[Solved] Invalid Login

[Krydos]

If your account was affected please delete everything in public_html and restore from a backup that is known to be good, or better yet start over without using wordpress at all.

[dream11]

has the culprit been identified already? 

 

we know its not a plugin

we all were up to date on wp
we all got the cpanel pass compromised too

i dont want start over from zero if i can't identify the culprit, a server issue? two 0 day that allowed first to access to wp then scalate to the cpanel?

[wolstech]

It looks like the actual hack was a single user. Krydos reported that he believes one account was compromised then used to find and infect the other installations.

 

We don't know exactly how it happened though and there's not much to look at. The files the attacker left behind are obfuscated malware, and we know the motive (the leafmailer on several accounts combined with a few logs show that the attacker needed to send phishing email).

 

The issue with AnonymusFox hacks seems to be running rampant across the internet...WP denies it go figure. We're not the only ones getting hit by it: https://core.trac.wordpress.org/ticket/44554

[dream11]

i fail to understand how a compromissed wp account can be "extended" to other wp accounts,

might be related to a softaculous  issue? i did use it to install wp, and i remember over softaculous its possible to access to wp-admin in a single click,

 

dont know if there might be any correlation, same server... and lot of updated wp accounts... they all must have something in common

Edited July 22, 2018 by dream11

[wolstech]

More than likely WP itself has a bug in it. The other accounts get exploited the same way the first one did.

 

It's relatively easy to scrape a DNS namespace for domains, so more than likely the hacker is trying to do something like the following:

1. Compromise a single WP install using an unknown security hole and upload scraper script to account.
2. Run scraper to find other domains on the same IP that have WP installed.
3. Compromise found WP installs using same unknown exploit used in step 1.
4. Upload malware to compromised installs and use malware to send phishing emails. Note that the malware may not be used all at once. They may send mail from a few at a time over the course of days or even weeks as accounts get suspended.
5. Wait for targets to respond to phishing emails.
6. Use phished credentials to make money (clean out a paypal or bank account, sell the accounts on the underground, etc.)

The first 3 steps can be done in an hour or two, fully automatically. Step 4 is done over time intentionally (maybe automatically, maybe not). Step 5 is the only one they have no control over, and Step 6 is usually done quickly upon receiving phished data from Step 5 so the data doesn't go stale.

 

We're not the only ones experiencing AnonymousFox. WP is so far denying it's an issue on their end, but other users and servers are seeing this exact hack as well, and not all of them are running cPanel. Considering its past, more than likely WP is the ones to blame. This attack only affects users running WordPress. If it were cPanel, we would be seeing accounts hit regardless of the software installed on them.

[dream11]

but, does that explain the fact they were able to change cpanel passwords?

if they can compromise any clean wp up to date, then looks like makes no sense restoring any backup or just make a site again on wp until someone identify the actual bug,

Edited July 22, 2018 by dream11

[dream11]

i just found cpanel also accepts 2FA,

i know that would not had helped a lot if someone success to install a php shell over a wordpress bug,
but enabling it, would had helped to avoid a cpanel password change? or even access to other website in the same host? like they did, since i found the leafmailer also inside a second website i have in my account, and its not made with wordpress,

just wondering if the way they used to change the cpanel password might had been done in such way a 2FA would had made no difference,
 

[wolstech]

A user inherently has rights to all files in its home folder as well as the right to change its own password. Scripts execute under the context of the user account that owns them, so by nature, any script within an account has the right to place files anywhere on the account (permissions allowing) or to change the password of the account running it.

 

If the script is running as the user, changing the cpanel password is as simple as executing the passwd command. A cpanel password is actually just the password of the Linux user behind the account. Changing it could be done using nearly any programming language we support, or even by creating a cron job (which is just a file in your home folder).

 

Putting the leafmailer in another site is a matter of just saving it in a different folder.

[dream11]

i downloaded the ofuscated  shell file and avira started to scream,

its not possible to install some antivirus in the server so php file shells can't be hosted ? that might help ?

[eeze]

My wordpress install on Tommy was also compromised by "AnonymousFox". I am going to start with nuking my installation. I was tipped off by google webmaster reporting a new owner has been verified. What is the likelihood that the server is compromised on a system level?

 

All of my passwords are unique so my email wasn't compromised in the process.

Edited July 22, 2018 by eeze

[dream11]

any of the people hacked had the default /wp-admin  or login.php  changed so they can't be accessed ?
or you all like me had the default URL setting to login access

wondering if this bug also affects on wordpress installs that had this feature ofuscated for better security

Edited July 26, 2018 by dream11

[wolstech]

Mine was hacked, and it had a plugin that replaced the login system (it was a minecraft site, it uses a minecraft account to sign in...). The files were not renamed, but the users table he edited wasn't even being used except for options. The actual authentication was done against a server run by Mojang (er, Microsoft now), not the password field in the database.

[dream11]

Mine was hacked, and it had a plugin that replaced the login system (it was a minecraft site, it uses a minecraft account to sign in...). The files were not renamed, but the users table he edited wasn't even being used except for options. The actual authentication was done against a server run by Mojang (er, Microsoft now), not the password field in the database.

so in your case the login details where in a third party server,

 

but does that means in your case the login url was still    xxx.com/wp-login.php  ?

 

maybe access to the login URL is a must for the bug to take efect, even if the way the manage to join is bypasses ese real login data

[Krydos]

I wouldn't risk it personally. Having wordpress installed on your account is just a time bomb. Eventually it will be hacked, and it will be a mess.