I did reach out to the mods an hour before posting – they’re likely touching grass. Hope this post is okay.
I recently set up a small VPS to host some personal “development” WordPress websites. I used the CyberPanel WordPress installer – which thankfully had the latest version there. It’s similar to the Softaculous installer, in that you provide all of your details and the installer gets to work. Unfortunately it had a hard time creating the database so I manually sorted that out. It then randomly failed part way through due to an unknown error. So I downloaded a copy of WP 6.2.2 from source and dropped it over the top of the failed install in the public directory. I then ran through the installer manually.
As far as I was concerned, WP was up and running and the playtime began – for just 2 days.
Came to install a plugin on the website this morning and find that the wp-admin\plugin-install.php is giving me a 403 Error. This strikes me as odd so I SCP into the server to check out the file and do some debug, to find its modified date is only a few hours ago. Stranger still, the contents of the file are a 403 Error itself from the LiteSpeed Webserver – nothing malicious so far.
I’m about to drag over a replacement plugin-install.php when I notice the wp-admin/maint folder has also been updated recently. In there I see an extra file “lock360.phTML” – oh dear.
It’s a test site, so I nuke it from Orbit – it’s the only way to be sure. I pulled off the logs and found the relevant POST requests. These two lines made my heart sink:
“POST /wordpress/wp-admin/setup-config.php?step=2 HTTP/2”
“POST /wordpress/wp-admin/install.php?step=2 HTTP/2”
This is NOT where I installed WordPress to, or so I thought. After the perp set up his fresh new copy of WordPress and installed a few plugins, they managed to get a remote terminal installed that gave them carte blanche to the whole site. Goneskies!
To be clear, I instructed CyberPanel to install WP in the root of the public folder, no subdirectories here.
So what did I learn here? Don’t trust the CyberPanel WordPress installer for starters. I’m still not clear in my head why there was an additional “wordpress” folder within my public directory; the dates do check out from when I installed the site. When I copied the contents of the Wordpress.6.2.2.zip file into the public directory, it certainly overwrote all of the files you would typically expect to see in a normal installation.
Every day is a school day, don’t get burned.
Quick update, it seems that the Wordpress-6.2.2.zip file has the install within a wordpress folder. CyberPanel isn’t totally clear, but I’ve definitely messed up here.
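An added example, not part of the original post: a check for the situation described above, where a second WordPress tree sits under the docroot with its web installer still open, plus a filter for the two installer POSTs quoted from the logs. The function names, the sample directory layout and the log lines are constructed for illustration; the config lookup follows WordPress's wp-load.php, which only accepts a wp-config.php one level up when that parent is not itself a WordPress root.

```python
import os
import re
import tempfile

# POSTs that complete the WordPress web installer (the two lines quoted in the post).
INSTALLER_POST = re.compile(
    r'"POST (\S*/wp-admin/(?:setup-config|install)\.php)\?step=2[^"]*"')

def is_configured(wp_dir):
    """Mirror wp-load.php's wp-config.php lookup (here, or one level up)."""
    if os.path.isfile(os.path.join(wp_dir, "wp-config.php")):
        return True
    parent = os.path.dirname(wp_dir)
    return (os.path.isfile(os.path.join(parent, "wp-config.php"))
            and not os.path.isfile(os.path.join(parent, "wp-settings.php")))

def find_unconfigured(docroot):
    """Return WordPress trees under docroot whose installer is still open."""
    hits = []
    for path, _dirs, files in os.walk(docroot):
        installer = os.path.join(path, "wp-admin", "setup-config.php")
        if "wp-settings.php" in files and os.path.isfile(installer) and not is_configured(path):
            hits.append(os.path.relpath(path, docroot))
    return sorted(hits)

def installer_posts(log_lines):
    """Return the installer paths that received a step=2 POST."""
    return [m.group(1) for line in log_lines
            if (m := INSTALLER_POST.search(line))]

def build_sample(root):
    """Constructed layout: configured install at root, stray copy in wordpress/."""
    for base in ("", "wordpress"):
        os.makedirs(os.path.join(root, base, "wp-admin"), exist_ok=True)
        for name in ("wp-settings.php", "wp-admin/setup-config.php"):
            open(os.path.join(root, base, name), "w").close()
    open(os.path.join(root, "wp-config.php"), "w").close()

# Constructed log lines in the shape quoted in the post.
SAMPLE_LOG = [
    '203.0.113.7 - - "POST /wordpress/wp-admin/setup-config.php?step=2 HTTP/2" 200',
    '203.0.113.7 - - "POST /wordpress/wp-admin/install.php?step=2 HTTP/2" 200',
    '198.51.100.4 - - "GET /wp-login.php HTTP/2" 200',
]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(find_unconfigured(root), installer_posts(SAMPLE_LOG))
```

Any directory it reports is a WordPress copy that will accept a fresh setup from whoever reaches it first, so it should be removed or blocked at the web server before the site is exposed.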