This time it was not my WP site. Rather, somehow they managed to attack my html/* directory directly. I thought I had locked up access but it seems I missed something somewhere.
The attacker installed a new directory and some php files and a directory of files with sha’s for names into my account and added an .htaccess file to my html-root to invoke the php.
- blackbirds-hurricane.php: has a reversed string to eval (base64_decode) <some big long string I guess I need to decode>.
- dir.php:
Fortunately I have my account backed up in a git project locally so I can quickly diff what the heck is going on by scp-ing my site over my local copy and run “git diff” to see the new files and changes. This attack did not change existing files. It added files .htaccess and the php files commented above.
I don’t know how they got access to my http document directory yet. But, I’ve restored the site to what was there before and closed up an old django prototype I had running on my site (just in case that was the attack vector).
But, some interesting notes:
- in python to reverse a string use something like my-long-string[::-1] (worked great)
- to decode use base64 --decode (cat decode.me | base64 --decode > decoded.file)
- The decoded attack was a php file that had the following URL hidden in it f.gghijacktest.com
- when I went to this url the page was an empty document.
- http://wa-com.com/gghijacktest.com shows that the attackers are from France. Wow, that’s a change from the Slavic attacks I’m accustomed to.
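The reverse-then-base64-decode step from the notes above, as an added Python example (not the author's script): it pulls every base64-looking quoted literal out of a PHP file, reverses it, decodes it, and lists any URLs in the result, which is how the hidden domain was found. The sample PHP, its strrev() wrapper and the example.invalid URL are constructed here, not taken from the attacker's file.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample (not the author's blackbirds-hurricane.php): a harmless
# PHP snippet, base64-encoded and then reversed, wrapped in the
# eval(base64_decode(<reversed string>)) shape described in the post.
SAMPLE_PAYLOAD = b'$u = "http://f.example.invalid/check"; echo "benign";'
SAMPLE_PHP = (
    "<?php eval(base64_decode(strrev('"
    + base64.b64encode(SAMPLE_PAYLOAD).decode("ascii")[::-1]
    + "'))); ?>"
)

# Any quoted literal made only of base64 characters, at least 32 chars long.
BLOB_RE = re.compile(r"""['"]([A-Za-z0-9+/=]{32,})['"]""")
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[^\s'\"<>]*)?")


def decode_layer(blob: str) -> Optional[bytes]:
    """Reverse the literal (the [::-1] trick) and base64-decode it.
    Returns None when the reversed text is not clean base64, so literals
    that are not the obfuscated payload are skipped instead of crashing."""
    try:
        return base64.b64decode(blob[::-1], validate=True)
    except (binascii.Error, ValueError):
        return None


def find_urls(data: bytes) -> list:
    """Pull http(s) URLs out of a decoded payload, as the post did by hand."""
    return [m.decode("ascii", "replace") for m in URL_RE.findall(data)]


def analyse(php_source: str) -> dict:
    """Decode every reversed-base64 literal in a PHP file and collect URLs."""
    layers, urls = [], []
    for blob in BLOB_RE.findall(php_source):
        decoded = decode_layer(blob)
        if decoded is None:
            continue
        layers.append(decoded)
        urls.extend(find_urls(decoded))
    return {"layers": layers, "urls": urls}


if __name__ == "__main__":
    result = analyse(SAMPLE_PHP)
    for layer in result["layers"]:
        print(layer.decode("utf-8", "replace"))
    print("URLs:", result["urls"])
```

Run it against a real sample by reading the file into `analyse()` instead of `SAMPLE_PHP`; a payload that is itself another eval layer can be fed back through `analyse()` after decoding.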
Thanks to google for flagging the attack!