This blog started as a team project. Like many things in life, sometimes it works out and sometimes it doesn't. Because of that, and the way it was set up, the blog quickly became an orphaned project. As a cherry on top, it got hacked, courtesy of the friendly people over at letsmakeparty3.ga.

The moment you realize

It's not my content

Once it became clear that I'd been hacked, I had to decide how to proceed. Should I delete it and be done with it, or try to fix it up again? After some thinking, I decided to look for some answers first.

  • The first thing I had to check was what visitors experience once they land on the blog.
  • I fired up a virtual machine and browsed the main page.
  • I was welcomed by an ad of choice, ranging from some game to mature content.
  • The original content was no longer presented at all: just a loading loop followed by a redirect to an ad-infested external address.
GET requests sent while browsing the landing page

Each of those requests points to the same domain, with the path of the original asset percent-encoded into the URL:

https://allow.letsmakeparty3.ga/request?Type=api&query=034

A detailed example of one such request, as captured while loading the landing page. Note that the rewritten URL carries the original stylesheet path in the query parameter, and that the request to the proxy failed with net::ERR_CONNECTION_CLOSED.

{
    "request": {
      "requestId": "823.2",
      "loaderId": "0199CF47E4853990B3D14A0D2DC74C8F",
      "documentURL": "https://www.techguidereview.com/",
      "request": {
        "url": "https://allow.letsmakeparty3.ga/request?Type=api&query=034%2Fwp-content%2Fplugins%2Furvanov-syntax-highlighter%2Fthemes%2Fshell-default%2Fshell-default.css&ver=2.8.12",
        "method": "GET",
        "headers": {
          "Referer": "https://www.techguidereview.com/",
          "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
        },
        "mixedContentType": "none",
        "initialPriority": "VeryHigh",
        "referrerPolicy": "no-referrer-when-downgrade"
      },
      "timestamp": 11043365.486231,
      "wallTime": 1599829290.344689,
      "initiator": {
        "type": "parser",
        "url": "https://www.techguidereview.com/",
        "lineNumber": 29
      },
      "type": "Stylesheet",
      "frameId": "9109E81424335C0CE4E89668078B5C62",
      "hasUserGesture": false
    },
    "response": {
      "encodedDataLength": 0,
      "dataLength": 0,
      "failed": {
        "requestId": "823.2",
        "timestamp": 11043380.703885,
        "type": "Stylesheet",
        "errorText": "net::ERR_CONNECTION_CLOSED",
        "canceled": false
      }
    },
    "initiatorInfo": {
      "url": "https://www.techguidereview.com/",
      "host": "www.techguidereview.com",
      "type": "parser"
    }
}

Files in /wp-content/plugins whose requests were rewritten

easy-table-of-contents/assets/css/screen.min.css (ver=2.0.11)
easy-table-of-contents/vendor/icomoon/style.min.css (ver=2.0.11)
total-theme-core/inc/wpbakery/assets/js/vcex-front.min.js (ver=1.1.1)
urvanov-syntax-highlighter/fonts/consolas.css (ver=2.8.12)
urvanov-syntax-highlighter/themes/shell-default/shell-default.css (ver=2.8.12)

Files in /wp-content/themes whose requests were rewritten

techguidereview/assets/css/wpex-visual-composer.css (ver=4.9.9.1)
techguidereview/assets/js/dynamic/retina.js (ver=1.3)
techguidereview/assets/js/total.min.js (ver=4.9.9.1)
techguidereview/style.css (ver=5.4.2)
techguidereview-child-theme/style.css (ver=4.9.9.1)

Files in /wp-content/uploads whose requests were rewritten

urvanov-syntax-highlighter/themes/commandprompt-custom/commandprompt-custom.css (ver=2.8.12)
urvanov-syntax-highlighter/themes/powershell-custom/powershell-custom.css (ver=2.8.12)
urvanov-syntax-highlighter/themes/shell-custom/shell-custom.css (ver=2.8.12)
wp-content/uploads/2019/01/office365logo.png
wp-content/uploads/2019/02/TreeSize-pane.png
wp-content/uploads/2019/02/docker-logo-7.jpg
wp-content/uploads/2019/12/example_featuredimage.png

Files in /wp-includes whose requests were rewritten

jquery/jquery-migrate.min.js (ver=1.4.1)
jquery/jquery.js (ver=1.12.4-wp)
wp-embed.min.js (ver=5.4.2)
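To triage a capture like the one above, the rewritten URLs can be decoded back to the on-site asset each one replaced: the proxy puts the original path, percent-encoded, behind a fixed query=034 prefix. The following is an added example and not code from the original post. It assumes the capture is a list of entries in the shape shown above (the URL under request.request.url), treats the 034 prefix as opaque (every captured request carried it, but its meaning is not known), and uses the site's own hostname as the only trusted origin for static assets.

```python
from urllib.parse import urlsplit, parse_qs

SITE_HOST = "www.techguidereview.com"

# Constructed sample in the shape of the capture shown above. The first URL is
# the captured one, the second is built from the affected-plugin list and the
# third is what an untouched on-site asset looks like. Only the proxy domain,
# the "query=034" prefix and the percent-encoded path are taken from the
# capture; nothing else about the proxy is assumed.
CAPTURED = [
    {"request": {"request": {"url":
        "https://allow.letsmakeparty3.ga/request?Type=api&query=034%2Fwp-content"
        "%2Fplugins%2Furvanov-syntax-highlighter%2Fthemes%2Fshell-default"
        "%2Fshell-default.css&ver=2.8.12"}}},
    {"request": {"request": {"url":
        "https://allow.letsmakeparty3.ga/request?Type=api&query=034%2Fwp-content"
        "%2Fplugins%2Feasy-table-of-contents%2Fassets%2Fcss%2Fscreen.min.css"
        "&ver=2.0.11"}}},
    {"request": {"request": {"url":
        "https://www.techguidereview.com/wp-content/themes/techguidereview/"
        "style.css?ver=5.4.2"}}},
]


def recover_original_asset(url, site_host=SITE_HOST):
    """For a request that left the site, return (off_site_host, original_path, ver).

    original_path is the on-site path hidden in the "query" parameter, or None
    when the off-site URL does not follow the proxy pattern. Returns None for
    assets served by the site itself."""
    parts = urlsplit(url)
    if parts.netloc == site_host:
        return None
    qs = parse_qs(parts.query)            # percent-decodes %2F back to "/"
    value = qs.get("query", [""])[0]      # e.g. "034/wp-content/plugins/..."
    slash = value.find("/")               # skip the opaque "034" prefix
    if slash < 0:
        return (parts.netloc, None, None)
    return (parts.netloc, value[slash:], qs.get("ver", [None])[0])


def triage_capture(entries, site_host=SITE_HOST):
    """Map every off-site request in a capture to the on-site asset it replaced."""
    findings = []
    for entry in entries:
        hit = recover_original_asset(entry["request"]["request"]["url"], site_host)
        if hit is not None:
            findings.append(hit)
    return findings


def summarize_hosts(findings):
    """Count off-site hosts: one host carrying every asset is the proxy signature."""
    counts = {}
    for host, _, _ in findings:
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage_capture(CAPTURED)
    for host, path, ver in hits:
        print(f"{host} -> {path} (ver={ver})")
    print(summarize_hosts(hits))
```

Run against a full capture, the summary shows at a glance whether a single off-site host is carrying every stylesheet, script and image, and the recovered paths tell you which plugin, theme and upload references were rewritten without having to read each encoded URL by hand.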

Becoming a proxy for malicious content

Clicking on an article that is supposed to be useful and seeing intrusive ads is one thing. Losing readers, with your traffic becoming close to non-existent, is another.

So where is this party?

Being an adventurer and a massive proponent of parties, I decided to look for this party myself. It quickly became apparent where they host all the good stuff. Welcome to the Netherlands! The land of cheese, weed, and AS49447. According to urlscan.io, this is the right spot for a party; a lot of them are happening over there. Just have a look at the recent scans for AS49447.

While this looks like a fun place to be, I was looking for a rather specific kind of party.

Although the party is hosted in the Netherlands, the domain and its owner are having fun at different addresses. Should you have the urge for a party, I've left some contact details down below.

Takeaways

  • Don't leave your website unattended for extended periods.
  • Check for updates regularly.

Finding a cure

Backups, you say?

Having a good backup plan is usually a good idea; testing it during peacetime is even better. While researching this topic, I found out that a compromise like this one probably happens weeks before the injected code is even activated, so a recent backup most likely already contains it. Knowing that, and the fact that the backups on my current hosting plan only go back ten days, it was time to look at some other options.

Looking for scripts

Another option was to clean up the corrupted files with specific scripts. While that looks promising, there is no guarantee that such a script works, or that it has no unintended (or even intended) side effects. Running a script that reads and modifies every file on the filesystem might have unforeseen consequences. It boils down to the following:

  • How bad do you need it?
  • Do you trust the author?
  • Have you tried all of the other options?

After answering the above questions for myself, I decided to skip this step.

Purging the database

Since everything in WordPress resides in a database, it was worth a shot to try and clean up the database itself. Following this StackOverflow submission and replacing all references to 'letsmakeparty' with my own domain name seemed to work! I also made sure to update everything and disable any unnecessary plugins.
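A practical caveat to that database clean-up, as an added example rather than anything from the original post or the StackOverflow answer it followed: WordPress stores many settings (widgets, theme options, plugin state) as PHP-serialized arrays in wp_options and the *_meta tables, and every string in that format carries its byte length, as in s:92:"...". A plain SQL REPLACE changes the text but not the length, so PHP's unserialize() rejects the value and the setting silently falls back to its default. The code below walks a serialized value, performs the replacement inside each string and rewrites the lengths, plus a consistency check you can run over exported values before and after a clean-up. The sample value and the replacement pair are constructed here from the URL shape captured earlier; the target site URL is an assumption.

```python
import re

# Header of a PHP-serialized string: s:<byte length>:"  (body follows, then ";)
STR_HEADER = re.compile(rb's:(\d+):"')


def walk_strings(blob):
    """Yield (header_start, body_start, length) for every s:N:"..." in blob.

    The scan jumps over each body by its declared length, so quotes or
    serialized-looking text inside a string are never mistaken for structure."""
    i = 0
    while True:
        m = STR_HEADER.search(blob, i)
        if m is None:
            return
        n = int(m.group(1))
        yield m.start(), m.end(), n
        i = m.end() + n + 2            # body plus the closing ";


def check_serialized(blob):
    """True if every declared string length matches its body (closing "; in place).

    This is what a blind SQL REPLACE breaks: the text shrinks or grows, the
    length does not, and the next tokens are read from the wrong offset."""
    for _, body, n in walk_strings(blob):
        if blob[body + n:body + n + 2] != b'";':
            return False
    return True


def serialized_replace(blob, old, new):
    """Replace old with new inside each string body and rewrite its s:N: length.

    Lengths are byte counts, which is why this operates on bytes, not str."""
    out = bytearray()
    pos = 0
    for start, body, n in walk_strings(blob):
        if blob[body + n:body + n + 2] != b'";':
            raise ValueError(f"malformed serialized string at offset {start}")
        fixed = blob[body:body + n].replace(old, new)
        out += blob[pos:start]
        out += b's:%d:"%s";' % (len(fixed), fixed)
        pos = body + n + 2
    out += blob[pos:]
    return bytes(out)


# Constructed sample of a wp_options-style value: a serialized array whose
# "logo" entry was rewritten to go through the proxy, in the same shape as
# the captured requests. The 92 is the correct byte length of that URL.
SAMPLE = (b'a:2:{s:4:"logo";s:92:"https://allow.letsmakeparty3.ga/request?Type=api'
          b'&query=034%2Fwp-content%2Fuploads%2Flogo.png";s:5:"width";i:200;}')
OLD = b"https://allow.letsmakeparty3.ga/request?Type=api&query=034%2F"
NEW = b"https://www.techguidereview.com/"     # assumed original site URL


if __name__ == "__main__":
    naive = SAMPLE.replace(OLD, NEW)          # what a SQL REPLACE produces
    print("naive replace still valid?", check_serialized(naive))
    fixed = serialized_replace(SAMPLE, OLD, NEW)
    print("length-aware replace valid?", check_serialized(fixed))
    print(fixed.decode())
```

The replacement only swaps the proxy prefix; the remaining %2F separators in the path are left as they were stored, and a second pass with another (old, new) pair can decode them if the original value was not percent-encoded. Values that are serialized twice (a serialized string stored inside another serialized string) are not fixed by this walker, because it only sees the outer lengths; check_serialized will still tell you whether the outer structure is intact.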

Replication at its finest.

Well, it worked for two days. Behold a perfect example of replication when you do not need it. Since I had updated everything to the latest version, there are two possible reasons this happened again: either something remained, on disk or in the database, that re-injected the references, or there are still unpatched vulnerabilities.

Takeaways

  • Make sure to keep regular backups outside of your hosting, going back further than the time it takes you to notice a compromise.

Destroy and rebuild

What are my options?

After some unsuccessful attempts at restoring the blog, I decided to look at my options again. The first was to keep trying to fix it; the other was to build something new.

Destroy

WordPress had not been my preferred option from the beginning, so I decided to say goodbye to it and start from scratch.

Rebuild

Now that WordPress is out of the picture, what's the alternative? Certainly not another PHP replacement. Let's go with a different stack!

Takeaways

  • Don't leave your website unattended for extended periods.
  • Check for updates regularly.
  • Only run scripts from trusted sources.
  • The one positive thing amongst all of this is that it sparked the motivation to pick this project back up.
  • Read about the rebuild process in the upcoming article.