Scenario:
One of our WordPress sites has been compromised but we're currently
unsure how. The primary hypothesis is that an installed plugin was vulnerable
to a remote code execution vulnerability which gave an attacker access to
the underlying operating system of the server.
TL;DR
- WordPress site compromised
- Hypothesis is that a plugin was vulnerable
- vulnerability was RCE
- We have log files to sift through
1. To find this information, I used grep to search the output for the keyword “login” and found the answer clearly, with the token included. It is “/wp-login.php?itsec-hb-token=adminlogin”
2. For this one, I took the easiest route and just brute-forced it. I used grep to look for common tools that are used to enumerate and exploit WordPress applications. I finally found “wpscan” and “sqlmap”.
3. This one required that I do some research. I first searched for the CVE under searchsploit, but I found a lot of vulnerabilities. So to scope it down, I googled “Contact Form 7 CVE RCE” and found CVE-2020-35489.
The vulnerability allows an attacker to bypass the plugin's file-format restrictions and upload a malicious executable to a site that has file uploads enabled and runs an outdated version of Contact Form 7.
4. This one was the simplest to answer, but it was very hard to find the exact format we need to use in the platform. I used this command to filter the plugins directory out of the logs. Then I found multiple plugins, so I researched them and saw that there exists a vulnerability for “simple-file-list”.
However, I think this method might not be the correct way to reach the conclusion, as in a real-life scenario, there would be no answer box to confirm my analysis. If you happen to discover a more effective approach to find the solution, please don’t hesitate to get in touch and share!
5. To answer this, we use the same grep functionality of the Linux terminal and search for PHP files. We will then see this:
6. To find this, we go through the log file and look at the last time the webshell was accessed; the status code of that request is then clearly visible.
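The six steps above are all grep passes over the same web-server access log. As an added example that is not part of the original write-up, the script below wraps each step in a shell function and runs them against a small constructed Apache-style log. Every line in that log, the IP address 203.0.113.5, the file name shell.php and the upload path are invented for this example and are not taken from the challenge's log files; the function names are assumptions as well.

```shell
#!/bin/sh
# Constructed sample access log (not the challenge's data), Apache combined format.
LOG="${TMPDIR:-/tmp}/wp_access_sample.log"
cat > "$LOG" <<'EOF'
203.0.113.5 - - [10/Oct/2023:10:00:01 +0000] "GET /wp-login.php?itsec-hb-token=adminlogin HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:10:01:15 +0000] "GET /wp-content/plugins/contact-form-7/readme.txt HTTP/1.1" 200 812 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
203.0.113.5 - - [10/Oct/2023:10:01:16 +0000] "GET /wp-content/plugins/simple-file-list/readme.txt HTTP/1.1" 200 640 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
203.0.113.5 - - [10/Oct/2023:10:02:40 +0000] "GET /?p=1%20AND%201=1 HTTP/1.1" 200 3120 "-" "sqlmap/1.4.10#stable (http://sqlmap.org)"
203.0.113.5 - - [10/Oct/2023:10:05:02 +0000] "POST /wp-content/plugins/simple-file-list/upload-handler.php HTTP/1.1" 200 57 "-" "python-requests/2.25.1"
203.0.113.5 - - [10/Oct/2023:10:05:03 +0000] "GET /wp-content/uploads/simple-file-list/shell.php HTTP/1.1" 200 88 "-" "python-requests/2.25.1"
203.0.113.5 - - [10/Oct/2023:10:06:10 +0000] "GET /wp-content/uploads/simple-file-list/shell.php HTTP/1.1" 404 196 "-" "python-requests/2.25.1"
EOF

# Step 1: the hidden login URL, token included. '?' is literal in a basic regex.
login_token() {
    grep -o '/wp-login\.php?[^ "]*' "$LOG" | sort -u
}

# Step 2: enumeration/exploitation tools that identify themselves in the User-Agent.
scanner_agents() {
    grep -oiE 'wpscan|sqlmap' "$LOG" | tr 'A-Z' 'a-z' | sort -u
}

# Step 4: every plugin directory touched, most-requested first.
plugins_touched() {
    grep -oE '/wp-content/plugins/[^/ "]+' "$LOG" | sort | uniq -c | sort -rn
}

# Step 5: PHP files served from the uploads tree, which should never contain code.
uploaded_php() {
    grep -oE '/wp-content/uploads/[^ "?]*\.php' "$LOG" | sort -u
}

# Step 6: timestamp and status code of the last request for a given file.
# Field 9 is the status code in combined format.
webshell_last_seen() {
    grep -F "$1" "$LOG" | tail -n 1 | awk '{print $4, $5}'
}
webshell_last_status() {
    grep -F "$1" "$LOG" | tail -n 1 | awk '{print $9}'
}

# Stand-alone run: print the findings for each step.
if [ "${1:-run}" = "run" ]; then
    echo "Login URL:";            login_token
    echo "Scanner tools:";        scanner_agents
    echo "Plugin dirs:";          plugins_touched
    echo "PHP under uploads:";    uploaded_php
    echo "Webshell last seen:";   webshell_last_seen shell.php
    echo "Webshell last status:"; webshell_last_status shell.php
fi
```

The checks generalise beyond the challenge: any PHP file under wp-content/uploads is worth investigating on a WordPress host, since that tree is meant to hold media only, and a 404 as the final status for a webshell usually means it was removed after the earlier successful requests, which bounds the window of attacker activity.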