0

Today I was notified by DigitalOcean that my droplet was hacked and a DDOS attack was generated from it. It was a droplet I used as a staging server for a webapp I will send to production later, and I just need to do vagrant destroy and vagrant up and I'll have my droplet again.

I don't need to recover my data, but I don't want this to happen when I'm in production, so I want to check how I was hacked, where can I start? Is there some standard steps to perform to do this?

If is relevant: It was a Ubuntu 14.04, with WP, Laravel and MariaDB in docker.

techraf
  • 9,149
  • 11
  • 44
  • 62
IAmJulianAcosta
  • 2,465
  • 3
  • 15
  • 18

1 Answers1

1

Without checking too deep, I would say WP is the top risk in that list. I assume its updated, so you should check its settings and the plugins you have installed.

Check this article: https://isc.sans.edu/forums/diary/Wordpress+Pingback+DDoS+Attacks/17801

Sucuri detected an interesting "reflective" attack using the Wordpress Pingback feature to attack web sites [1]. Unlike other reflective attacks that use UDP services like NTP and DNS, this attacks uses the Wordpress Pingback feature.

The intend of Pingback is to notify a site that you link to about the link hoping that the site you are linking to will return the favor. Some systems automate this and maintain automated lists linking back to sites that covered their article. In order to implement pingback, Wordpress implements an XML-RPC API function. This function will then send a request to the site to which you would like to send a "pingback"...

lepe
  • 2,194
  • 2
  • 16
  • 29