wolstech, Posted July 21, 2018

So, I'm seeing a lot of this today. WordPress installs on Tommy are getting hacked left and right. I even got mine hacked when it was fully up to date with no plugins beyond a port checker. Even weirder is that the cPanel password of a compromised account is being changed too. Mine changed, and I know it was not the same password as WP was.

The thing I've noticed is that it's very consistent. All affected accounts so far (rax2, z9xdream, danval, usr8481, metals) are:

- On Tommy
- Running WordPress
- Have had their cPanel password changed by the hacker
- Have had their WP hacked and a backdoor/shell installed
- Username in WP is changed to "AnonymousFox"

I described the visible effects of a hacked WP here (as seen on my own account): https://www.helionet.org/index/topic/33543-suspended/?do=findComment&comment=150433

Any ideas on this?
Krydos, Posted July 21, 2018

It looks like metals was the first WordPress hacked externally, and then he used a scanner on that account to look for other WordPress installs. If you don't remember, metals was the account that was causing massive issues on Tommy and was banished to Johnny for quite a while because of it.
yashrs, Posted July 22, 2018

> It looks like metals was the first WordPress hacked externally, and then he used a scanner on that account to look for other WordPress installs. If you don't remember, metals was the account that was causing massive issues on Tommy and was banished to Johnny for quite a while because of it.

How can he scan other users' files?
wolstech (Author), Posted July 22, 2018

I'm betting he scraped DNS and searched for other domains running WP with the same IP. I can't think of any way he'd be able to browse across accounts locally. One user won't have access to another's home folder.
skully, Posted July 22, 2018

AnonymousFox info / screenshot I got from Wordfence...
eeze, Posted July 22, 2018

Immediately after my account was compromised, a verification HTML file was added to public_html associated with Google Search Console. The Google account user that was added as an owner was umartynukalia65@gmail.com
wolstech (Author), Posted July 23, 2018

Looks like the compromise's purpose was not just phishing emails with that leafmailer.php, but they're setting up the actual phishing websites on them as well. I suspect a lot of our Tommy users who aren't aware of this hack are about to get phishing bans.

I just banned an account that had a phishing site uploaded (Bank of America phishing). I checked its databases and confirmed that it was indeed AnonymousFox'd. This guy had his account for a year. His domain is now flagged on Google as Deceptive as well...

/home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018/worxsz/Validation/step6.php
/home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018/worxsz/b400207e72aeab4eeffc53d317b8f5d6/step6.php
/home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018/worxsz/25fd28df336fcf7ae0fd51a5881a7b91/step6.php
/home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018/worxsz/dc4a49c1f699bf96baae178003c659a9/step6.php
/home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018/worxsz/c9b235e46164fa42699a51a44b192fbf/step6.php
/home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018/worxsz/4c9fabe8e899cf54cabeb8952e56682d/step6.php
/home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018/worxsz/bdfc473696eadceec723041abd35d4ef/step6.php
skully, Posted July 23, 2018

Just found hacked config, index, and htaccess files on the main cPanel account, separate from the WordPress folder. Searched for files changed on July 20th (day of hack) and these came up (see below). I also found a perl5 folder in the directory that was modified on that date?

One more question... I have these listed in email accounts that I did not create... Is it being used as a spam mailer, and should I delete?

infoserver@skullythepirate.com
smtp@skullythepirate.com

Need instructions on how to delete these and replace with valid files.
wolstech (Author), Posted July 23, 2018

That htaccess is normal; those two folders with the random number files and php.ini are malware and should be deleted in their entirety.
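The triage that skully describes (searching for files changed on the day of the hack and then deciding which hits are malware) and the indicators raised earlier in the thread (scripts under a lookalike `wp-admins` directory, a nested php.ini, an unexpected Google Search Console verification file in public_html) can be scripted so the change set is reviewed consistently. The following is an added example written for this thread, not a tool from the forum or from WordPress; it runs against a constructed sample tree built in a temp directory, and the heuristics in `classify` are the author's own assumptions about what deserves a second look, not a definition of malware.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Directories a stock WordPress install is expected to have at its root.
WP_CORE_DIRS = {"wp-admin", "wp-content", "wp-includes"}
SCRIPT_SUFFIXES = {".php", ".phtml", ".pl"}
# Google Search Console HTML verification files look like google<hex>.html.
SEARCH_CONSOLE_RE = re.compile(r"^google[0-9a-f]+\.html$")


def looks_like_wp_dir(name):
    """True if `name` imitates a WordPress core directory without being one,
    e.g. 'wp-admins' (seen in this thread) next to the real 'wp-admin'."""
    if name in WP_CORE_DIRS:
        return False
    return name.startswith("wp-") and any(name.startswith(core) for core in WP_CORE_DIRS)


def files_modified_between(root, start, end):
    """Yield every regular file under `root` whose mtime lies in [start, end]."""
    for path in Path(root).rglob("*"):
        if path.is_file():
            mtime = datetime.fromtimestamp(path.stat().st_mtime)
            if start <= mtime <= end:
                yield path


def classify(root, path):
    """Return the reasons this file deserves review (empty list if none).
    Heuristics are assumptions for this example, not a malware definition."""
    rel = path.relative_to(root)
    parts = rel.parts
    reasons = []
    if path.suffix.lower() in SCRIPT_SUFFIXES:
        if "uploads" in parts[:-1]:
            reasons.append("script inside an uploads directory (should hold media only)")
        if any(looks_like_wp_dir(p) for p in parts[:-1]):
            reasons.append("script under a directory imitating a WordPress core directory")
    if path.name == "php.ini" and len(parts) > 1:
        reasons.append("nested php.ini (can change PHP settings for dropped scripts)")
    if len(parts) == 1 and SEARCH_CONSOLE_RE.match(path.name):
        reasons.append("Search Console verification file: confirm you added it")
    return reasons


def triage(root, start, end):
    """Map each file modified in the window to its review reasons. Files with
    no reasons are kept (empty list) so the full change set is still visible."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): classify(root, path)
        for path in files_modified_between(root, start, end)
    }


def build_sample_site():
    """Constructed sample tree for the example; no real account data."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    hack_day = datetime(2018, 7, 20, 14, 30)
    earlier = hack_day - timedelta(days=40)
    files = {
        "index.php": earlier,
        "wp-config.php": earlier,
        "wp-admin/index.php": earlier,
        "wp-content/uploads/2018/07/photo.jpg": earlier,
        "wp-content/uploads/2018/07/img.php": hack_day,          # script where media belongs
        "wp-admins/euihdus/step6.php": hack_day,                  # lookalike core directory
        "wp-admins/euihdus/php.ini": hack_day,                    # nested php.ini
        "google0123456789abcdef.html": hack_day,                  # constructed verification file
        "wp-content/themes/twentyseventeen/style.css": hack_day,  # legitimate edit, same day
    }
    for rel, when in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample\n")
        os.utime(p, (when.timestamp(), when.timestamp()))
    return root, hack_day


def run_sample():
    """Triage the constructed site over a one-day window around the hack."""
    root, hack_day = build_sample_site()
    window = timedelta(hours=12)
    return triage(root, hack_day - window, hack_day + window)


if __name__ == "__main__":
    for rel, reasons in sorted(run_sample().items()):
        print(rel, "->", "; ".join(reasons) if reasons else "no flags, review manually")
```

On a real account the `build_sample_site` step is replaced by pointing `triage` at public_html with the window taken from the hosting provider's notice or from the date of the first unexplained password change; the unflagged entries still matter, since a modified theme or config file on the day of the hack is exactly the "hacked config and index" skully found.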
skully, Posted July 23, 2018

The two email addresses I listed in my previous post...

infoserver@skullythepirate.com
smtp@skullythepirate.com

I didn't create them... can they be deleted, or are they needed by the email system?
wolstech (Author), Posted July 23, 2018

Nope. Both are likely from the malware. If they aren't yours, remove them. If you check them, I'll bet they have phishing mails in their sent folder.
skully, Posted July 23, 2018

I was able to delete the smtp@skullythepirate.com address. Here is the error message I get when I try to delete the other (infoserver@skullythepirate.com):

(XID td9nxu) You do not have an email account named "infoserver@skullythepirate.com".