wolstech

Everything posted by wolstech

  1. Time to learn I think. Joomla will be the easier of the two to learn, and honestly, once you're used to it, you'll probably end up preferring it. It's just so much better built than WP, and is arguably what WP should have been. I used WP myself initially, then played with Joomla, which I use for a few sites I host elsewhere, and found it to be a better product. It's usually my first choice when building a site for someone these days. I still have a single WP install laying around, which got hacked, and I'm tempted to not bother fixing it. I eventually wrote my own site myself (custom CMS) and have yet to have an issue with that. Programming experience is obviously needed for that method though.
  2. Do you run Wordpress? Many WP installs on Tommy were compromised on Friday, and the hacker did change cPanel passwords as part of the hack using the malware he uploaded. Start by resetting your password here: https://tommy.heliohost.org:2083/resetpass?start=1 After that, check for random number files in your Wordpress installations created on Friday (they'll be in wp-admin and wp-content), and for a user account named AnonymousFox in the users table of the database. If any exists, delete the ENTIRE Wordpress installation and reinstall.
  3. I'm betting he scraped DNS and searched for other domains running WP with the same IP. I can't think of any way he'd be able to browse across accounts locally. One user won't have access to another's home folder.
  4. Something in your Wordpress installation had a security hole that got abused to hack your account. Either you failed to keep it up to date, or you had bad luck and used a plug-in that has a hole. We recommend that people not use Wordpress for this exact reason. It is far too easy to compromise and causes a big mess when it does get compromised.
  5. A user inherently has rights to all files in its home folder as well as the right to change its own password. Scripts execute under the context of the user account that owns them, so by nature, any script within an account has the right to place files anywhere on the account (permissions allowing) or to change the password of the account running it. If the script is running as the user, changing the cpanel password is as simple as executing the passwd command. A cpanel password is actually just the password of the Linux user behind the account. Changing it could be done using nearly any programming language we support, or even by creating a cron job (which is just a file in your home folder). Putting the leafmailer in another site is a matter of just saving it in a different folder.
  6. More than likely WP itself has a bug in it. The other accounts get exploited the same way the first one did. It's relatively easy to scrape a DNS namespace for domains, so more than likely the hacker is trying to do something like the following:

     1. Compromise a single WP install using an unknown security hole and upload scraper script to account.
     2. Run scraper to find other domains on the same IP that have WP installed.
     3. Compromise found WP installs using same unknown exploit used in step 1.
     4. Upload malware to compromised installs and use malware to send phishing emails. Note that the malware may not be used all at once. They may send mail from a few at a time over the course of days or even weeks as accounts get suspended.
     5. Wait for targets to respond to phishing emails.
     6. Use phished credentials to make money (clean out a paypal or bank account, sell the accounts on the underground, etc.)

     The first 3 steps can be done in an hour or two, fully automatically. Step 4 is done over time intentionally (maybe automatically, maybe not). Step 5 is the only one they have no control over, and Step 6 is usually done quickly upon receiving phished data from Step 5 so the data doesn't go stale. We're not the only ones experiencing AnonymousFox. WP is so far denying it's an issue on their end, but other users and servers are seeing this exact hack as well, and not all of them are running cPanel. Considering its past, more than likely WP is the one to blame. This attack only affects users running WordPress. If it were cPanel, we would be seeing accounts hit regardless of the software installed on them.
  7. Did you change the port number? SFTP's port is different on Tommy. Also, try plain unencrypted ftp on port 21 too.
  8. It looks like the actual hack was a single user. Krydos reported that he believes one account was compromised then used to find and infect the other installations. We don't know exactly how it happened though and there's not much to look at. The files the attacker left behind are obfuscated malware, and we know the motive (the leafmailer on several accounts combined with a few logs show that the attacker needed to send phishing email). The issue with AnonymousFox hacks seems to be running rampant across the internet...WP denies it, go figure. We're not the only ones getting hit by it: https://core.trac.wordpress.org/ticket/44554
  9. Applications that include their own server (like yours) are not supported. You need to remove the built-in server, repack as a war that can be served through tomcat on 80 or 443, request tomcat, wait in line, and once active deploy the war.
  10. Any chance they were running WordPress? Numerous WP sites on Tommy got hacked yesterday and we don’t know how: https://www.helionet.org/index/topic/33552-numerous-hacked-accounts-w-wp-on-tommy/
  11. Probably all of it since you were offering TV. You should look for public domain or other content with free redistribution rights. Some content from PBS used to fall in this category but I'm not sure if it still does (though it's likely to be cheap compared to most if it's not free and you wanted to license it).
  12. Wordpress has a major security issue right now, see this topic: https://www.helionet.org/index/topic/33552-numerous-hacked-accounts-w-wp-on-tommy/?view=getnewpost
  13. If you want to build a site that does not offer such content you’re welcome to create a new account.
  14. Rebuild your site. I’d suggest finding another program but if you use wordpress again make sure everything is up-to-date when you install it.
  15. I added deny from all to your htaccess and unsuspended you so you can delete the WP installation.
  16. Didn't get suspended, but my minecraft site did go down and was full of malware...I reset my password, deleted the malware, and tossed a deny from all in .htaccess for now since I have to go to work...http://acmine.tk/ (403 error is intentional until I have time to fix it properly by restoring a backup).
  17. So, I'm seeing a lot of this today. WordPress installs on Tommy are getting hacked left and right. I even got mine hacked when it was fully up to date with no plugins beyond a port checker. Even weirder is that the cPanel password of a compromised account is being changed too. Mine changed, and I know it was not the same password as WP was. The thing I've noticed is that it's very consistent. All affected accounts so far (rax2, z9xdream, danval, usr8481, metals) are:

      • On Tommy
      • Running WordPress
      • Have had their cPanel password changed by the hacker
      • Have had their WP hacked and a backdoor/shell installed
      • Username in WP is changed to "AnonymousFox"

     I described the visible effects of a hacked WP here (as seen on my own account): https://www.helionet.org/index/topic/33543-suspended/?do=findComment&comment=150433 Any ideas on this?
  18. I just found out my own account was compromised too. I had a WP site for Minecraft that was set up in 2014 but up to date as of 7/5...my cP password was changed like everyone else too. I suspect there's either a major hole in WP, or possibly cPanel itself considering account passwords are changing. It's only affecting WP users on Tommy for some reason. That DDoS on Johnny seems to actually be a blessing in disguise as I would not want to deal with several thousand hacked WP sites...and most WP users are on Johnny here.
  19. Nice...decided to check mine...my old WP for a Minecraft server on Tommy is compromised too. And my CP password was changed like everyone else. He uploaded a backdoor too. A file called 4830068200.php in the wp-admin folder...also an htaccess file and a php.ini file (which does nothing on our servers). There was another random number file in wp-content as well as another htaccess and php.ini. The index.php has code to inject the backdoor added right at the top too. And of course I found a leafmailer.php...
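The indicators described in posts 2 and 19 (random-number PHP files in wp-admin and wp-content, a stray .htaccess and php.ini beside them, an include injected at the top of index.php, a leafmailer.php, and a WordPress user named "AnonymousFox") can be checked mechanically. The script below is an added example, not code from the thread or from HelioHost; the six-digit filename threshold and the sample docroot it builds are assumptions, and the users-table rows are passed in rather than read from MySQL.

```python
import re
import tempfile
from pathlib import Path

# Indicators the posts describe: random-number PHP files in wp-admin/wp-content, stray
# .htaccess/php.ini beside them, an include injected at the top of index.php, a
# leafmailer.php, and a WordPress user named "AnonymousFox". Thresholds are assumptions.
NUMERIC_PHP = re.compile(r"^\d{6,}\.php$")
STRAY = {".htaccess", "php.ini"}
INJECT = re.compile(r"(include|require)(_once)?\s*\(?\s*['\"][^'\"]*\d{6,}\.php")

def scan_install(root):
    """Return sorted (indicator, relative path) pairs for one WordPress docroot."""
    root, hits = Path(root), []
    for sub in ("wp-admin", "wp-content"):
        d = root / sub
        for p in ([q for q in d.rglob("*") if q.is_file()] if d.is_dir() else []):
            rel = p.relative_to(root).as_posix()
            if NUMERIC_PHP.match(p.name):
                hits.append(("numeric-php", rel))
            elif p.parent == d and p.name in STRAY:  # WP does not ship these here
                hits.append(("stray-config", rel))
            elif p.name.lower() == "leafmailer.php":
                hits.append(("mailer", rel))
    idx = root / "index.php"
    if idx.is_file() and INJECT.search(idx.read_text(errors="replace")[:4000]):
        hits.append(("index-inject", "index.php"))
    return sorted(hits)

def suspicious_users(rows):
    """rows: (user_login, user_email) tuples pulled from the wp*_users table."""
    return [login for login, _ in rows if login.lower() == "anonymousfox"]

def build_sample(base):
    """Constructed sample docroot mirroring the files named in the posts."""
    files = {
        "index.php": "<?php include('wp-admin/4830068200.php'); /* injected */\n",
        "wp-admin/4830068200.php": "<?php /* obfuscated backdoor stand-in */\n",
        "wp-admin/.htaccess": "Options -Indexes\n", "wp-admin/php.ini": "x\n",
        "wp-content/7719002345.php": "<?php\n", "wp-content/leafmailer.php": "<?php\n",
        "wp-content/themes/twentyseventeen/style.css": "/* legitimate theme file */\n",
    }
    for rel, body in files.items():
        (Path(base) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(base) / rel).write_text(body)
    return base

def demo():  # build the constructed sample in a temp dir and scan it
    with tempfile.TemporaryDirectory() as tmp:
        return scan_install(build_sample(tmp))
```

Run `demo()` to see the six hits from the constructed docroot; point `scan_install()` at a real docroot and feed `suspicious_users()` the login/email columns of the users table to check an actual account.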
  20. You can't due to the suspension right now. I'm going to leave it that way since there's a massive outbreak of this AnonymousFox issue, WordPress seems to have a major security problem at the moment.
  21. Just checked another account and that one's also AnonymousFox'd...on two different WP installs. There's something in common with the WP installations here that's causing this. Either it's WP itself, or you're all using the same compromised plugin (which I doubt).
  22. You can look in the user table of WordPress's database for the username and email address. You should be able to change the username and email address to yours, then reset the password for WP. If I had to guess though, I suspect you'll find the username is going to be "AnonymousFox" since that's what 2 others have reported it being... EDIT: It's AnonymousFox...same as the other hacked accounts. Found in the wp8v_users table...
  23. I honestly don't know how they do that either. My only thought was if you used the same password for WP and cPanel. Compromised WP is easy to get a password hash out of, and rainbow tables can usually crack hashes quite quickly these days. The thing I've noticed is that it's very consistent. All affected accounts so far (yours, danval, usr8481, and metals from the other topic) are:

      • On Tommy
      • Running WordPress
      • Have had their cPanel password changed by the hacker
      • Have had their WP hacked

     The username in WP on at least 2 of them has changed to "AnonymousFox" suggesting it's a single hacker doing this. The cPanel passwords changing and the fact the accounts all share a server is what worries me. I'll have Krydos look at this one too. EDIT: Make it 3 for AnonymousFox. The metals account also has that username in WP...
  24. Yes, by nuke I mean delete. WP generally can't be cleaned once compromised anyway since the attackers often drop backdoors, shells, etc. once they get in, which they can use after the initial hole is fixed. We recommend just deleting it and reinstalling (and better yet, finding other software while you're at it). There's tons of other CMSes out there, and most of those don't have nearly as many issues as WP.
  25. A whole bunch of accounts with WordPress on them got hacked yesterday. They're getting in through WP, then compromise cPanel from there (if I had to guess, people use the same password for cPanel as for the compromised Wordpress install, so they just guess) and change the password. These guys have the same issue with hacked WP and their cPanel password not working following the hack: https://www.helionet.org/index/topic/33536-invalid-login/ So far, there are no reports of non-WP accounts being compromised, so it seems to be the typical WordPress security issues to blame here.