Yet Another Wordpress Victim - Investigating a Command and Control Attack
· 10 min read
Once again, we found ourselves investigating a compromised WordPress server. In this blog post, you'll see how we investigated the attack and what useful information we have uncovered.
This time, the attack was discovered after a manual inspection on the hosting facility, where we observed several connections initiated by the hosting server to external IPs. This is not something we expected to see, so we did some further inspection. First, we extracted the executable files that started the processes and we upload their hashes on Virustotal. Most of them are flagged as malicious, and we could see some connected IP addresses, but nothing more (a report for one of the files is here).