Resolved Syncly.it

    (@elnath78)


    On one of the websites controlled by Wordfence Central, someone was able to connect, apparently using sFTP. He was then able to download the wp-config.php file and then upload any sort of payload to download the whole website. For the little I can understand, he didn’t force WordPress but probably something on the hosting machine. How do I climb the ladder and understand how they did it in this case?

    Hey @elnath78,

    Firstly, if you haven’t already please change all passwords including WordPress, sFTP, database, and hosting control panel.

    As to how they were able to do this, I’d suggest reaching out to your host for their thoughts. They need to be alerted to this, as it sounds like a server-level compromise and other sites on the server could be experiencing the same issue. If it is a server-level compromise, Wordfence wouldn’t be able to defend against it.

    I’d also suggest working through the guide below to clean the site. However, if the infection returns or you’re not comfortable with this, I’d suggest reaching out to a professional hack repair service. Seeing as it seems to be a server-level compromise, your host may help with this as well.

    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Please let us know if anything else comes up.

    Thanks,

    Gerroald

    Thread Starter Syncly.it

    (@elnath78)

    Hi @wfgerald

    They cleaned all the payloads. The hosting company is Cloudways, and from the log it seems they were able to log in via sFTP. The website was not harmed but stolen; other websites were not relevant for this purpose.

    That you know of, does this host have a faulty sFTP service that lets everyone in? They even cleared the Breeze cache just to make sure. I have the logs showing tests and payload uploads, and deletion of the payloads afterwards; their purpose was to steal the website files/database tables to replicate the website.

    If you have a private e-mail address, I could forward you the logs. Or better, a p2p Telegram account so we are sure that only we could read it.

The topic ‘Unhandled sFTP connection not detected’ is closed to new replies.