Fsmv2 Posted August 9, 2018
Username: fsmv
Domain: sapium.net
Server: not sure, maybe Tommy?
Byron Posted August 10, 2018
This account has a compromised CMS installation that has been affected by the recent AnonymousFox hack and cannot be unsuspended. An invitation will be sent to you shortly so you can create a new account. Please restore your data using a backup. The data from your old account cannot be recovered or returned to you due to the possibility of the account having been used for Phishing.
As a reminder, when selecting a CMS, we highly recommend that users not use WordPress. WP and its extensions are notorious for having security issues such as the one you (and everyone else on Tommy) experienced, and it has the worst security track record of any CMS out there. Using a different program will help prevent this from happening again.
Fsmv2 (Author) Posted August 10, 2018
Man, that's unfortunate. Thanks for staying on top of the vulnerabilities. It's better to have it taken down than have my site used for malicious purposes. I had been meaning to take it off WordPress and make a static copy of the site for posterity. I guess I waited too long.
Do you have a link about this hack? I couldn't seem to find anything online. Do you think that the attacker may have scanned all HelioHost sites for WordPress? Hopefully they have not compromised anything other than some WordPress sites. My website was linked in very few places online (basically only my profiles), so I'm sort of surprised it was even found. I suppose it's possible they scanned all of IPv4 for WordPress sites.
wolstech Posted August 11, 2018
WP themselves have been making an effort to actively deny this hack happened. They deleted numerous posts on their forums, and the HackerOne reports just get closed saying no bug found... Meanwhile, just about every single WP on Tommy got hacked. We found an account that we believe was the launch point for the attack. For WordPress, it's known to work on the latest version with no extensions installed. There are reports of it from other users and hosts on WP's site back to June of 2017, so this has been around for a while and remains unfixed.
The results of the attack are malware shells all over, modified index.php, and a php.ini file being dropped in several folders (useless on our servers, we don't allow ini overrides). Some accounts have a folder called index or config dropped in their public_html, generally also containing the above malicious files. Accounts that were actually used by the attacker after infection generally had a PayPal phishing site set up somewhere within wp-admin or the themes folders. A number of them also had a spambot known as leafmailer uploaded, which was then used to send phishing emails to get people to visit the aforementioned phishing websites.
We began noticing the issue when tons of people were suddenly being suspended for high load or too many emails... then abuse reports for the phishing sites started coming in and we were having to hand out phishing bans to a large number of our longtime users' accounts. That's when we investigated and determined it was a mass hack... since the hack was easily detectable on an account, a mass-ban of all hacked accounts promptly followed.
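The artifacts listed in the post above lend themselves to a simple per-account sweep. The following is an added example, not part of the thread and not the host's own tooling: the matching rules (file names containing "leafmailer", "paypal" in a path under wp-admin or wp-content/themes, a known-good SHA-256 for index.php) are assumptions, and the sample tree is constructed.

```python
import hashlib
import os
import tempfile

DROPPED_DIRS = {"index", "config"}  # folder names mentioned in the post
# Assumption: a phishing kit is spotted by "paypal" in a path under these folders.
PHISH_PARENTS = ("wp-admin" + os.sep, os.path.join("wp-content", "themes") + os.sep)

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def scan_account(public_html, baseline=None):
    """Return sorted (reason, relative_path) findings for one account.
    baseline maps a relative index.php path to its known-good SHA-256."""
    baseline = baseline or {}
    findings = []
    for name in os.listdir(public_html):
        if name in DROPPED_DIRS and os.path.isdir(os.path.join(public_html, name)):
            findings.append(("dropped-folder", name))
    for root, _dirs, files in os.walk(public_html):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, public_html)
            low = name.lower()
            if low == "php.ini":
                findings.append(("php.ini-drop", rel))
            if "leafmailer" in low:  # assumption: the mailer keeps its name
                findings.append(("leafmailer-name", rel))
            if "paypal" in rel.lower() and rel.startswith(PHISH_PARENTS):
                findings.append(("paypal-under-wp", rel))
            expected = baseline.get(rel)
            if low == "index.php" and expected and sha256_file(full) != expected:
                findings.append(("index.php-modified", rel))
    return sorted(findings)

def build_sample(root):
    """Write a constructed sample account tree (not real data) under root."""
    files = {"index.php": "<?php // tampered", "php.ini": "", "config/php.ini": "",
             "wp-admin/paypal-login/index.php": "",
             "wp-content/themes/x/leafmailer.php": "",
             "wp-content/themes/x/style.css": ""}
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        clean = hashlib.sha256(b"<?php // clean").hexdigest()
        for reason, rel in scan_account(tmp, {"index.php": clean}):
            print(f"{reason:20} {rel}")
```

A hit is a reason to inspect the account by hand, not proof of compromise: legitimate sites can ship their own php.ini or a config folder.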
Fsmv2 (Author) Posted August 11, 2018
I think I will take this opportunity to say thanks for doing this all these years, you guys are amazing. Great to see people just doing good in the world. I'm finally going to send a donation and move to paid hosting to free up the space for some young programmer who can't pay for hosting yet like I once was.
Thanks for the information too. That sounds like a pretty serious hack. Hopefully people aren't just restoring WordPress and getting hacked again.
Edited August 11, 2018 by Fsmv2