engrish Posted July 23, 2018

Not actually suspended, but WP was hacked like the rest of the recent suspended accounts. Can't login at cpanel and can't reset my cpanel password. The WP installation is at http://engrishcheck.me/blog

Please advise and help! Thank you!

Username: engrchk
Server: Tommy
Main domain: engrishcheck.me
Byron Posted July 23, 2018

Also see this thread for fixing your site: https://www.helionet.org/index/topic/33553-suspended-jptiger/
engrish (Author) Posted July 24, 2018

I started my investigation by first going through the access logs. My guess is that the attacks started on the 17th of July.

First, on the 17th of July there were hundreds of attempts to log in at my WP site from this IP:

23.94.66.178 - - [17/Jul/2018:22:19:59 +0000] "POST /blog//wp-login.php HTTP/1.0" 401 3448 "-" "-"

The IP is somewhere in Buffalo, NY: https://ipalyzer.com/23.94.66.178
IP Owner is someone named ComelyHost

Then, I found this IP was trying to access my WP site several times on the 20th of July. Here is the info from the log:

95.174.64.69 - - [20/Jul/2018:03:15:50 +0000] "GET //blog/wp-login.php HTTP/1.1" 200 1687 "http://engrishcheck.com/" "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.16.69 (KHTML, like Gecko) Version/4.7.2 Safari/533.24"
95.174.64.69 - - [20/Jul/2018:03:15:53 +0000] "GET //blog/?author=1 HTTP/1.1" 200 9301 "http://engrishcheck.com/" "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.16.69 (KHTML, like Gecko) Version/4.7.2 Safari/533.24"

This kept going until "GET /blog/?author=30".

The IP is somewhere in Milan, Italy: https://ipalyzer.com/95.174.64.69
IP Owner is someone named GLOBALAXS NOC MILAN

Then on the same day this:

46.250.4.149 - - [20/Jul/2018:18:17:20 +0000] "GET //blog/?author=1 HTTP/1.1" 200 9301 "http://engrishcheck.com/" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:52.56.09) Gecko/20167285 Firefox/52.56.09"

This kept going until "GET /blog/?author=29".

The IP is somewhere in ODESSA, UKRAINE: https://ipalyzer.com/46.250.4.149
IP Owner is someone named TOV TRK Briz

Then again on the 23rd this IP was trying to access my WP site several times:

41.149.72.132 - - [23/Jul/2018:06:14:04 +0200] "GET /blog/?author=1 HTTP/1.1" 301 246 "-" "Mozilla/5.0 (X11; U; Linux i686; pt-BR; rv:1.9.0.15) Gecko/2009102815 Ubuntu/9.04 (jaunty) Firefox/3.0.15"

This kept going until "GET /blog/?author=10".

Then it tried to access this hundreds of times:

41.149.72.132 - - [23/Jul/2018:04:14:36 +0000] "POST /blog//wp-login.php HTTP/1.1" 301 250 "-" "Mozilla/5.0 (X11; U; Linux i686; pt-BR; rv:1.9.0.15) Gecko/2009102815 Ubuntu/9.04 (jaunty) Firefox/3.0.15"

The IP is somewhere in South Africa: https://ipalyzer.com/41.149.72.132
IP Owner is someone named Markus Stoltz

Any comments? What kind of WP vulnerability allowed that to happen and managed to get cpanel access? Must be 0day, since I religiously update WP to the latest release...
engrish (Author) Posted July 24, 2018

Brute force attack? I found this about something called "user enumeration attack": https://perishablepress.com/stop-user-enumeration-wordpress/
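As an added example that is not part of this thread, of the poster's own investigation, or of any HelioNet tooling: a small Python script that parses cPanel/Apache combined-format access-log lines like the ones quoted in the posts above and flags the two patterns described there, a sweep of ?author=N requests (user enumeration) and a flood of POSTs to wp-login.php (password guessing), reporting the first and last time each flagged IP was seen so the start of the activity can be dated. The log lines it runs on are constructed here using RFC 5737 test addresses and are not copied from the site; the /blog path prefix, the thresholds and every function name are assumptions.

```python
"""Flag ?author=N enumeration sweeps and wp-login.php POST floods in an
Apache/cPanel access log.  Hypothetical helper written for this thread; the
thresholds and the sample lines below are constructed, not taken from any site."""
import re
from collections import defaultdict
from datetime import datetime

# One entry of the Apache "combined" log format, as cPanel writes it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Tolerate the doubled slashes seen in the thread (/blog//wp-login.php, //blog/?author=1).
# The /blog prefix is an assumption matching the thread's install path.
AUTHOR_RE = re.compile(r'^/+blog/+\?author=(\d+)$')
LOGIN_RE = re.compile(r'^/+blog/+wp-login\.php$')


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip('\n'))
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['time'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def analyze(lines, enum_threshold=5, login_threshold=20):
    """Map each suspicious IP to its findings and first/last seen times.

    enum_threshold: distinct ?author= IDs from one IP before it counts as a sweep.
    login_threshold: POSTs to wp-login.php from one IP before it counts as guessing.
    """
    author_ids = defaultdict(set)
    login_posts = defaultdict(int)
    seen = {}  # ip -> [first_seen, last_seen]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash on a real log
        ip, path = rec['ip'], rec['path']
        span = seen.setdefault(ip, [rec['time'], rec['time']])
        span[0] = min(span[0], rec['time'])
        span[1] = max(span[1], rec['time'])
        am = AUTHOR_RE.match(path)
        if rec['method'] == 'GET' and am:
            author_ids[ip].add(int(am.group(1)))
        elif rec['method'] == 'POST' and LOGIN_RE.match(path):
            login_posts[ip] += 1

    findings = {}
    for ip, ids in author_ids.items():
        if len(ids) >= enum_threshold:
            findings.setdefault(ip, []).append(
                f'author enumeration: {len(ids)} IDs ({min(ids)}..{max(ids)})')
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings.setdefault(ip, []).append(f'wp-login.php POST flood: {n} POSTs')
    return {ip: {'findings': f, 'first_seen': seen[ip][0], 'last_seen': seen[ip][1]}
            for ip, f in findings.items()}


def _line(ip, ts, method, path, status, ua='-'):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 1234 "-" "{ua}"'


# Constructed sample log (RFC 5737 test addresses), shaped like the thread's entries:
# one IP sweeps author IDs 1..8, one IP POSTs 25 times to wp-login.php,
# and one IP makes two ordinary requests that should not be flagged.
SAMPLE_LOG = (
    [_line('192.0.2.10', f'20/Jul/2018:03:15:{50 + i:02d} +0000', 'GET',
           f'//blog/?author={i + 1}', 200) for i in range(8)]
    + [_line('198.51.100.7', f'23/Jul/2018:04:14:{i:02d} +0000', 'POST',
             '/blog//wp-login.php', 401) for i in range(25)]
    + [_line('203.0.113.5', '21/Jul/2018:10:00:00 +0000', 'GET', '/blog/?author=1', 200),
       _line('203.0.113.5', '21/Jul/2018:10:00:01 +0000', 'GET', '/blog/2018/07/hello/', 200)]
)


def report(lines, **thresholds):
    """Render analyze() output as text, one IP per block, sorted by IP."""
    out = []
    for ip, info in sorted(analyze(lines, **thresholds).items()):
        out.append(f"{ip}: first seen {info['first_seen']:%Y-%m-%d %H:%M}, "
                   f"last seen {info['last_seen']:%Y-%m-%d %H:%M}")
        out.extend(f'  - {f}' for f in info['findings'])
    return '\n'.join(out)


if __name__ == '__main__':
    # On a real server: print(report(open('/path/to/access-log')))
    print(report(SAMPLE_LOG))
```

Run it against the real file with analyze(open('access-log')) and adjust the two thresholds to the site's normal traffic. The script only surfaces reconnaissance and credential-guessing traffic; whether any attempt actually succeeded has to be read from the status codes and from what the flagged IP fetched afterwards, and neither pattern on its own explains how cPanel access was obtained.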
engrish (Author) Posted July 24, 2018

I have a feeling that the compromise was based on this: https://secupress.me/blog/wordpress-core-vulnerability-496/