We found more sites which were hacked very quickly after the LE certificate was generated.
Our clients start the installation after LE is green, but in the meantime (max 15 minutes after LE) a robot from 185.59.221.* comes and uses the WP installation files to prepare the hack. Days later, on all domains a malware script is called and starts a DDoS against an IP in France. I think it is because crt.sh is scanned.
Here info too: Unknown file in WordPress core: wp-includes/.query.php | WordPress.org
The malware script was wp-includes/.query.php
Any idea what to do about this?
More likely they are directly polling the CT log servers, as the delay to detect new domains is much shorter. But yes, what you describe has been happening for a few years now. I see requests to paths like /.git/index within seconds of issuing new certificates!
Out of interest, which malware-protection plugins do you have installed in WordPress?
WordPress is often vulnerable as soon as you install plugins (like gallery modules, forms etc) especially if you are self-hosting and especially if plugins are not updated regularly/automatically.
Again: it is a freshly uploaded WordPress which is not installed yet (so the installation wizard is there). After creating the LE certificate, within minutes a bot accesses the site and uses the installation files to hack it.
Normally, our clients use Wordfence.
I see. You should raise this as a security vulnerability with the WordPress developers; they could randomise the install URL and present it only to you in the console, or require a one-time token.
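One defensive check that follows from this thread, as an added example and not code from any poster, from WordPress or from Let's Encrypt: given the time a certificate was issued, scan the web server's access log for requests to the installer and probe paths mentioned above (wp-admin/install.php, /.git/index, wp-includes/.query.php) that arrive within the first minutes after issuance. The 15-minute window comes from the original post; the IP addresses, timestamps and log lines are constructed for the example, and the setup-config.php path is an assumption added because it is the other file the WordPress installer exposes.

```python
import re
from datetime import datetime, timedelta, timezone

# Paths a bot would hit on an uploaded-but-not-installed WordPress, plus the
# probe paths named in the thread. Constructed list; extend for your own setup.
PROBE_PATHS = {
    "/wp-admin/install.php",
    "/wp-admin/setup-config.php",   # assumption: second installer entry point
    "/.git/index",
    "/wp-includes/.query.php",
}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]   # drop the query string
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "path": path,
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def early_probes(log_lines, issued_at, window=timedelta(minutes=15)):
    """Return requests to PROBE_PATHS that arrived within `window` after issuance.

    Each hit carries `seconds_after_issue` so the operator can see how fast the
    scanner reacted to the new certificate appearing in the CT logs.
    """
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        delta = rec["ts"] - issued_at
        if timedelta(0) <= delta <= window and rec["path"] in PROBE_PATHS:
            rec["seconds_after_issue"] = int(delta.total_seconds())
            hits.append(rec)
    return hits


def by_source(hits):
    """Group the probed paths by source IP, preserving request order."""
    summary = {}
    for h in hits:
        summary.setdefault(h["ip"], []).append(h["path"])
    return summary


# Constructed sample: certificate issued at 10:00:00 UTC, installer probed
# 42 seconds later from a documentation-range address.
ISSUED_AT = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '203.0.113.7 - - [01/May/2024:10:00:42 +0000] "GET /wp-admin/install.php?step=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/May/2024:10:00:43 +0000] "GET /.git/index HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [01/May/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/May/2024:10:05:10 +0000] "GET /wp-includes/.query.php HTTP/1.1" 404 196 "-" "curl/8.0"',
    '203.0.113.7 - - [01/May/2024:11:00:00 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [01/May/2024:12:30:00 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in early_probes(SAMPLE_LOG, ISSUED_AT):
        print(f'{h["seconds_after_issue"]:>5}s after issuance: {h["ip"]} -> {h["path"]} ({h["status"]})')
    print(by_source(early_probes(SAMPLE_LOG, ISSUED_AT)))
```

Running this against a real log with the issuance time taken from the certificate's notBefore field shows whether the installer was reachable while the site was being found; the practical fix the thread points at is to restrict the installer paths (by source address or a one-time token) until wp-config.php exists, so a bot that arrives a minute after issuance gets nothing to work with.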