During our regular cleanup process we came across a reinfection case that caught our attention. This particular environment didn’t have anything special or fancy, it was an updated WordPress installation and had 3 out-of-date plugins; that’s pretty reasonable. After running through our processes and cleaning the environment we kept coming back to a reinfection; the attacker kept uploading nefarious files on the server. This got us very curious and so we had to dig a little deeper. The malicious files were being uploaded to ‘/wp-content/uploads/gravity_forms’ and ‘/wp-content/uploads’ on Feb 21st, but how? While Forensics is not a default offering and the client was not using our Website Firewall (which would have prevented the reinfection), we do love a good challenge. So why not investigate when the cases are curious – such as this one. Fortunately, we had access to the logs and were able to find some interesting requests to those particular files. With that in mind, we started looking for different variations of “_input_” and found a lot requests to those files. We went back a few days in the logs to find what preceded those requests and where they could have come from. In analyzing
Share This