wolstech posted July 21, 2018:

So, I'm seeing a lot of this today. WordPress installs on Tommy are getting hacked left and right. I even got mine hacked when it was fully up to date with no plugins beyond a port checker. Even weirder is that the cPanel password of a compromised account is being changed too. Mine changed, and I know it was not the same password as WP was. The thing I've noticed is that it's very consistent. All affected accounts so far (rax2, z9xdream, danval, usr8481, metals) are:

- On Tommy
- Running WordPress
- Have had their cPanel password changed by the hacker
- Have had their WP hacked and a backdoor/shell installed
- Username in WP is changed to "AnonymousFox"

I described the visible effects of a hacked WP here (as seen on my own account): https://www.helionet.org/index/topic/33543-suspended/?do=findComment&comment=150433

Any ideas on this?
yashrs posted July 21, 2018:

Same with me
Krydos posted July 21, 2018:

It looks like metals was the first WordPress hacked externally, and then he used a scanner on that account to look for other WordPress installs. If you don't remember, metals was the account that was causing massive issues on Tommy and was banished to Johnny for quite a while because of it.
yashrs posted July 22, 2018:

> It looks like metals was the first WordPress hacked externally, and then he used a scanner on that account to look for other WordPress installs. If you don't remember, metals was the account that was causing massive issues on Tommy and was banished to Johnny for quite a while because of it.

How can he scan other users' files?
wolstech (author) posted July 22, 2018:

I'm betting he scraped DNS and searched for other domains running WP with the same IP. I can't think of any way he'd be able to browse across accounts locally. One user won't have access to another's home folder.
skully posted July 22, 2018:

AnonymousFox info / screenshot I got from Wordfence....
eeze posted July 22, 2018:

Immediately after my account was compromised, a verification HTML file was added to public_html associated to Google Search Console. The Google account user that was added as an owner was umartynukalia65@gmail.com
wolstech (author) posted July 23, 2018:

Looks like the compromise's purpose was not just phishing emails with that leafmailer.php, but they're setting up the actual phishing websites on them as well. I suspect a lot of our Tommy users who aren't aware of this hack are about to get phishing bans. I just banned an account that had a phishing site uploaded (Bank of America phishing). I checked its databases and confirmed that it was indeed AnonymousFox'd. This guy had his account for a year. His domain is now flagged on Google as Deceptive as well...

/home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018/worxsz/Validation/step6.php
/home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018/worxsz/b400207e72aeab4eeffc53d317b8f5d6/step6.php
/home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018/worxsz/25fd28df336fcf7ae0fd51a5881a7b91/step6.php
/home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018/worxsz/dc4a49c1f699bf96baae178003c659a9/step6.php
/home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018/worxsz/c9b235e46164fa42699a51a44b192fbf/step6.php
/home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018/worxsz/4c9fabe8e899cf54cabeb8952e56682d/step6.php
/home/droidsta/public_html/wp-admins/euihdus/ewudhuwohdojas/bofa.sec.2018/bofa.sec.2018/worxsz/bdfc473696eadceec723041abd35d4ef/step6.php
skully posted July 23, 2018:

Just found hacked config, index, and htaccess files on the main cPanel account, separate from the WordPress folder. Searched for files changed on July 20th (day of hack) and these came up (see below). I also found a perl5 folder in the directory that was modified on that date?

One more question... I have these listed in email accounts that I did not create... Is it being used as a spam mailer, and should I delete them?

infoserver@skullythepirate.com
smtp@skullythepirate.com

Need instructions on how to delete these and replace with valid files.
wolstech (author) posted July 23, 2018:

That htaccess is normal; those two folders with the random number files and php.ini are malware and should be deleted in their entirety.
skully posted July 23, 2018:

The two email addresses I listed in the previous post...

infoserver@skullythepirate.com
smtp@skullythepirate.com

I didn't create them... can they be deleted, or are they needed by the email system?
wolstech (author) posted July 23, 2018:

Nope. Both are likely from the malware. If they aren't yours, remove them. If you check them, I'll bet they have phishing mails in their sent folder.
skully posted July 23, 2018:

I was able to delete the smtp@skullythepirate.com address. Here is the error message I get when I try to delete the other (infoserver@skullythepirate.com):

(XID td9nxu) You do not have an email account named “infoserver@skullythepirate.com”.
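The thread's triage boils down to two checks the affected users did by hand: list everything under the web root that changed on the day of the hack (skully's "files changed on July 20th"), and look for the names that keep showing up in this thread (leafmailer.php, step6.php, a bogus "wp-admins" directory, a stray "perl5" directory, and eeze's Search Console verification file). The script below is an added example written for this thread; it is not HelioNet's or cPanel's own tooling. The "google*.html" pattern for Search Console verification files is an assumption about how those files are named, and the sample directory in the usage comment is a placeholder. It uses only POSIX find and touch so it runs on a shared host without GNU extensions.

```shell
#!/bin/sh
# Added triage helper (not from the thread): report files under a cPanel web
# root that were modified on a given day, and flag paths whose names match
# indicators mentioned in the thread. Findings are for review, not auto-delete.
# Usage: sh triage.sh /home/USERNAME/public_html 20180720   (placeholder path)

# Print regular files whose mtime falls on DAY (YYYYMMDD). Two temporary
# reference files bracket the day so plain POSIX "find -newer" can be used.
modified_on_day() {
    root="$1"
    day="$2"
    start=$(mktemp) || return 1
    end=$(mktemp) || return 1
    touch -t "${day}0000" "$start"        # 00:00:00 on DAY
    touch -t "${day}2359.59" "$end"       # 23:59:59 on DAY
    find "$root" -type f -newer "$start" ! -newer "$end"
    rm -f "$start" "$end"
}

# Print paths whose names match indicators seen in the thread:
#   leafmailer.php / step6.php  -> spam mailer and phishing kit pages
#   google*.html                -> Search Console verification file (assumed name pattern)
#   wp-admins / perl5 (dirs)    -> directories reported as dropped by the attacker
indicator_hits() {
    root="$1"
    find "$root" \( -type f \( -name 'leafmailer.php' -o -name 'step6.php' -o -name 'google*.html' \) \
                 -o -type d \( -name 'wp-admins' -o -name 'perl5' \) \) -print
}

# Run both reports for a root and a day.
triage_webroot() {
    echo "== Files modified on $2 under $1 =="
    modified_on_day "$1" "$2"
    echo "== Indicator matches under $1 =="
    indicator_hits "$1"
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ "$#" -eq 2 ] && [ -d "$1" ]; then
    triage_webroot "$1" "$2"
fi
```

Anything the script lists still needs a human look: a legitimate plugin update on the same day will show up in the first report, and a real Search Console file you added yourself will show up in the second. Cross-check hits against the WordPress user table (the thread's "AnonymousFox" username) and the cPanel email account list before deciding what to remove.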