Jump to content

[Solved] Invalid Login

hdkw1996

By hdkw1996
in Escalated Requests

 Share

Recommended Posts

wolstech Grand Master

wolstech

Posted
Posted

Just nuke everything inside of public_html (don't delete the folder itself) at this point. Odds are there's a backdoor installed somewhere.

 

Also, if you don't have time to fix this now, I can suspend you if you'd like, until you are ready to fix it.

Link to comment
Share on other sites
  • Replies 43
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

wolstech
wolstech

Mine was hacked, and it had a plugin that replaced the login system (it was a minecraft site, it uses a minecraft account to sign in...). The files were not renamed, but the users table he edited wasn

dream11 Newbie

dream11

Posted
Posted

what you mean with nuke? delete all content from public_html?

i end up changin the nameservers to avoid access from the URL but it might take some time to update...

need to know what was the bug, i mean, maybe a plugin we all have in common?  started to deactivate most plugins i have, how to know the compromised plugin if its that the problem? might be a wordpress zero day? i am so puzzled 

Link to comment
Share on other sites
wolstech Grand Master

wolstech

Posted
Posted

Yes, by nuke I mean delete. WP generally can't be cleaned once compromised anyway since the attackers often drop backdoors, shells, etc. once they get in, which they can use after the initial hole is fixed.

 

We recommend just deleting it and reinstalling (and better yet, finding other software while you're at it). There's tons of other CMSes out there, and most of those don't have nearly as many issues as WP.

Link to comment
Share on other sites
wolstech Grand Master

wolstech

Posted
Posted (edited)

I honestly don't know how they do that either. My only thought was if you used the same password for WP and cPanel. Compromised WP is easy to get a password hash out of, and rainbow tables can usually crack hashes quite quickly these days.

 

The thing I've noticed is that its very consistent. All affected accounts so far (yours, danval, usr8481, and metals from the other topic) are:

  • On Tommy
  • Running WordPress
  • Have had their cPanel password changed by the hacker
  • Have had their WP hacked
  • The username in WP on at least 2 of them has changed to "AnonymousFox" suggesting it's a single hacker doing this.

 

The cPanel passwords changing and the fact the accounts all share a server is what worries me. I'll have Krydos look at this one too.

 

EDIT: Make it 3 for AnonymousFox. The metals account also has that username in WP...

Edited by wolstech
Link to comment
Share on other sites
danval Newbie

danval

Posted
Posted

Wordpress is well known for severe security issues and is laughably easy to compromise

 

Yes, this CMS is a headache. I had Wordpress up to date, and they still managed to attack it with success.

 

If you don't have a backup, the best option is:

  1. Do a fresh install.
  2. Install the Wordfence plugin. It's free and can help you in this cases.
  3. Up to date regularly: plugins, themes and core.
  4. Do regularly backups.

This is the best option to fight against attacks, although they will continue to happen. And some of them with success :(

 

Anyway, this surely it is due to a hole in Wordpress, but how have they managed to change the cPanel password? This is the most frustrating thing I that I found so far...

Link to comment
Share on other sites
wolstech Grand Master

wolstech

Posted
Posted

Just checked another account and that one's also AnonymousFox'd...on two different WP installs.

 

There's something in common with the WP installations here that's causing this. Either it's WP itself, or you're all using the same compromised plugin (which I doubt).

Link to comment
Share on other sites
danval Newbie

danval

Posted
Posted (edited)

I'll have Krydos look at this one too.

 

Thank you Wolstech.

 

Have had their cPanel password changed by the hacker.

 

This is the most strange thing. I can tell you that my password was very strong (mixed letters an numbers, and not a common word). So a reverse hash could be imposible.

 

It would be interesting to determine if those affected are only those who have a Wordpress installed.

 

I notice the problem yesterday (Friday 20th at 14:53PM CEST) because Wordfence mailed me about an unexpected administrator login.

 

Other account that was compromised was raqbul (belongs to a member of my family) at the same time.

Edited by danval
Link to comment
Share on other sites
danval Newbie

danval

Posted
Posted

Just checked another account and that one's also AnonymousFox'd...on two different WP installs.

 

There's something in common with the WP installations here that's causing this. Either it's WP itself, or you're all using the same compromised plugin (which I doubt).

 

Maybe a 0-day attack? I update Wordpress to 4.9.7 on 5th July.

Link to comment
Share on other sites
wolstech Grand Master

wolstech

Posted
Posted

I just found out my own account was compromised too. I had a WP site for Minecraft that was set up in 2014 but up to date as of 7/5...my cP password was changed like everyone else too.

 

I suspect there's either a major hole in WP, or possibly cPanel itself considering account passwords are changing. It's only affecting WP users on Tommy for some reason. That DDoS on Johnny seems to actually be a blessing in disguise as I would not want to deal with several thousand hacked WP sites...and most WP users are on Johnny here.

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing
×
×
  • Create New...