My mother just told me that her website suddenly disappeared. This website is hosted by GoDaddy and uses cPanel and WordPress. Looking into it, everything under public_html was deleted.
Looking at the logs, the last interaction that occurred with the site before it began returning a 404 was the following:
178.210.165.247 - - [01/Nov/2022:20:05:50 -0700] "GET /wp-content/plugins/gutenberg/naz.php HTTP/1.1" 301 - "http://simplesite.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4" 532
That IP is reported in AbuseIPDB as an IP that performs a "WordPress Brute Force Attack" and probes for known vulnerabilities. This suggests to me that the bot did find a vulnerability and somehow this led to the destruction of the site, but I am trying to understand this in more detail. I don't have any experience with PHP.
I have looked at the source code of the Gutenberg plugin on GitHub, and there is no 'naz.php' file associated with it. Am I right in thinking that this is the likely offender? If so, what does GET /wp-content/plugins/gutenberg/naz.php actually do? Is some PHP code being run on their end, or must the plugin already have had malicious code in it? Would this kind of exploit also have given them access to private information stored on the server, or is it more likely that it is only capable of destroying files?
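As an added example, not part of the question or of any answer, here is a small defender-side triage script over the access-log line quoted above: it parses Apache combined-format entries and flags requests for PHP files under wp-content/plugins/ that are not in a known file list for that plugin (the file list and the second log line are constructed placeholders, not the real Gutenberg manifest).

```python
import re
from urllib.parse import urlsplit

# Apache "combined" log format, matching the line quoted in the question.
# A trailing extra field (the "532" in the quoted line) is tolerated.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed allow-list (assumption): files expected under a plugin directory,
# e.g. taken from a clean copy of the plugin. Any other .php file requested
# under that plugin path is worth a look: plugins rarely grow new PHP files.
KNOWN_PLUGIN_FILES = {
    "gutenberg": {"gutenberg.php", "lib/load.php"},  # illustrative only
}

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def flag_unexpected_plugin_php(entry):
    """Return a reason string if the request targets a .php file under
    wp-content/plugins/<plugin>/ that is not in that plugin's known file set."""
    path = urlsplit(entry["target"]).path
    m = re.match(r"^/wp-content/plugins/([^/]+)/(.+\.php)$", path)
    if not m:
        return None
    plugin, rel = m.group(1), m.group(2)
    if rel in KNOWN_PLUGIN_FILES.get(plugin, set()):
        return None
    return (f"{entry['ip']} requested unknown PHP file {rel} "
            f"in plugin '{plugin}' (status {entry['status']})")

def triage(lines):
    """Run the check over raw log lines and collect the flagged reasons."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            reason = flag_unexpected_plugin_php(entry)
            if reason:
                hits.append(reason)
    return hits

# Sample input: the line from the question (re-joined) plus one constructed benign request.
SAMPLE_LOG = [
    '178.210.165.247 - - [01/Nov/2022:20:05:50 -0700] "GET /wp-content/plugins/gutenberg/naz.php HTTP/1.1" 301 - "http://simplesite.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4" 532',
    '203.0.113.5 - - [01/Nov/2022:20:06:10 -0700] "GET /wp-content/plugins/gutenberg/gutenberg.php HTTP/1.1" 200 1234 "-" "curl/7.85.0"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Run against a full access log, the same check also surfaces PHP requests to wp-content/uploads/, where no PHP file should ever be served.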