MRG Effitas hacked?

Discussion in 'malware problems & news' started by hdwydgw534, Jul 15, 2017.

  1. guest

    guest Guest

    Attached Files:

    Last edited by a moderator: Jul 15, 2017
  2. plat1098

    plat1098 Guest

    A pdf of theirs opened OK. I get the same message in Internet Explorer and Edge. That is messed up and embarrassing.
     
  3. guest

    guest Guest

    So it seems to be just a deface.
     
  4. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Embarrassing to whom?

    You do realize that the MRG-Effitas website probably resides on a web server that is not owned nor operated by MRG Effitas - right ?
     
  5. plat1098

    plat1098 Guest

    Doesn't matter. Hope it gets straightened out soon.
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
    Wasn't me ok?
    Me just one X.
    :argh:
     
  7. guest

    guest Guest

    :eek::doubt::isay::argh:
     
  8. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,074
    Location:
    U.S.A.
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
  10. guest

    guest Guest

    Defacing, favorite sport of bored "script kiddies". :p
     
  11. Zoltan_MRG

    Zoltan_MRG Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    31
    Hi All,

    I just found this thread, so let me give a quick summary of what happened. The hack started on a Saturday afternoon. When I woke up on Sunday I got notified about this as soon as I woke up and I restored the site before breakfast.

    The way we were hacked is a nice cautionary tale, so I would like to share it with all of you.
    The story begins with an old vulnerable Wordpress plugin. Although this plugin was updated many times on the global Wordpress site, our Wordpress install never notified us that there was a newer version of this plugin. What is even worse is that we had 2 security plugins which alert whenever they find old, abandoned or vulnerable plugins. None of these security plugins alerted during the ~3 year period while the vulnerable plugin was installed.

    We had one plugin based Web Application Firewall which was turned off because it blocked image/PDF upload to the site.
    We had Cloudflare WAF turned on while the hack was ongoing, Wordpress specific rules were enabled. Cloudflare did not detect or block anything.

    Following is a step-by-step description of the hack:
    1. The hacker finds the known vulnerability in the plugin and exploits it, without triggering any block in Cloudflare WAF
    2. Hacker is able to download wp-config.php, with MySQL passwords in it. From this point, every step is legitimate access, so WAF would be no use from here.
    3. Previously, phpmyadmin was not available on https://www.mrg-effitas.com/phpmyadmin/ . Our hosting provider made this available to everyone without letting us know. Hacker logs into phpmyadmin. Note to self: I still have to do something about this.
    4. This step is still a mystery, but either the hacker changed the hashed password of an admin to a password known to the hacker, or the hacker reset one admin password and was able to access the secret for the password reset link.
    5. Hacker logs into Wordpress with admin privileges.
    6. Hacker uploads a malicious theme which gives him PHP shell access.
    7. Hacker uploads multiple backdoors to maintain access, hacker defaces index.php

    We improved our security ever since, but if multiple plugins lie to us about the security state, we are losing the battle ...
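    One defender-side check that follows from the first point in this post, as an added example that is not Zoltan's or MRG Effitas's code: read each plugin's own version header and compare it with the version wordpress.org publishes, so the check does not depend on the dashboard's update notifications or on a security plugin. It assumes the standard wp-content/plugins layout and the public wordpress.org plugin-info JSON endpoint; the sample headers and "latest" versions below are constructed.

```python
import json
import re
import urllib.request
from pathlib import Path
# The header lines WordPress itself reads from a plugin's main PHP file.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

def parse_plugin_header(text):
    """Return the 'Plugin Name' / 'Version' fields of a plugin file header."""
    return dict(HEADER_RE.findall(text))

def version_key(v):
    """'1.10.2' -> [1, 10, 2]; non-numeric segments such as 'beta' count as 0."""
    return [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v)]

def is_outdated(installed, latest):
    """True if installed < latest; pads so '1.10' and '1.10.0' compare equal."""
    a, b = version_key(installed), version_key(latest)
    n = max(len(a), len(b))
    return a + [0] * (n - len(a)) < b + [0] * (n - len(b))

def latest_version_wporg(slug):
    """Ask the public wordpress.org plugin info API for a slug's current version."""
    url = f"https://api.wordpress.org/plugins/info/1.0/{slug}.json"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)["version"]

def find_outdated(headers_by_slug, lookup):
    """Map slug -> (installed, latest) for plugins behind what lookup(slug) reports."""
    report = {}
    for slug, text in headers_by_slug.items():
        installed = parse_plugin_header(text).get("Version")
        if installed is not None and is_outdated(installed, latest := lookup(slug)):
            report[slug] = (installed, latest)
    return report

def scan_plugin_dir(plugins_root):
    """Read each wp-content/plugins/<slug>/*.php main file and query wordpress.org."""
    headers = {}
    for d in (p for p in Path(plugins_root).iterdir() if p.is_dir()):
        for f in d.glob("*.php"):
            text = f.read_text(errors="replace")
            if "Plugin Name" in parse_plugin_header(text):
                headers[d.name] = text
                break
    return find_outdated(headers, latest_version_wporg)
# Constructed sample data so the comparison logic can be exercised offline.
SAMPLE_HEADERS = {
    "example-gallery": "<?php\n/*\nPlugin Name: Example Gallery\nVersion: 1.4.2\n*/\n",
    "example-forms": "<?php\n/**\n * Plugin Name: Example Forms\n * Version: 2.0\n */\n",
}
SAMPLE_LATEST = {"example-gallery": "1.10", "example-forms": "2.0.0"}
```

Run `scan_plugin_dir("/path/to/wp-content/plugins")` from cron and alert on a non-empty result; plugins that are not published on wordpress.org will raise from the lookup and need their own version source.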
     
  12. guest

    guest Guest

    You are late to reply! (just kidding :p), I'm glad you gave us the full story.

    Once more it shows that attackers are keen to find unpatched vulnerabilities.
     