Exposed Hacker Server Reveals Mass WordPress Backdoor Campaign
A misconfigured server exposed a cybercriminal operation targeting over 1.4 million WordPress sites. Researchers gained rare insight into the tools and methods used for large-scale website compromises.
TL;DR
- Cybercrime group accidentally left server exposed for 3 weeks
- Over 1.4 million WordPress sites identified as potential targets
- Operation used WP-SHELLSTORM backdoor to compromise websites
- Exposed files revealed hacking tools, logs, and target lists
- Fewer sites were actually breached than initially targeted
A cybercriminal operation has been inadvertently exposed after leaving one of its command servers publicly accessible for three weeks. The exposed infrastructure provided security researchers with unprecedented access to the group's tools, logs, and target lists, revealing a large-scale campaign against WordPress websites.
The operation, now being tracked as WP-SHELLSTORM, had compiled a list of over 1.4 million potentially vulnerable WordPress sites. While the actual number of compromised websites was significantly lower, the incident provides valuable intelligence about how such mass-compromise operations function behind the scenes.
Campaign Scale and Exposure
- Target list contained over 1.4 million WordPress websites
- Server remained exposed for 3 weeks before discovery
- Actual breach count likely much lower than target list size
- Exposure included active backdoors and attack logs
Technical Insights
- Operation used WP-SHELLSTORM backdoor for persistent access
- Exposed files included custom hacking tools and scripts
- Researchers observed real-time attack monitoring capabilities
- Infrastructure exposure revealed command and control mechanisms
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.