I am in line with @xMudrii. Great minds ***… hehe
I am not here to analyze or make any presumptions as to why you were live for two days before getting hit. To me that’s a very obscure target to find, taken at face value, as well as a senseless act. But that’s how some “skidz” are. They pick an easy target to show off their ‘sick scripting skillz’. lol.
Back to the facts and see what we can figure out. As previously stated: block ICMP (Ping) via your selected FW’s rules; I would include the same for ‘unsolicited’ UDP packets, another common exploit. There are numerous attacks that utilize the TCP/IP standard, so those rules are a bit harder to compile and write (if even possible) outside of a dedicated IDS/IPS system. There are just too many to list, and many make use of some very fine loopholes in their respective standards. That being said, do as any good sysadmin would and keep an eye on your ports. You can reference the official DB record for a full list of port #s, assigned protocols and descriptions at the bible of all things Internet;
Onward… Cloudflare, as well as some other notables with DDoS prevention, IMO are Sucuri and Incapsula; there are others of course, but these have some good “street cred” and historically have shown to know the business, aka keeping their clients safe.
I also see that you have chosen a WP theme, yes? You are aware of their troubles over the last couple of years? Once all the Cyber Sec teams, threat intels, malware analysts, etc. had finished with their RE and started to submit their blogs and official write-ups, there was some misalignment as to the true nature of these horrific malicious hybrids, most commonly referred to as the WP SEO attacks. These problems stemmed from an exploit in a common XML lib. Here’s some basic info from Sucuri; this isn’t a $perClick, I promise. He was responsible for the dev of a successful patch that cleaned up around 450k sites. Nice! Just as this attack spread throughout many other major sites, another super-sploit was just about to be discovered, just as malicious, cloning itself into millions of sites and cross-infecting until it had command of a majority of Google’s esteemed images DB, Tumblr, Flickr, Pinterest, and just about every site that had images within their HTML tags. I have uncovered some residual exploits regarding the remnants of tens of thousands of images still online, and from search results I cannot tell which images are just a dormant vuln or whether they are still weaponized. So forgive my vagueness on this exploit for you to look into. WP themes, and what could be several hundred others, share a common denominator: PHP functionality. It is very effective for running any CMS server, as well as hosting a site with any amount of graphics. It’s very simple to automate resizing, or do any type of image manipulation. But if you trim down and simplify the whole idea of hacking? It’s the ability to manipulate the code to have it perform as you intend to use it. PHP happens to be one of the most versatile and dangerous. Let’s just say that:
[!] Its ability to perform complex image manipulation at such a low level proved very resourceful.
[!!] It had flawless pages served with incredible browser autonomy. This wasn’t always the case with
[!!!] Biggest caveat: PHP scripts can easily manipulate images so as to bury malicious PHP code within the image files. This (if performed correctly) essentially leaves you with an executable image. Forget clicking on it; once in the file “correctly”, it will fire every time the image is “processed”, capable of whatever the master chef has intended for it to accomplish: on the server, any time an admin remotely accesses his site or gallery, every client that loads the page. Silent, permanent and undiscernible by the Calculus 3 capabilities of C lang and its steroidal little brother, MATLAB. AVs? No, because it does not contain a recognized “pattern”. API sanitizers and even PHP and its helper libs will process the image and pass it as a true RGB image file.
Moving on now… the last things to check that you can quickly rule out or mark as suspicious: see if you find a very common file called timthumb.php. This doesn’t mean that it is your smoking gun, but it has been a common trend in the past for taking out 20k+ websites. I don’t know that it’s critical to the theme’s functionality, or that you have a tainted version. I would consult with WP or PHP for further guidance from there.
Lastly. WATCH the vulnerability reports. I will provide two of my favorites; there are others, but these are updated in real time, as they are discovered and get confirmed by the vendor. They contain everything and anything: subject, type, software, hardware, CVE info, patch info (if available). Just add it to your weekly browsing habit. If you decide to search for others, just a word of caution: about 90% of the search results will be spam or malicious themselves. Some of the biggest Sec Teams will have a threat blog, but they aren’t updated like these. If it’s an issue, it will be below…
Packetstormsecurity. Scroll down a ways and on the right you can search by ##
You will be much more informed and may even have a step ahead of any future overly ambitious hackers that get a kick out of a 500 ERROR page. hmmm.
....IDK sometimes, silly hackers. My apologies for the tl;dr but sometimes the answer isn’t simple, and no cookie-cutter explanation fits here. GL & Cheers.
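A defender-side check for the two things the post above tells you to look for: PHP code buried inside image files, and a stray timthumb.php in the web root. This is an added example, not code from the post, from WordPress or from Sucuri; the file names, byte samples and the subset of image formats are constructed assumptions, and a hit is a flag for manual review, not proof of compromise.

```python
"""Added example (not from the thread): flag images carrying PHP open tags or a
mismatched header, and spot timthumb.php. A hit is a review flag, not proof."""
import os
import re
import tempfile

# Leading bytes each extension should start with (common formats only)
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}
# PHP open tags, including the legacy <script language="php"> form
PHP_TAG = re.compile(rb"<\?php|<\?=|<script[^>]{0,60}language[^>]{0,20}php", re.IGNORECASE)


def inspect_image(data: bytes, ext: str) -> list[str]:
    """Return findings for one image payload; JPEG comments/PNG text chunks can hold any text."""
    findings = []
    magic = MAGIC.get(ext.lower())
    if magic is not None and not data.startswith(magic):
        findings.append("header does not match extension")
    if PHP_TAG.search(data):
        findings.append("PHP open tag inside image")
    return findings


def scan_tree(root: str) -> dict[str, list[str]]:
    report = {}  # path -> findings; walks a web root recursively
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == "timthumb.php":
                report[path] = ["timthumb.php present; check version and origin"]
                continue
            ext = os.path.splitext(name)[1]
            if ext.lower() in MAGIC:
                with open(path, "rb") as fh:
                    findings = inspect_image(fh.read(), ext)
                if findings:
                    report[path] = findings
    return report


def demo() -> dict[str, list[str]]:  # scans a throwaway dir of constructed files
    root = tempfile.mkdtemp()
    samples = {
        "clean.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "hidden.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"<?php /* marker */ ?>",
        "renamed.png": b"GIF89a" + b"\x00" * 16,  # GIF bytes under a .png name
        "timthumb.php": b"<?php /* stand-in */ ?>",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return {os.path.basename(p): f for p, f in scan_tree(root).items()}
```

Point `scan_tree()` at a real uploads or theme directory to get a path-to-findings map; anything it reports deserves a look at the file's origin and modification time rather than an automatic delete.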