Here at Clydewire, we are constantly monitoring bot/DDOS/brute force attacks not only at the Server level but also at the website level too.

Why?

Recently, a client had their website breached by a bot/person that added a zip file into the media library. As soon as it was installed 6 infected files were integrated into the filesystem via the theme trying to access the customer data primarily login credentials.

How?

From our investigation, it was duly noted that it was an administrator login that had been gained access illegally. I then checked the following site for any data breaches:

https://haveibeenpwned.com/ which showed me that the email address used for the administrator login had appeared in 5 data breaches.

Using the following link https://1password.com/haveibeenpwned/ohno/ gives you the following response: Oh no! Looks like your passwords have been compromised.

I also checked the IP address shown in the access.log file on the following site:  https://www.abuseipdb.com/check/31.3.152.100. This information shown tells you where it originated from and what type of category actions were used.

Resolution

Update your password immediately. Make it long, contain numbers, letters (upper & lower) and with at least 1 special character. If you use Google chrome this has a password manager and if you right-click there is an option 'suggest strong password'. Alternatively, find a password generator site anytime you want to change passwords.

Paul

Service Support Consultant