Last night and on through this morning my site has been under heavy attack from all over the world, though mostly out of the Asia Pacific region; more specifically, from Ukraine, Germany, Vietnam, China and Brisbane, Australia. What I uncovered was a pattern I had never come across before: HTTP requests aimed at third-party server software that the attackers had, wrongly, assumed might be running behind my WordPress site. While the incident is better described as a “probe” than an outright “hack,” it did reveal a lot about the strategy they had hoped to employ.
Auditing my firewall logs, it appears the attackers first sent requests carrying cross-site scripting (XSS) payloads against PHP paths, together with requests for phpMyAdmin (pma) paths, on the chance that I had exposed a phpMyAdmin installation, or hand-edited PHP files through one, at some point in the past. When that produced nothing, they moved on to probing for Oracle WebLogic, i.e. checking whether a WebLogic application server was reachable at my hostname. For example, they repeatedly ran a string of probes that looked something like this:
While I did not include them here, there were over 40 more logs just like this over the course of a 12-14 hour span, from multiple locations. Upon further investigation, two things seem to have been going on. The first looked like an attempt at a denial of service (DoS) against the site, although forty-odd requests over half a day is far below what it would take to affect availability. The second, and more plausible, goal was to gain a foothold on the server through a remote code execution (RCE) flaw in third-party software that might be co-hosted with the site, such as Oracle WebLogic, and to escalate from there to administrative control. What the attackers did not anticipate is that I run my website on WordPress.com, not on self-hosted WordPress.org software. WordPress.com is managed hosting: I cannot install server software such as WebLogic or phpMyAdmin there, so there is nothing for these probes to hit. With WordPress.org you download the software and run it on a server you own or rent, and anything else installed on that server (an application server, a database front end) is yours to expose or to lock down. WebLogic is widely deployed, which is why scanners probe for it on every host they find, WordPress or not.
While I do not run a self-hosted WordPress.org site myself, this is something to watch out for. If you do, redirect all HTTP traffic to HTTPS at the web server (or with a plugin), block requests with known-bad query strings before they reach PHP, and send an HTTP Strict Transport Security (HSTS) header. HSTS is set once per host and then covers every page and article on the site; make sure every subdomain already serves HTTPS before you add includeSubDomains, because browsers will refuse plain HTTP for them once they have seen the header. TLS is a must in 2018. As of 10/17/2018 this information has been reported to both WordPress and Oracle.
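To make the log review above concrete, here is an added example (my own illustration, not the author's tooling and not the original log entries) that parses web-server access-log lines in the common combined format, URL-decodes each request, and tags it when it hits an assumed indicator: a WebLogic path, a phpMyAdmin path, or an XSS-looking query string. It then groups hits per client address so that one host walking through several indicator paths stands out from a single stray bad request. The indicator paths and markers, the threshold, and the sample log lines are all assumptions constructed for the example. The same classify() function is the kind of rule a “block bad query strings” filter would apply in front of PHP, so it also illustrates the hardening advice above.

```python
"""Triage web-server access logs for WebLogic / phpMyAdmin / XSS probes.

Added example, not the blog author's tooling and not the original logs.
Indicator paths and markers are assumptions about what such probes commonly
look like; the sample log lines are constructed and use documentation IPs.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote, urlsplit

# Combined Log Format as written by Apache httpd and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed indicators; paths are lower-cased before matching.
WEBLOGIC_PATHS = ("/wls-wsat/", "/_async/", "/console/login/", "/bea_wls_internal/")
PMA_PATHS = ("/phpmyadmin", "/pma/", "/mysql/", "/myadmin/")
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=", "alert(")


def classify(target):
    """Return the set of indicator categories a request target trips."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    # Decode twice: scanners often double-encode to slip past naive filters.
    query = unquote(unquote(parts.query)).lower()
    hits = set()
    if path.startswith(WEBLOGIC_PATHS):
        hits.add("weblogic-probe")
    if path.startswith(PMA_PATHS):
        hits.add("phpmyadmin-probe")
    if any(m in query for m in XSS_MARKERS) or any(m in path for m in XSS_MARKERS):
        hits.add("xss-payload")
    return hits


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines, min_hits=2):
    """Aggregate indicator hits per client IP.

    Returns (per_ip, scanners): per_ip maps IP -> Counter of categories for
    IPs with at least one hit; scanners lists the IPs whose total hits reach
    min_hits, i.e. repeated probing rather than a single odd request.
    """
    per_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for cat in classify(rec["target"]):
            per_ip[rec["ip"]][cat] += 1
    scanners = sorted(ip for ip, c in per_ip.items() if sum(c.values()) >= min_hits)
    return dict(per_ip), scanners


# Constructed sample: one host sweeping WebLogic paths, one host hunting for
# phpMyAdmin with an XSS payload in the query string, and one legitimate reader.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Oct/2018:03:12:41 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 404 196',
    '203.0.113.7 - - [17/Oct/2018:03:12:43 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 404 196',
    '203.0.113.7 - - [17/Oct/2018:03:12:45 +0000] "GET /_async/AsyncResponseService HTTP/1.1" 404 196',
    '198.51.100.23 - - [17/Oct/2018:03:20:02 +0000] "GET /phpmyadmin/index.php?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 404 196',
    '198.51.100.23 - - [17/Oct/2018:03:20:05 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 196',
    '192.0.2.10 - - [17/Oct/2018:03:25:11 +0000] "GET /2018/10/some-article/ HTTP/1.1" 200 8412',
    '192.0.2.10 - - [17/Oct/2018:03:25:12 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    import sys
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    per_ip, scanners = triage(lines)
    for ip in scanners:
        print(ip, dict(per_ip[ip]))
```

Run it with an access log on stdin, or with no input to see the constructed sample. Note that every probe in the sample gets a 404: a WordPress host has none of these paths, so the status codes alone tell you nothing. The useful signal is the same address moving through several indicator paths in a short window, which is what the per-IP grouping surfaces and what a blocking rule at the web server or WAF would key on.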