and other things for WordPress. Their VPS was suspended by the sponsor. I was asked to help investigate the case.

A few key statements to note:
1) They only used SSH public key login (no password login allowed on the whole system) with a passphrase-protected key pair.
2) They did not use a web hosting control panel or similar. Instead they set up a LEMP stack by hand via the command line.
3) They installed WordPress and other things by hand.

So the security of the VPS itself was actually fine in terms of SSH, and the only attack surface that existed was WordPress. It may be worth noting that they hosted multiple blogs via different vHosts and only one was hacked.

Hackers placed a phishing page for PayPal on the server and tried to steal information from people. The provider probably got a complaint which, however, wasn't forwarded to us or the VPS owner. They only suspended the VPS and later answered our ticket with the reason and a screenshot of the phishing page. The provider was pretty cool with the situation though. They unsuspended the VPS, stopped the web server services and such.

I investigated it. The files that were placed by the hacker had been hidden by them deep in the actual hacked WordPress blog. To this day I have no clue how it was done. I did discover some PHP shell files though, and I guess these ended up there through security holes in WordPress that allowed an attacker to run arbitrary malicious code to upload the shell. PHP shells are a nasty thing since they can basically use such security holes to run code modifications on the system as ROOT without SSH access.

Well, my two cents about such cases.
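For anyone facing the kind of cleanup described in the post above, here is an added example (not part of the original post) of a first-pass triage script that walks a WordPress document root and lists PHP files worth a manual look. The three heuristics, the regex and the sample tree are assumptions made for this example; the directory names follow the standard WordPress layout.

```python
import re
import tempfile
from pathlib import Path

# Heuristics chosen for this example (assumptions, not taken from the post).
PHP_EXT = {".php", ".phtml", ".php5", ".phar"}
EXEC_ON_INPUT = re.compile(
    rb"\b(eval|assert|system|passthru|shell_exec)\s*\(\s*"
    rb"(base64_decode|gzinflate|str_rot13|\$_(GET|POST|REQUEST|COOKIE))", re.I)

def triage(docroot):
    """Return {relative_path: [reasons]} for PHP files worth a manual look."""
    root, findings = Path(docroot), {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_EXT:
            continue
        rel = path.relative_to(root)
        reasons = []
        # WordPress keeps media in wp-content/uploads; PHP there is unusual.
        if rel.parts[:2] == ("wp-content", "uploads"):
            reasons.append("php-in-uploads")
        # Dot-prefixed files and directories do not show up in a plain `ls`.
        if any(part.startswith(".") for part in rel.parts):
            reasons.append("hidden-path")
        # Code execution fed directly by request data or a decoded blob.
        if EXEC_ON_INPUT.search(path.read_bytes()):
            reasons.append("exec-on-input")
        if reasons:
            findings[rel.as_posix()] = reasons
    return findings

def build_sample_tree(base):
    """Constructed sample docroot: one clean file, three flagged ones (inert)."""
    files = {
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';",
        "wp-content/uploads/2019/07/img.php": b"<?php echo 'constructed';",
        "wp-content/plugins/demo/.cache/login.php": b"<?php echo 'form';",
        "wp-includes/class-wp-old.php":
            b"<?php @eval ( base64_decode('ZWNobyAxOw=='));",  # decodes to "echo 1;"
    }
    for rel, body in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reasons in triage(build_sample_tree(tmp)).items():
            print(f"{rel}: {', '.join(reasons)}")
```

A hit is only a pointer for manual review; comparing the flagged files against a clean copy of the same WordPress and plugin versions tells you which ones do not belong.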


Messages In This Thread
RE: What does "spamvertised website" mean and has this happened to any one else before? - by Mashiro - 07-30-2019, 07:11 PM
