Posted (edited)

Server: Tommy
Domain: skullythepirate.com

 

I reinstalled WP after the hack and deleted all files from database, directory and email that had been affected (anonymousfox).

Everything has been working completely normally since I reinstalled. I have seen no evidence of phishing originating from my site.

 

To be honest, advance notification about pending suspension would have been appreciated if it was related to wp install.

Because of the suspension, I'm unable to receive email from several domains, which is problematic since they are used on ebay and several other sites that require prompt responses.

 

I do not have a backup of this domain; had I known in advance of the suspension, I could have done so.

 

I do understand the disruption such a hack creates for you guys and appreciate your service.

 

Thanks!

Edited by skully
Posted

I unsuspended you again. I think you still have something compromised though. Our servers were updated yesterday to auto-suspend anyone who executes the malicious files or has the anonymousfox user present.

 

Note that even though WP is the attack vector, we've found the hacker sometimes places the modified index.php files and the malware random number files well outside of WP installs on compromised accounts. Open all of your index.php files and ensure there's no random gibberish or eval statement at the top.

Posted

It won't stay unsuspended so I may end up needing to give you a new account after all. I'll take a closer look when I'm at a PC later this morning.

 

EDIT: You missed a malicious index.php in the root of public_html. I've deleted it for you and took a look through your other folders. Your account now seems to be staying unsuspended. I put in a test index file pointed to /wp/ so your dir listing isn't showing, however I don't know if the content is correct for the domain.

Posted (edited)

Checked this morning and found the following; not sure if these are problems...
Also discovered a F0x folder, which I put in the trash (it doesn't delete when I try to empty the trash?). Still looking around for additional problems.

Haven't been able to connect to SFTP this morning and still unable to receive email.
skullythepirate.com/wp site is opening and content is in order.

 

UPDATE: Looks as though Drupal and Joomla may be infected also based on what I see in F0x folder

 






 

Edited by skully
Posted (edited)

That's the stuff AnonymousFox used to compromise the server by the looks of it. We thought metals was to blame, but it looks like your account may be the initial entry point based on that. Krydos and I will find those files very interesting, and some security researchers may as well.

 

EDIT: You will be getting a new account. There are things like direct symlinks to system files on your account.

 

An invite will be sent shortly once I get your domains released so you can use them again.

Edited by wolstech
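Added example, not part of the original thread or the host's own tooling: a Python sketch of the two manual checks the staff describe above, run across the whole account rather than only the WP install. It flags any index.php whose first bytes contain an eval call or a long encoded-looking run, and any symlink that resolves outside the account. The function names, the 4096-byte window and the 200-character threshold are assumptions of this example.

```python
import os
import re
import sys

# Heuristics assumed by this example; not a signature for any specific malware.
EVAL_RE = re.compile(rb"\beval\s*\(", re.I)      # eval statement
BLOB_RE = re.compile(rb"[A-Za-z0-9+/=]{200,}")   # long unbroken "gibberish" run
HEAD_BYTES = 4096                                # only the top of the file


def check_index_head(path):
    """Return the reasons the top of this PHP file looks suspicious."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
    reasons = []
    if EVAL_RE.search(head):
        reasons.append("eval( near top")
    if BLOB_RE.search(head):
        reasons.append("long encoded blob near top")
    return reasons


def scan_account(home):
    """Walk the whole account and return (path, reason) findings."""
    home = os.path.realpath(home)
    findings = []
    # followlinks=False: symlinked directories are listed but never entered.
    for root, dirs, files in os.walk(home, followlinks=False):
        for name in dirs + files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([home, target]) != home:
                    findings.append((path, "symlink leaves account: " + target))
            elif name.lower() == "index.php":
                try:
                    for reason in check_index_head(path):
                        findings.append((path, reason))
                except OSError as exc:
                    findings.append((path, "unreadable: %s" % exc))
    return findings


if __name__ == "__main__":
    start = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reason in scan_account(start):
        print("%s\t%s" % (path, reason))
```

Hits are candidates for manual review, since some legitimate PHP uses eval; a clean result does not show the account is clean, because the check only covers index.php files and symlinks.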
Security Issue - New account...
Posted (edited)

That folder and file listing was not in my directory before today...

 

I deleted some of the files I found that related to my site but everything else is as I discovered it an hour or so ago.

 

You didn't find that file when you looked yesterday?

 

Thanks again and hopefully this info can help prevent future security issues

Edited by skully
Posted

The link you provided gave me this message...

 

Sorry, we couldn't find that!

[#103139]

You do not have permission to view this forum.
