I upgraded my instance, removed the fake user the attacker created, and rotated my admin API keys.
However, a week later the instance was compromised again and it appears that the “zapier” integration (that I never even activated) API key was used to deface all of my historical posts and inject malware again.
I don’t see any obvious way to rotate all of the API keys for default integrations; what are my options?
Here’s what I did to clean up as much as I could find from MySQL:
delete from sessions; -- wipe out sessions for previously created malicious users
delete from api_keys where user_id IS NULL; -- wipe out all default integration api keys
delete from tokens;
select id from settings where `key` = 'mailgun_api_key'; -- `key` is a reserved word in MySQL, so it needs backticks
update settings set value = 'REDACTED' where id = 'MAILGUN_API_KEY_ID'; -- substitute the id returned by the select above
update posts set codeinjection_foot = NULL; -- remove malicious code injections
Upon further review, it looks like there are several other internal service keys such as the Ghost Internal Frontend, Ghost Backup, and Ghost Scheduler keys that need to be regenerated, but I don’t see a way to do so in the UI…
My front end signup form is currently broken because of the missing Frontend key.
I don’t know if there is one. Hopefully someone from Ghost will weigh in.
You might also consider doing a content export, members export, and then loading that into a fresh Ghost install, along with copying over /content and the theme files. That’s lossy (you’d lose member analytics and comments), but would get your Ghost into a state with fresh keys.
insert into api_keys set id = 'RANDOM_24_BYTE_HEX', type = 'content', secret = 'RANDOM_64_BYTE_HEX', integration_id = (select id from integrations where name = 'Ghost Internal Frontend'), created_at = NOW(); -- both placeholders must be quoted string values
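As an added example (not code from this thread and not Ghost's own tooling), the following rotates every integration key in place instead of deleting the rows and re-inserting one by hand, which is what the original question asks for and what the insert above only does for a single integration. It assumes MySQL 5.6.17 or later (for RANDOM_BYTES; MariaDB only gained it in 10.10) and the api_keys, integrations, sessions and tokens tables referenced earlier in the thread. The secret lengths are an assumption based on what Ghost generates itself: 32 random bytes as 64 lowercase hex characters for admin keys, 13 random bytes as 26 hex characters for content keys.

```sql
-- Added example: rotate all Ghost integration API keys in place.
-- Assumes MySQL >= 5.6.17 (RANDOM_BYTES) and Ghost's api_keys/integrations schema.
START TRANSACTION;

-- Admin keys: Zapier and the internal integrations (Ghost Backup, Ghost Scheduler, ...).
-- Ghost's own admin secrets are 32 bytes of randomness, written as 64 lowercase hex chars.
UPDATE api_keys
   SET secret     = LOWER(HEX(RANDOM_BYTES(32))),
       updated_at = NOW()
 WHERE type = 'admin';

-- Content keys: Ghost Internal Frontend and any theme/front-end clients.
-- Ghost's own content secrets are 13 bytes of randomness, written as 26 hex chars.
UPDATE api_keys
   SET secret     = LOWER(HEX(RANDOM_BYTES(13))),
       updated_at = NOW()
 WHERE type = 'content';

-- Anything issued under the old keys or by the attacker's users must die with them.
DELETE FROM sessions;
DELETE FROM tokens;

-- Sanity check before committing: every integration still has its keys,
-- each secret has the expected length, and all rows carry today's updated_at.
SELECT i.name,
       k.type,
       LENGTH(k.secret) AS secret_len,
       k.updated_at
  FROM api_keys k
  JOIN integrations i ON i.id = k.integration_id
 ORDER BY i.name, k.type;

COMMIT;
```

Run it inside the transaction shown so a typo does not leave the table half-rotated, then restart Ghost so nothing keeps a cached copy of the old Frontend key, and paste the new Zapier admin key into Zapier if you actually use that integration. Every client holding an old secret, including the attacker, is locked out the moment the transaction commits, which is the point.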
My site got hit too, via the Zapier integration. Have upgraded to v6, but wondering if Ghost should add some sort of CLI command that could regenerate all the internal keys that could have been compromised.
A CLI command to rotate all API keys and other credentials that could have been compromised would be quite helpful. It’s incredibly onerous to have to manually sift through the database and code to try to find all of the sensitive data.