Surely this is not a Hetzner-only hack event? Why were other ISPs not invited? The examples given are all very similar:
Those IPs are all in one subnet at Hetzner.
In a case like this the hacker does not jump from point A to B on different networks; that would slow him down and is inefficient. He works from a list. The list can be domain names or IP addresses.
Where it is, is incidental. The aim was to quickly find targets and plant links as efficiently as possible. This is a matter of how these guys operate, Hacking 101. Based upon what we are seeing here, this is probably how the attack occurred:
Information gathering
- Get a network range and resolve to host names - many tools/methods out there to accomplish this
- Scan hosts - to identify what is running, looking for pre-selected clues
- Filter potential targets - WordPress and Joomla! in this case. Probably a version filter as well ...
Then attempt a hack on the selected targets. Trivially easy. Much of this was probably scripted with the hacker doing something else.
On an aside, my 5c on WordPress: WordPress took a lot of flak for being easily hackable while it is really a certain library used called TimThumb. It's best to avoid this library. To further improve the situation, newer WordPress versions now allow for automatic updates. Just make sure you have regular backups.
Sadly, just like cars and electronics, software also does not last forever and needs constant TLC, especially out there on the web.