• Hello,
    a friend wrote to me recently that his WordPress security plugin sent him a strange mail. He generally keeps his WordPress updated.

    From Sucuri Plugin:

    ====================================
    Subject: Post Update

    Login Info:
    Time: 20 March 2019, 1:19 pm

    Website Info:
    Site:
    IP Address:

    Notification:
    Post was updated; identifier: 1195; name: Vuln!! Path it now!!
    ====================================

    So he asked me if I knew anything about that. When I search the web, I only find infected websites showing the same ‘post update’, and no information about the problem.

    He restored a backup. His site is, and was, up to date.

    Can someone point me to more information about that problem? I would like to prevent something like that from happening to my blog.

    Thanks
    Daniel

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hello,

    The text Vuln!! Path it now!! is simply the title of a post that someone created on that website. If your friend searches for the post with ID 1195, they will find the post or page with the suspicious content. They can visit it using this link [1], where “example.com” is obviously their real website.

    Also, you should know that some plugins use the same posts table to store their data. It is possible that your friend installed a plugin that allows people to submit text, for example a contact form, a feedback page, or something similar. The plugin has no way to distinguish them other than by the “post_type”.

    He installed a backup. His site is and was updated.

    Considering this, the post may not exist anymore, and they will not be able to investigate further. Having a copy of the database from after the alert was sent would be helpful. But if they already restored a backup from before the event was triggered, then, unfortunately, there is nothing to investigate.

    Let me know if you need more information.

    [1] https://example.com/?p=1195
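The lookups the reply above describes, as an added example that is not code from the thread or from the Sucuri plugin. It runs against a constructed wp_posts table in SQLite; a real site's table lives in MySQL and has many more columns, but ID, post_title, post_type, post_status and post_modified are real column names. The rows, titles and post types are made up, and ID 1195 is simply the identifier from the alert. The point is that the ID from the alert is looked up regardless of post_type, and that a title search must cover every post type, because plugin records and revisions sit in the same table as ordinary posts.

```python
import sqlite3

# Constructed sample rows, modelled on a few of the real wp_posts columns.
# Not a dump from the site in the thread; titles, types and dates are made up.
SAMPLE_POSTS = [
    (1195, "Spring newsletter", "post", "publish", "2019-01-10 09:00:00"),
    (1196, "Vuln!! Path it now!!", "post", "publish", "2019-03-20 13:19:00"),
    (1197, "Vuln!! Path it now!!", "revision", "inherit", "2019-03-20 13:19:00"),
    (1198, "Feedback from visitor", "feedback_entry", "publish", "2019-02-01 08:00:00"),
]

COLUMNS = ("ID", "post_title", "post_type", "post_status", "post_modified")


def load_posts(rows):
    """Build an in-memory wp_posts table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, "
        "post_type TEXT, post_status TEXT, post_modified TEXT)"
    )
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def _rows(cur):
    return [dict(zip(COLUMNS, row)) for row in cur.fetchall()]


def post_by_id(conn, post_id):
    """The record the alert's 'identifier' refers to, whatever its post_type."""
    cur = conn.execute(
        "SELECT ID, post_title, post_type, post_status, post_modified "
        "FROM wp_posts WHERE ID = ?", (post_id,)
    )
    found = _rows(cur)
    return found[0] if found else None


def posts_with_title(conn, needle):
    """Every record whose title contains the string, across all post types.

    Plugins store their own records in wp_posts too, and revisions keep a
    copy of the title, so post_type is deliberately not filtered. The needle
    is bound as a parameter, never pasted into the SQL string; '%' and '_'
    inside it would still act as LIKE wildcards.
    """
    cur = conn.execute(
        "SELECT ID, post_title, post_type, post_status, post_modified "
        "FROM wp_posts WHERE post_title LIKE ? ORDER BY ID",
        ("%" + needle + "%",),
    )
    return _rows(cur)


def modified_since(conn, timestamp):
    """Records whose post_modified is at or after the time in the alert, newest first."""
    cur = conn.execute(
        "SELECT ID, post_title, post_type, post_status, post_modified "
        "FROM wp_posts WHERE post_modified >= ? ORDER BY post_modified DESC, ID",
        (timestamp,),
    )
    return _rows(cur)


if __name__ == "__main__":
    db = load_posts(SAMPLE_POSTS)
    print("alert ID:", post_by_id(db, 1195))
    for rec in posts_with_title(db, "Path it now"):
        print("title match:", rec)
    for rec in modified_since(db, "2019-03-20 13:00:00"):
        print("modified since alert:", rec)
```

Against a real database the same three queries go to MySQL with the site's table prefix instead of the literal wp_; the modified_since query is the one to run first on a post-incident dump, because it does not depend on the attacker's title being what the alert showed.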

    Hi!

    I’m the one he’s talking about. I actually have a backup of the database from after the attack (created by UpdraftPlus). I’ve searched the DB dump for the “Vuln XXX” string above but couldn’t find anything. Also, the post with ID 1195 has not been modified. Everything looked like it did before the attack. I restored the website to a clean state, just to make sure… The attack repeated a day later, and since then I’ve been blocking the IP range it came from.

    Is it possible that Sucuri sends these “Post Update” warnings when someone *tries* to update a post but actually fails to do so? That would at least make sense in this case…

    Here’s an example of a page where the attack succeeded: https://www.evesca.com/x-htm/

    Hello @weepee,

    Let’s take a look…

    Is it possible that Sucuri sends these “Post Update” warnings when someone *tries* to update a post but actually fails to do so?

    No. According to the code, the actions mentioned above can be executed from anywhere in the code (from a plugin, a theme, or even a small script); however, the action simply passes the ID of the post to the Sucuri plugin, which then looks up the post in the database and uses that data to write the message for the email alert.

    It may be worth checking your website’s access logs to see which requests match the IP address reported in the email. You may find more information there that explains how the attacker was able to trigger the email alert, even though, as you said, the post appears untouched in the database.
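The log check suggested in the reply above, as an added example that is not code from the thread or from Sucuri. It parses combined-format access log lines, pulls out everything a given address did, and separates the requests that hit a WordPress endpoint through which a post can be created or edited (wp-admin/post.php, admin-ajax.php, xmlrpc.php and the wp/v2/posts REST route are real core paths; the list is a starting point, not a complete inventory). The log lines are constructed, and 203.0.113.7 stands in for whatever address the alert reported. The status code on each write attempt is what answers the question asked above: a refused attempt shows up as a 401 or 403, a write that went through as a 2xx or 3xx.

```python
import re
from collections import Counter

# Constructed combined-format access log lines (not the site's real log).
# 203.0.113.7 plays the address reported in the alert; 198.51.100.2 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2019:13:18:55 +0100] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2019:13:19:02 +0100] "POST /xmlrpc.php HTTP/1.1" 200 371 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2019:13:19:03 +0100] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [20/Mar/2019:13:20:10 +0100] "GET /?p=1195 HTTP/1.1" 200 8721 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2019:13:21:44 +0100] "POST /wp-json/wp/v2/posts/1195 HTTP/1.1" 401 95 "-" "curl/7.64.0"
"""

# Apache/Nginx "combined" format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Core WordPress paths through which a post can be created or edited.
# A starting point for triage, not a complete inventory of write endpoints.
WRITE_PATHS = (
    "/wp-admin/post.php",
    "/wp-admin/admin-ajax.php",
    "/xmlrpc.php",
    "/wp-json/wp/v2/posts",
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            e["path"] = e["path"].split("?", 1)[0]   # drop the query string
            entries.append(e)
    return entries


def requests_from_ip(entries, ip):
    """Everything the reported address did, in log order."""
    return [e for e in entries if e["ip"] == ip]


def write_attempts(entries):
    """Requests that could update a post, with their status codes.

    A 2xx/3xx here is a write that may have gone through; a 401/403 is an
    attempt the server refused, which is the case asked about in the thread.
    """
    return [
        e for e in entries
        if e["method"] in WRITE_METHODS and e["path"].startswith(WRITE_PATHS)
    ]


def summarize_writes(entries):
    """Count (ip, endpoint, status) triples so repeated probing stands out."""
    return Counter((e["ip"], e["path"], e["status"]) for e in write_attempts(entries))


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for e in requests_from_ip(log, "203.0.113.7"):
        print(e["time"], e["method"], e["path"], e["status"])
    for key, n in summarize_writes(log).items():
        print("write attempt:", key, "x", n)
```

On a real server, read the file with the same parse_log and pass the address from the alert to requests_from_ip; if the site sits behind a proxy or CDN, the first column will be the proxy's address and the client address has to be taken from a forwarded-for field instead, which this parser does not do.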

  • The topic ‘Vuln!! Path it now!!’ is closed to new replies.