[Solved] Suspended: etilkdoo

[etilk]

I was not able to login to server and it is now suspended. Can you renew my account?

a. HelioHost username: etilkdoo
b. server your account is on: Tommy
c. HelioHost main domain: etilk.com

 

 

[Luigi123]

I will check your account later when I get to my PC.

[wolstech]

This account has a compromised CMS installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended.

 

An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for Phishing.

 

As a reminder, when selecting a CMS, we highly recommend that users not use WordPress. WP and it's extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.

[etilk]

Thanks god I have backup. But how do I prevent this if I cannot migrate from WordPress? With more often updates?

Also on what email account did you sent me invitation. Emails at @etilk.com are hosted here on suspended account. So can you send it to jakob.hostnik@gmail.com?

 

Thank you

Edited July 29, 2018 by etilk

[etilk]

Oh and also can you explain what is AnonymousFox hack to me. I was not able to find anything useful about it on Google.

We had troubles with brute force attacks on our sites. But they were trying to guess password for not existing usernames. Then we just blocked IPs that are not from our country.

 

Can you tell me since when we could be affected with malware. So I can restore right backup. When I check our backups and diffs (we do backup using git) there is nothing unusual in our backups.

 

Thank you

[etilk]

Oh wait! I found new user in database... Do you have an idea how they did that?

[etilk]

Can you at lest send me server logs about that attack? So we can follow attacker?

And can you give me an advice how to prevent such attacks, because I do not know where leak was.

 

Thank you.

Edited July 29, 2018 by etilk

[etilk]

One possible way that I see is directly through ftp. Do you have any brute force attack protection on ftp? Because it was not brute force directly on WP site it would notify me.

[wolstech]

The anonymous fox hack is believed to work using an unfixed security hole in the WP core. People have had WP hacked using fully updated installs with no extensions and nothing else on the account. There is no fix for WP at this time aside from not using WP.

 

The hack also seems to affect older Joomla, but not the latest versions (we found one of the folder/script setups used by "F0x" as he calls himself on a compromised account, he had a few Joomlas in the target lists, but inspection shows only 2 of the hacks succeeded, both were running 1.x).

 

Once infected, the hack does spread outside the WP install. The WP install itself will have a tampered index.php, random number files in the folders, tampered htaccess, the user in the DB, and sometimes a phishing site or spambot buried in the themes or WP-admin folder. The index.php in the root of public_html is also usually malicious, a php.ini usually appears (doesn't do anything on our server), and sometimes you'll find folders called index and config that are also full of malware. The random number php files can also appear just about anywhere. Some users have reported a hidden folder called .F0x appearing in public html or their home dir too.

 

We don't have any logs that can be released due to sensitive information. The hack can be found online though. Google "AnonymousFox Wordpress" and you'll find others reporting the same hack on other hosts and the WP boards.

 

Yes we have brute force protection. It blocks your IP after 5 bad attempts in a 1 hour span. He would need a botnet to meaningfully brute force anything.

 

Invite resent. Please check your spam, they sometimes end up in there.

[etilk]

Thank you very much!

I contacted police and it would be great if I can send them logs. Can you send it to me? Or will you send it directly to them?

I found your email in spam. But because your form automatically fills my username I sent wrong username. jakobhos instead of etilkdoo. This is important, because we cannot modify whole backup system. Can you delete account jakobhos and send me new invite?

Also can you delete some old account jackyyes. Because of it I cannot link this forum account to etilkdoo.

Thank you very much.

[wolstech]

You won’t be able to reuse your username since it’s attached to the banned account and cannot be removed without deleting the account (which destroys the hacking evidence inside).

 

I can delete your new account and resend the invite if you wish, but the new account will ultimately need to have a different username anyway. Do you want me to this?

 

As for the logs, can you make a separate post for that regarding the police wanting logs? Krydos would be the one to handle that if possible, and he would want them to contact us directly if they’re interested in any logs.

[etilk]

OK. Can you then delete jakobhos account and I will create new one with different username. Thank you.

[wolstech]

This needs to be fixed before I can delete this and resend the invite to you: https://www.helionet.org/index/topic/33702-website-down/

[wolstech]

Account removed and new invite sent