kmaofny.com — Remediation Plan
Created: 2026-04-22
Owner: Grain & Mortar (Eric Downs)
Target completion: Phases 1 + 2 today or by tomorrow morning. Phases 3 + 4 this week.
Companion to INCIDENT-REPORT.md. This plan is the execution checklist.
Phase 1 — Stop the Bleeding (~30 min)
Lock the attacker out immediately. All actions reversible, all evidence preserved.
| # | Task | Tool | Verification |
|---|---|---|---|
| 1.0 | Take full DB + uploads snapshot as rollback baseline | ssh + tar + wp db export | Tarball saved to forensic-workspace/prod-snapshot-20260422.tar.gz |
| 1.1 | Revoke the bot-token REST API application password | wp user meta delete 7 _application_passwords | Meta row gone; wp user application-password list 7 returns empty |
| 1.2 | Demote bot (ID 7) from administrator → subscriber | wp user set-role 7 subscriber | wp user list --role=administrator no longer includes bot |
| 1.3 | Demote admlnlx (ID 8) from administrator → subscriber | Direct SQL (plugin filters UI) | SQL verification on wp_usermeta.wp_capabilities for user_id=8 |
| 1.4 | Rename 6 web shells in /www/ to .quarantine | ssh + mv | 404 response when hitting /bulk.php, /forms.php, etc. |
| 1.5 | Rename simple-301-redirects/assets/css/fileview.php → .quarantine | ssh + mv | 404 on that path |
| 1.6 | Deactivate the 3 malicious plugins | wp plugin deactivate one_images_user widget-1776587769 widget-1776587767 | wp plugin list shows them as inactive |
| 1.7 | Generate 6 strong new passwords (one per legit admin) | wp user update --user_pass + 1Password | New hashes in wp_users, old hashes gone |
| 1.8 | Rotate WordPress salt keys to invalidate all sessions | wp config shuffle-salts | New values in wp-config.php, all cookies invalidated |
| 1.9 | Verify attacker is locked out | Manual: attempt login as bot and admlnlx | Both rejected |
Done criteria for Phase 1:
- No admin-privileged attacker accounts remain
- No callable web shells
- No active malicious plugins
- All legitimate admin passwords rotated, new ones in 1Password
- All existing WP sessions invalidated
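An added check for task 1.3 and the first Phase 1 done criterion (example code, not part of this plan or the G&M tooling): it parses the PHP-serialized wp_capabilities values from wp_usermeta, flags every administrator not on the legitimate-admin list (not only the two known accounts), and emits the direct-SQL demotion plus the verification SELECT for the case where the plugin filters the UI. The sample rows and the set of legitimate admin IDs are constructed assumptions, and the regex only handles the flat role map WordPress writes for wp_capabilities.

```python
import re

# Constructed sample of wp_usermeta rows (user_id, meta_value) where meta_key='wp_capabilities'.
# Illustrative only, not the real table; IDs 7 and 8 mirror "bot" and "admlnlx".
SAMPLE_ROWS = [
    (1, 'a:1:{s:13:"administrator";b:1;}'),
    (2, 'a:1:{s:13:"administrator";b:1;}'),
    (3, 'a:1:{s:6:"editor";b:1;}'),
    (7, 'a:1:{s:13:"administrator";b:1;}'),
    (8, 'a:2:{s:13:"administrator";b:1;s:10:"subscriber";b:0;}'),
]
# Assumption: IDs of the legitimate admins (the plan lists six; two are shown here).
LEGIT_ADMIN_IDS = {1, 2}

# WordPress stores roles as a PHP-serialized map: s:<len>:"<role>";b:<0|1>;  (b:1 = granted)
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:([01]);')

def parse_caps(meta_value):
    """Return the set of roles actually granted in a wp_capabilities value."""
    return {role for role, flag in ROLE_RE.findall(meta_value) if flag == "1"}

def serialize_caps(roles):
    """Build a wp_capabilities value granting exactly the given roles."""
    body = "".join(f's:{len(r)}:"{r}";b:1;' for r in sorted(roles))
    return f"a:{len(roles)}:{{{body}}}"

def rogue_admins(rows, legit_ids):
    """User IDs holding 'administrator' that are not on the legitimate-admin list."""
    return sorted(uid for uid, v in rows
                  if "administrator" in parse_caps(v) and uid not in legit_ids)

def demotion_sql(user_id, prefix="wp_"):
    """Direct-SQL demotion to subscriber (for when the plugin filters the UI), then the re-check."""
    caps = serialize_caps({"subscriber"})
    where = f"WHERE user_id={user_id} AND meta_key='{prefix}"
    return [
        f"UPDATE {prefix}usermeta SET meta_value='{caps}' {where}capabilities';",
        # wp_user_level is the legacy numeric level; 0 is what subscriber gets.
        f"UPDATE {prefix}usermeta SET meta_value='0' {where}user_level';",
        f"SELECT meta_value FROM {prefix}usermeta {where}capabilities';",
    ]

if __name__ == "__main__":
    for uid in rogue_admins(SAMPLE_ROWS, LEGIT_ADMIN_IDS):
        print(f"-- user {uid}\n" + "\n".join(demotion_sql(uid)))
```

Re-run rogue_admins on the rows read back after the UPDATE; Phase 1 is not done until it returns an empty list.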
Phase 2 — Full Cleanup (~2 hours)
Rebuild from known-good sources so we can trust the site again.
| # | Task | Notes |
|---|---|---|
| 2.1 | Pull full production site + DB to ~/Local Sites/kmaofny-compromised/ | Already partially started via tar snapshot in 1.0 |
| 2.2 | Diff prod km_associates theme vs our June 2025 local clean copy | Use diff -r; port any legit updates |
| 2.3 | Reinstall WordPress core from wp.org | wp core download --force --locale=en_US |
| 2.4 | Remove or upgrade wp-file-manager (the entry point) | Default to remove unless Liz needs it; replace with maintained alt if so |
| 2.5 | Reinstall all plugins from official sources (wp.org + vendor portals) | Fresh copies — do not trust anything on disk |
| 2.6 | Delete the 3 malicious plugin folders | rm -rf one_images_user widget-* |
| 2.7 | Delete the 6 web shells + fileview.php stray | rm on the .quarantine files after final evidence review |
| 2.8 | Delete rogue DB options | wp option delete _pre_user_id theme_dc_aluma_tools theme_aluma_times |
| 2.9 | Delete bot and admlnlx user accounts | wp user delete 7 8 --reassign=1 |
| 2.10 | Second-pass malware scan | Wordfence free scan or MalCare trial |
| 2.11 | Test site functionality | Front-end pages load, admin login works, Gravity Forms submit, search, FacetWP filters |
Done criteria for Phase 2:
- All plugins reinstalled from verified sources
- wp-file-manager removed or patched
- All malicious artifacts purged from disk and DB
- Site renders and functions normally
- Independent second-pass scan is clean
Phase 3 — Email Reputation Recovery (this week)
Fix the AECOM delivery issue at the source.
| # | Task | Notes |
|---|---|---|
| 3.1 | Verify DKIM records exist for Microsoft 365 | Check selector1._domainkey.kmaofny.com and selector2._domainkey.kmaofny.com |
| 3.2 | Move DMARC from p=none → p=quarantine | Via Earthlink DNS portal |
| 3.3 | Check MxToolbox blacklist status | mxtoolbox.com/SuperTool.aspx?action=blacklist |
| 3.4 | Submit removal requests for any blocklists flagging the domain | Spamhaus, Barracuda, SURBL, etc. |
| 3.5 | Write AECOM security contact with incident summary | Share sanitized INCIDENT-REPORT.md |
| 3.6 | Monitor bounces for 48-72 hours | KMA checks their sent-item bounce reports |
| 3.7 | Graduate DMARC to p=reject once stable | Wait for 1 week of clean monitoring reports |
Done criteria for Phase 3:
- DMARC at p=quarantine minimum, on path to p=reject
- Domain off all public blocklists
- AECOM confirms mail from @kmaofny.com is flowing again
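An added offline check for tasks 3.1, 3.2 and 3.7 (example code, not the plan's own tooling or any Earthlink/Microsoft 365 output): it parses a DMARC TXT record, reports where the policy sits on the none → quarantine → reject ladder and whether aggregate reports are configured, and lists which of the two Microsoft 365 DKIM selector names have no DNS answer. The DMARC strings and the resolved-DNS dict are constructed samples; feed it the records your resolver actually returns to use it live.

```python
# Constructed samples: not live DNS data for kmaofny.com.
CURRENT_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
TARGET_DMARC = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.invalid"
SAMPLE_DNS = {  # fqdn -> CNAME/TXT answer, or None when the lookup returned nothing
    "selector1._domainkey.kmaofny.com": "<cname target, constructed>",
    "selector2._domainkey.kmaofny.com": None,
}

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}
M365_SELECTORS = ("selector1", "selector2")  # selector names Microsoft 365 publishes DKIM under

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; {} if it is not a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def dmarc_findings(txt):
    """Gaps relative to the plan: p=quarantine now (3.2), p=reject once stable (3.7)."""
    tags = parse_dmarc(txt)
    if not tags:
        return ["no valid DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if POLICY_RANK.get(policy, -1) < POLICY_RANK["quarantine"]:
        findings.append(f"policy p={policy} below quarantine (task 3.2)")
    elif policy == "quarantine":
        findings.append("p=quarantine; graduate to p=reject after 1 week clean (task 3.7)")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address, so there are no aggregate reports to monitor")
    return findings

def missing_dkim_selectors(domain, resolved):
    """Selector FQDNs (task 3.1) that have no DNS answer in `resolved` ({fqdn: answer or None})."""
    return [name for name in (f"{sel}._domainkey.{domain}" for sel in M365_SELECTORS)
            if not resolved.get(name)]

if __name__ == "__main__":
    print(dmarc_findings(CURRENT_DMARC))
    print(missing_dkim_selectors("kmaofny.com", SAMPLE_DNS))
```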
Phase 4 — Hardening (next 1-2 weeks)
Prevent recurrence on this site and audit the rest of the G&M portfolio.
| # | Task | Notes |
|---|---|---|
| 4.1 | Install Wordfence (free or premium) | WAF + malware scanner + login security |
| 4.2 | Enforce 2FA for all admin accounts | Wordfence 2FA, or dedicated plugin |
| 4.3 | Rate-limit wp-login.php | Wordfence handles this; or iThemes Security |
| 4.4 | Restrict access to /wp-admin/ and /wp-login.php by IP | Optional, Flywheel access control |
| 4.5 | Remove wp-file-manager permanently | Confirmed with Liz this is not in active use |
| 4.6 | Audit other G&M-hosted sites for weak password convention | Cross-reference Masterdocs, rotate where .CLIENT<service>158! pattern is found |
| 4.7 | Deliver final incident report to Liz + schedule 30-min follow-up call | Use a sanitized copy of INCIDENT-REPORT.md |
| 4.8 | Add KMA to G&M Maintenance Portal | Monthly plugin update monitoring |
| 4.9 | Log time to Harvest | Security engagement — confirm billable status first |
Done criteria for Phase 4:
- Wordfence active and scanning
- 2FA enforced on all admin logins
- Login page rate-limited
- Weak-password audit completed across portfolio
- Final report delivered, KMA added to monthly maintenance
What's NOT in scope
- Microsoft 365 compromise investigation (needs KMA's IT vendor — the @kmaofny.com admin email may have been logged into by the attacker using the reset password)
- KMA internal network or endpoint scans
- PII/breach notification filings (if applicable — depends on whether Gravity Forms submissions contained PII, which is TBD)
Communication plan
| When | Who | What |
|---|---|---|
| Immediately | Liz (initial reply) | Draft pushed — "looking into it today, more soon" ✓ DONE |
| At Phase 1 kickoff | Liz (layman's email) | Plain-language explanation of what happened and what we're doing. 2-3 hour window. |
| End of Phase 2 | Liz | "Site is clean, here are new passwords, here's what we found" |
| End of Phase 3 | Liz + AECOM | "Email reputation restored, DMARC upgraded" |
| End of Phase 4 | Liz (final report) | Full incident report + recommendations + maintenance portal onboarding |
Living document. Update as tasks complete.