Guys, this is strange. I’ve created a new user on a VPS, so it was completely isolated from all other users. I got him a new domain, uploaded clean WordPress files, and since there was a database problem, I left it like that for a week. Brand new subdomain that no one knew about.
5 days after these files were uploaded, they were infected.
- new user, isolated from the server, so no infection from other user?
- WordPress was not even running, there was not even a database to begin with, just files
- completely new subdomain with a name that is hard to guess.
So, what’s going on? My system is infected? No other servers were infected, and I access many of them.
Bots are so good at scanning?
Somehow, when I entered the new domain address (to see if it was redirected correctly), a message was sent?
VPS is infected? No other users have problems.
I’m at a loss.
So there are bots that crawl for new wp-installations.
It appears you were unable to complete the installation due to a database error.
And you left it long enough to invite someone to do it for you.
If only the files are uploaded, the WordPress installation screen would be accessible, which would allow an attacker to connect their own external database, set up WordPress and upload files, etc.
Bots will constantly scan IPs for vulnerabilities, but it could also be a bot scanning the SSL certificate transparency logs.
If a certificate was recently issued for the domain, they could find the domain very quickly. If you can, lock down the site to your IP address until the setup is done, or connect the database immediately.
A similar incident occurred with me a few months ago. I had a brand-new website on a sub-domain with indexing turned off. Assuming that “nobody knows about it,” I failed to protect the site, resulting in a hack within a week. This assumption was incorrect; bots scan the internet rapidly, so I learned my lesson – that it’s crucial to protect our sites from day one.
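
A defender-side check for the situation described in the replies above, added here as an example and not code from any poster: it lists WordPress directories that still have no wp-config.php (so the installation screen is reachable) and flags access-log requests to the installer from IPs other than your own. The combined log format, directory names and IP addresses are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Installer endpoints that stay reachable until wp-config.php exists.
INSTALLER = re.compile(r"/wp-admin/(?:install|setup-config)\.php")
# Combined log format: client IP first, request line in the first quoted field.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def unfinished_installs(webroot):
    """Return WordPress directories under webroot that have no wp-config.php."""
    found = []
    for marker in Path(webroot).rglob("wp-admin/install.php"):
        wp_dir = marker.parent.parent
        # WordPress also accepts wp-config.php one directory above its root.
        if not any((d / "wp-config.php").is_file() for d in (wp_dir, wp_dir.parent)):
            found.append(wp_dir)
    return sorted(found)

def installer_hits(log_lines, trusted_ips):
    """Return (ip, method, path, status) for installer requests from untrusted IPs."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and INSTALLER.search(m.group(3)) and m.group(1) not in trusted_ips:
            hits.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return hits

# Constructed sample log (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 1234',
    '203.0.113.9 - - [03/Jan/2024:04:12:55 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 200 2871',
    '203.0.113.9 - - [03/Jan/2024:04:12:58 +0000] "POST /wp-admin/setup-config.php?step=2 HTTP/1.1" 200 1990',
    '203.0.113.9 - - [03/Jan/2024:04:13:02 +0000] "GET /index.php HTTP/1.1" 200 512',
]

def demo():
    """Build a constructed webroot with one configured and one bare install."""
    with tempfile.TemporaryDirectory() as root:
        for site, configured in (("done.example", True), ("new.example", False)):
            admin = Path(root, site, "public_html", "wp-admin")
            admin.mkdir(parents=True)
            (admin / "install.php").touch()
            if configured:
                (admin.parent / "wp-config.php").touch()
        bare = [p.relative_to(root).as_posix() for p in unfinished_installs(root)]
    return bare, installer_hits(SAMPLE_LOG, trusted_ips={"198.51.100.7"})

if __name__ == "__main__":
    print(demo())
```

Run `unfinished_installs` against the real web root and `installer_hits` against the site's access log with your own address in `trusted_ips`; any hit with a 200 status on a directory from the first list means someone else reached the setup screen.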