I’ve been hacked

I know it’s far easier to just sweep this news under the rug, but for the sake of transparency it’s fair to bring this out in the open. If you look at my last post date (Feb. 2017), you can see that between consulting and work projects, I’ve let the site collect cobwebs. Needless to say, I’ve been perplexed as to what happened, which is why I feel compelled to inform you.


Details:


I recently received an order for the shop and fulfilled it. The way I do things is I have an email sent to me with the details, fulfill the order, then log in to mark it as shipped. Imagine my surprise when the site kept saying my username was invalid. I initiated the password reset and my heart sank when I saw:


pwnd 🙁

WHO’S THIS GUY?!?… not mee tho :\


Needless to say, the next step was to look through my raw access files to determine when the change occurred…all 2.36 GB worth….Opening the first file to scroll through now [LOL]…meh, I don’t have time for that… therefore grep it is!

grep -r "faisa69" ./

Nothing found… Okay, let’s try another username {redacted}… Alrighty, so it appears that nothing happens via GET on my access logs when parsing by usernames. I suppose that’s a good thing because it means that login usernames do not appear to be leaking from a malicious script, but right now I don’t know when access was changed, sooo… I’m at a dead end 🙁

Okay, I’ve had an hour or so to brainstorm a few more ideas…one that came to mind was to look through my database query history to see when the table was last updated (besides today of course).  I find the command

cat ~/.mysql_history

but that yields nothing, just the same after attempting to run it on the production box via SSH… Okay, I’m out of ideas until googling lands me onto sucuri.net, which pretty much suggests the same thing (to parse my log files). I’ve done as they suggested and consolidated them into a single file… admittedly, I’m really bad with grep simply because I don’t use it very much nor with much depth. Lucky me, I’m getting practical experience here w/ 2 GB of goodness… okay, so after a bit of trial and error I’ve been able to water the behemoth down to about 610 entries (way more digestible!), using this string:

cat access_log | grep /2017 | grep POST | grep http://honeybadgerofmoney.com | grep wp-admin

If I understand correctly, I’m looking for any POST requests under this domain that resolve to /wp-admin/* that occurred this past year. Looking through it, I can’t find anything in particular – no unrecognizable IP addresses that resolve with a 200 (success) HTTP response on admin.php pages. Tried it again with:


cat access_log | grep /2017 | grep POST | grep http://honeybadgerofmoney.com | grep admin.php

Worse still, nothing out of the ordinary, AGAIN 🙁 All I’m seeing is logins from myself (matching my user agent string and my IP address) or search crawling from Baidu or 360Spider:

Thus again, I am at a dead end 🙁
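The log triage above, written out as an added example that is not part of the original post and not the author's own tooling: a small Python script that parses Apache combined-format access log lines, keeps only POST requests to the WordPress login/admin surface from IPs you have not listed as your own, and summarizes each remaining IP. The sample lines are constructed for the example (documentation IP ranges, example.com); they are not from the author's logs. Two design choices differ from the grep chain: the filter keys on the request path rather than on the site URL (which in combined format matches the Referer field, so a scripted login that sends no Referer would be dropped), and it reads the wp-login.php status code the way WordPress actually uses it, where a 200 after a POST means the form was re-shown after a failed attempt and a 302 means the login succeeded. A takeover through a vulnerable plugin's own endpoint would not show up here; only logins through wp-login.php do.

```python
import re

# Apache "combined" log format, the default for most shared-hosting raw access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Paths an attacker has to POST to in order to log in or change an account.
ADMIN_PREFIXES = ("/wp-login.php", "/wp-admin/", "/xmlrpc.php")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def admin_posts(lines, known_ips=()):
    """Yield parsed POST requests to the admin surface from IPs not in known_ips."""
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith(ADMIN_PREFIXES):
            continue
        if rec["ip"] in known_ips:
            continue
        yield rec


def summarize(lines, known_ips=()):
    """Per-IP summary: POST count, failed/successful logins, post-login actions, agents."""
    out = {}
    for rec in admin_posts(lines, known_ips):
        s = out.setdefault(rec["ip"], {
            "posts": 0, "login_failures": 0, "login_successes": 0,
            "post_login_actions": [], "agents": set(),
            "first": rec["ts"], "last": rec["ts"],
        })
        s["posts"] += 1
        s["last"] = rec["ts"]
        s["agents"].add(rec["ua"] or "-")
        path = rec["path"].split("?", 1)[0]
        if path == "/wp-login.php":
            # wp-login.php answers a bad password by re-rendering the form (200)
            # and a good one with a redirect into the dashboard (302).
            if rec["status"] == "302":
                s["login_successes"] += 1
            elif rec["status"] == "200":
                s["login_failures"] += 1
        elif path in ("/xmlrpc.php", "/wp-admin/admin-ajax.php"):
            # Both answer 200 whether or not the call succeeded and are reachable
            # without a session, so they only count toward the raw POST total.
            pass
        elif s["login_successes"]:
            # Other /wp-admin/ POSTs from an IP that already logged in are what was
            # done with that session (profile.php is where email/password change).
            s["post_login_actions"].append(path)
    return out


def suspects(lines, known_ips=()):
    """IPs with at least one successful wp-login.php POST, most active first."""
    summary = summarize(lines, known_ips)
    return sorted((ip for ip, s in summary.items() if s["login_successes"]),
                  key=lambda ip: -summary[ip]["posts"])


# Constructed sample (not real log data): 203.0.113.5 stands in for the site
# owner, 198.51.100.23 for an attacker scripting logins, 192.0.2.77 for a crawler.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Mar/2017:10:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 10.0) Firefox/52.0"
203.0.113.5 - - [03/Mar/2017:10:05:40 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 "https://example.com/wp-admin/post.php?post=12&action=edit" "Mozilla/5.0 (Windows NT 10.0) Firefox/52.0"
198.51.100.23 - - [14/Nov/2017:03:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3811 "-" "python-requests/2.18.4"
198.51.100.23 - - [14/Nov/2017:03:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3811 "-" "python-requests/2.18.4"
198.51.100.23 - - [14/Nov/2017:03:12:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.18.4"
198.51.100.23 - - [14/Nov/2017:03:12:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.18.4"
198.51.100.23 - - [14/Nov/2017:03:12:09 +0000] "POST /wp-admin/profile.php HTTP/1.1" 302 0 "-" "python-requests/2.18.4"
192.0.2.77 - - [15/Nov/2017:08:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=x HTTP/1.1" 400 0 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0)"
"""

if __name__ == "__main__":
    import sys
    # usage: python wp_admin_posts.py access_log [owner_ip ...]
    # With no arguments it runs over the constructed sample above.
    known = set(sys.argv[2:])
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    summary = summarize(lines, known)
    for ip in suspects(lines, known):
        s = summary[ip]
        print(f"{ip}: {s['posts']} admin POSTs, {s['login_failures']} failed / "
              f"{s['login_successes']} successful logins, {s['first']} .. {s['last']}")
        print(f"  agents: {sorted(s['agents'])}")
        print(f"  post-login actions: {s['post_login_actions']}")
```

Run it over the consolidated access log with your own IP(s) as the trailing arguments; an IP that shows a string of 200s on wp-login.php, then a 302, then a POST to /wp-admin/profile.php is the pattern of a guessed or stuffed password followed by an email/password change. Logs from the site's own plugin endpoints (anything outside /wp-login.php, /wp-admin/ and /xmlrpc.php) are deliberately not covered, so extend ADMIN_PREFIXES if a suspect plugin exposes its own handler.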

Damage Control

So far I can’t see if any real damage has been done… honeybadgerofmoney.com is a storefront site, but I mainly accept cryptocurrency – I think over the entire history of being online I have only had one PayPal order. I do not process credit cards on my site otherwise. There is old order history for past freebies I’ve given away, and I have perhaps 15 users that decided to set up credentials on my site for whatever reason – I would perhaps suspect two of those logins to be nefarious – except when looking at roles, I see none of them were changed to admin, which suggests they are indeed innocuous.

Presumably our hacker has taken copies of the names, email addresses, and mailing addresses of past customers. I did not require usernames/passwords to be saved. As per accepted security standards, all my passwords were saved as salted, encrypted hashes. I do not see any posts or pages that were not created by me. (In case you’re curious, WordPress pages are dedicated markup that can be linked to and can help rank SEO differently than posts, which are sequential articles that are generated and stored using a database in a manner different from pages.)

I did notice a few weeks ago that I was getting a password reset request every day from pexpeppers (which reminds me I need to let them know). Otherwise, nothing looks amiss, so I presume the hacker could only change the password to my WordPress admin for this site but not for the others (such as strongarmskeptic), nor could they access my email, based on the fact that the password remains the same and I don’t see any outbound emails from the email address related to honeybadgerofmoney.com that I didn’t initiate.


Lessons

Looking through the plugins installed, I saw that I had many old plugins disabled but not actually deleted. I wasn’t a victim of social engineering (as I don’t give anyone passwords over the phone anyway 🤣), so I have to presume that an old, outdated plugin was exploited and allowed the hacker to replace my username and password with one of their own – the system still had my old email in place, so it’s probable that they gained access to log in, poked around, saw that this site is a minnow target, then moved on. I have since deleted the old/unused plugins and have updated the others. In retrospect, I wish now that I had MySQL logging turned on so that I could see precisely when my user information was changed. I’m going to finish off here, but if you have ANY ideas or suggestions as to how my systems were compromised besides what I mentioned above, I’m all eyes (as you’re typing, not speaking).


PS:

I’m not sure if I intend to disappear into the ether again and to surface later. At minimum, I do have two other articles I’ve been sitting on but intend to write eventually, that aren’t already covered elsewhere in our land of Bitcoin, but these days I’m fully booked in terms of time to set aside for side projects. To you, fellow traveller, thank you for being on this journey with me in cryptocurrency, and don’t be shy! I’m always here to answer any question you may have or to share feedback/guidance if need be.

Post Author: Frankenmint

From the pristine land of the internetz, Frankenmint was bred from machine. While looking to embrace the new world Linux regime, he is truly Windows-bred. I’ve come from the darkness to the light to share with you other internetz fol-ken the message of virtual money. Through our actions, we can make the virtual world yet again beyond the decree of the internet, with the decree of internetz money! Bitcoin, the Supercurrency, the official tender of the internetz that will be accepted by all countries and all fol-ken alike!