wolstech Posted July 21, 2018
Just nuke everything inside of public_html (don't delete the folder itself) at this point. Odds are there's a backdoor installed somewhere. Also, if you don't have time to fix this now, I can suspend you if you'd like, until you are ready to fix it.
dream11 Posted July 21, 2018
What do you mean by nuke? Delete all content from public_html? I ended up changing the nameservers to avoid access from the URL, but it might take some time to update... I need to know what the bug was. I mean, maybe a plugin we all have in common? I started to deactivate most plugins I have. How do I know which plugin is compromised, if that's the problem? Might it be a WordPress zero day? I am so puzzled.
usr8481 Posted July 21, 2018
Why don't you have a backup? You should not live like this :) Try to back up things.
Edited July 21, 2018 by usr8481
wolstech Posted July 21, 2018
Yes, by nuke I mean delete. WP generally can't be cleaned once compromised anyway, since the attackers often drop backdoors, shells, etc. once they get in, which they can use after the initial hole is fixed. We recommend just deleting it and reinstalling (and better yet, finding other software while you're at it). There's tons of other CMSes out there, and most of those don't have nearly as many issues as WP.
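Before wiping public_html it helps to know which files the attacker added or altered, both to understand the entry point and to check that the "clean" backup you restore is actually clean. The script below is an added example written for this thread, not code from the forum or from HelioHost: it hashes a known-good copy of the web root into a manifest, then compares the live tree against it and greps PHP files for common obfuscation calls. The directory layout, file contents and the dropped file name are all constructed for the demo.

```python
"""Integrity check for a web root after a suspected compromise.

Constructed example: compares a web root against a manifest of SHA-256
hashes taken from a known-good copy, and greps PHP files for common
obfuscation patterns so that added or altered files can be found before
deciding what to delete.  All paths and file contents below are made up.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Calls that legitimate WordPress code rarely makes directly; a hit is a
# lead to inspect by hand, not proof of a backdoor.
SUSPICIOUS = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|assert)\s*\(",
    re.IGNORECASE,
)
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".inc"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256; run this on a clean copy."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def scan(root: Path, manifest: dict) -> dict:
    """Report files added, missing or modified relative to the manifest,
    plus any PHP file whose contents match SUSPICIOUS."""
    current = build_manifest(root)
    added = sorted(set(current) - set(manifest))
    missing = sorted(set(manifest) - set(current))
    modified = sorted(p for p in current if p in manifest and current[p] != manifest[p])
    suspicious = []
    for rel in current:
        path = root / rel
        if path.suffix.lower() in PHP_SUFFIXES:
            text = path.read_text(errors="replace")
            if SUSPICIOUS.search(text):
                suspicious.append(rel)
    return {
        "added": added,
        "missing": missing,
        "modified": modified,
        "suspicious": sorted(suspicious),
    }


def demo() -> dict:
    """Build a tiny constructed web root, baseline it, tamper with it, scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "public_html"
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
        (root / "wp-blog-header.php").write_text("<?php // placeholder for the real file\n")
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        baseline = build_manifest(root)  # taken while the site was still clean

        # Constructed tampering: a hidden PHP file dropped into uploads and a
        # line appended to a core file.  The base64 string is just "echo 'hi';".
        (root / "wp-content" / "uploads" / ".cache.php").write_text(
            "<?php eval(base64_decode('ZWNobyAnaGknOw=='));\n"
        )
        with (root / "index.php").open("a") as f:
            f.write("@include 'wp-content/uploads/.cache.php';\n")

        return scan(root, baseline)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

On a real account you would build the manifest from a fresh download of the same WordPress release plus your own themes and plugins, and diff the live public_html against it; anything in "added" or "modified" is what to look at before the rest is deleted. Hits on the obfuscation regex inside wp-content/uploads are especially worth attention, since that directory should never contain executable PHP.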
usr8481 Posted July 21, 2018
P.S. Here's the Last Login IP from my cPanel. It's not mine; maybe it's the IP of the HelioHost administrators, or maybe it's the hacker's IP and should be banned: 65.19.143.5
Edited July 21, 2018 by usr8481
dream11 Posted July 21, 2018
How can they change the cPanel password with a WordPress bug? Is that possible?
Edited July 21, 2018 by dream11
wolstech Posted July 21, 2018
I honestly don't know how they do that either. My only thought was if you used the same password for WP and cPanel. Compromised WP is easy to get a password hash out of, and rainbow tables can usually crack hashes quite quickly these days. The thing I've noticed is that it's very consistent. All affected accounts so far (yours, danval, usr8481, and metals from the other topic) are:
- On Tommy
- Running WordPress
- Have had their cPanel password changed by the hacker
- Have had their WP hacked
The username in WP on at least 2 of them has changed to "AnonymousFox", suggesting it's a single hacker doing this. The cPanel passwords changing and the fact the accounts all share a server is what worries me. I'll have Krydos look at this one too.
EDIT: Make it 3 for AnonymousFox. The metals account also has that username in WP...
Edited July 21, 2018 by wolstech
danval Posted July 21, 2018
> Wordpress is well known for severe security issues and is laughably easy to compromise
Yes, this CMS is a headache. I had WordPress up to date, and they still managed to attack it with success. If you don't have a backup, the best option is:
- Do a fresh install.
- Install the Wordfence plugin. It's free and can help you in these cases.
- Update regularly: plugins, themes and core.
- Do regular backups.
This is the best option to fight against attacks, although they will continue to happen, and some of them with success. Anyway, this surely is due to a hole in WordPress, but how have they managed to change the cPanel password? This is the most frustrating thing that I have found so far...
wolstech Posted July 21, 2018
Just checked another account and that one's also AnonymousFox'd... on two different WP installs. There's something in common with the WP installations here that's causing this. Either it's WP itself, or you're all using the same compromised plugin (which I doubt).
dream11 Posted July 21, 2018
My cPanel password was not the same as the one used on the WordPress admin.
dream11 Posted July 21, 2018
Mine are those, but not all are enabled anyway, just installed. And as far as I see, we don't share a single one right now.
danval Posted July 21, 2018
> I'll have Krydos look at this one too.
Thank you Wolstech.
> Have had their cPanel password changed by the hacker.
This is the strangest thing. I can tell you that my password was very strong (mixed letters and numbers, and not a common word), so a reverse hash would be impossible. It would be interesting to determine if those affected are only those who have WordPress installed. I noticed the problem yesterday (Friday 20th at 14:53PM CEST) because Wordfence mailed me about an unexpected administrator login. Another account that was compromised was raqbul (belongs to a member of my family), at the same time.
Edited July 21, 2018 by danval
danval Posted July 21, 2018
> Just checked another account and that one's also AnonymousFox'd... on two different WP installs. There's something in common with the WP installations here that's causing this. Either it's WP itself, or you're all using the same compromised plugin (which I doubt).
Maybe a 0-day attack? I updated WordPress to 4.9.7 on 5th July.
wolstech Posted July 21, 2018
I just found out my own account was compromised too. I had a WP site for Minecraft that was set up in 2014 but up to date as of 7/5... my cP password was changed like everyone else's too. I suspect there's either a major hole in WP, or possibly cPanel itself, considering account passwords are changing. It's only affecting WP users on Tommy for some reason. That DDoS on Johnny seems to actually be a blessing in disguise, as I would not want to deal with several thousand hacked WP sites... and most WP users are on Johnny here.