After a more thorough analysis, I believe that I now have a clear picture of what happened to Roumazeilles.net.
It appears that a hacker broke into our web site through an insecure WordPress plugin. The security defect was corrected relatively quickly, but it left a wide-open gap for a few days. The hacker was able to:
- create several privileged access points into the web site (administrator accounts).
- modify posts and pages to add a script likely to deliver a malware infection (which I could not identify more precisely).
- modify the web site to point back to another infected web site.
- modify the web site to create an additional backdoor entry point for himself.
This most probably happened during the night of Friday, November 9th (or very early on Saturday, November 10th). It hit four of my web sites in a row (on four other sites I caught the infection before it could become extensive or dangerous for the users/visitors).
The corrections I implemented allow me to assure you that the incident is now (Sunday, November 11th, at noon) closed for all four infected web sites.
The consequences for you, the visitors:
- it is possible (though quite improbable) that some personal data have been taken, but this was not a clear objective of the hacker.
- all users with an account on the web site have been informed, and their passwords have been forcibly changed to a safer value (it appears nobody had a really weak or re-used password – my advice: never re-use one web site password on another web site).
- for a few tens of hours, Roumazeilles.net was used to propagate one or more pieces of malware to visitors of our pages and posts. My advice: immediately check your computer with a good anti-virus.
I hope (and I believe) that this is all.
Technical details on this specific attack (we were not alone in the list of victimized web sites).