[Hacking] Wordpress Usernames Constantly Changing to Hacker Nicknames

Gunter Member
edited December 2013 in Help

I'm on BlueVM shared hosting, and I feel like this might be an error on BlueVM's side so I'm not totally sure. It's occurring for both me and my reseller clients.

But I'm a bit confused about how to remedy this issue. Every time I create a new user to replace "bu", the usernames change back to "bu" within 24 hours.

I'm not totally sure if it's a plugin that's doing it; is there any way of ensuring it isn't BlueVM's fault or a plugin?


Comments

  • @darknyan said:
    I'm not totally sure if it's a plugin that's doing it; is there any way of ensuring it isn't BlueVM's fault or a plugin?

    Disable all plugins and check?

    C, Bash, Perl, Python, PHP, and JS hobbyist. VPS collector. Blog

  • Have you sent in a support ticket?

  • @darknyan said:
    It took me a few days to update to Wordpress 3.8

    I'm not saying 3.7.x was insecure. 98+% of the time it's due to a bad plugin, theme, permissions, insecure password, etc.

  • More often than not it's the plugins you're using rather than the core WordPress files.

    Try running a sandbox site or two and test them out for security before you re-build your main site.

    Taking a hiatus.

  • I reinstalled my main website. I'll wait and see if it benefits me.

    thank you for your help, especially you @Grainga for linking me

  • Gunter Member
    edited December 2013

    I was hacked again today with the username: Sjsalim

    Sjsalim is the name of a script kiddie who has uploaded numerous hacking tutorials on YouTube.

    The only plugins I have (including inactive) are: Akismet, WordPress Importer, All In One SEO Pack, Jetpack, and jsDelivr. All of them are trusted plugins.

    I have only 1 theme apart from the included Wordpress themes, and it's entirely different from the original theme I had.

    I have a feeling that BlueVM is leaving some kind of hole open, is that likely?

  • BlueVM Member
    edited December 2013

    That'd be highly unlikely or else we'd have 6,000+ reports of "my website was hacked"...

    Also our main website is hosted on the exact same setup (e.g. a template clone) as all of our shared nodes.

    We have CSF, weekly system scans, abuse detection, SuPHP and many other security measures in place... more than most companies bother to setup. I'd suggest having us terminate your account and recreate it and see if that solves your problem.

    BlueVM | 20% Off For Life => Coupon Code: FEBRUARYSPECIAL
  • @BlueVM said:
    That'd be highly unlikely or else we'd have 6,000+ reports of "my website was hacked"...

    Also our main website is hosted on the exact same setup (EG: template clone) as all of our shared nodes.

    I'm looking through his YouTube trying to figure out how he did it.

  • BlueVM said: I'd suggest having us terminate your account and recreate it and see if that solves your problem.

    That's really kind of you :)
    I'll backup my customer and we're set to go.

  • @darknyan - I'll need you to PM me your ticket number though... I recall answering one ticket this morning about a wordpress site issue, but I don't recall the number unfortunately.

  • Gunter Member
    edited December 2013

    @BlueVM said:
    darknyan - I'll need you to PM me your ticket number though... I recall answering one ticket this morning about a wordpress site issue, but I don't recall the number unfortunately.

    Done and Done.

    Are you willing to tell us the nature of the ticket you mentioned?

  • @darknyan - It appears your ticket was in fact the ticket I was talking about... it also appears I read it, but did not respond, I wanted to check a few things first.

  • @darknyan - I recreated your account. I HIGHLY suggest you attempt to run the WordPress install with no plugins for a few days and see how it goes.

    Also I just checked and on your server there are 143 WordPress installs via Softaculous. I did a random viewing of 10 of them just to see if they'd been hacked, but they appear fine.

  • Rallias Member, Provider
    edited December 2013

    To me it looks like a site called narviaexperiment.com has a shell on it. Was it hacked and not scrubbed?

  • Look at the plugin -- http://wordpress.org/plugins/wordfence/

    • Scans core files, themes and plugins against WordPress.org repository versions to check their integrity. Verify security of your source.

    • Scans for many known backdoors that create security holes including C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx and many many more.

  • Gunter Member
    edited December 2013

    @BlueVM said:
    darknyan - I recreated your account. I HIGHLY suggest you attempt to run the wordpress install with no plugins for a few days and see how it goes.

    Also I just checked and on your server there are 143 WordPress installs via Softaculous. I did a random viewing of 10 of them just to see if they'd been hacked, but they appear fine.

    The websites were not defaced at all.

    The usernames and passwords constantly kept changing.

    I will be running the website without any plugins for a couple of days.

  • @darknyan - I understand that; I checked their wp_user tables.

  • @BlueVM said:
    darknyan - I understand that; I checked their wp_user tables.

    Then odds are I'm just the only one.

  • Gunter Member
    edited December 2013

    Once again, both my websites have been hacked.

    This time the only plugin I had enabled was Akismet. The theme and plugin aren't to blame; at this point I'm entirely confused about what to do.

    By this point, I'm convinced that BlueVM is doing something wrong or forgot to update MySQL. Sadly I have no conclusive proof.

    BlueVM, is there any way whatsoever this could be related to your web hosting service? I'm not inclined to blame you but I'm pretty much lost at what I did wrong.

    not trying to ruin your reputation. just trying to get to the bottom of this.

    Hell, maybe I should just ask him how he did it.

  • Are the FrontPage extensions or WebDAV turned off?

  • @darknyan did you install your WP directly from WordPress site or did you upload the WP from your PC.

    In case you uploaded from your PC, there is a fat chance that the copy from your PC is infected with backdoor.

    Happy to be alive and kicking!

  • wych Member
    edited December 2013

    Are you using the default theme?

    Do you use any security plugins to prevent brute force attacks?

  • @vRozenSch00n said:
    darknyan did you install your WP directly from WordPress site or did you upload the WP from your PC.

    In case you uploaded from your PC, there is a fat chance that the copy from your PC is infected with backdoor.

    I used Softaculous.

    ErawanArifNugroho said: Are the FrontPage extensions or WebDAV turned off?

    Frontpage is not installed and I don't think WebDav would be an attack vector in this case.

  • Are you using the default theme?

    One of the websites was using the default theme (no plugin but Akismet) and another was using Hum.

    I don't think Theme has any significance in this case.

  • darknyan said: I used Softaculous.

    After installing from softaculous, did you directly update your WP?

  • Gunter Member
    edited December 2013

    @vRozenSch00n said:
    After installing from softaculous, did you directly update your WP?

    Softaculous directly installs the latest version of WordPress, which is 3.8.

    There was no prompt to update Wordpress.

    When logged in, it informs me that I have the latest version.
    And

    "Last checked on December 16, 2013 at 11:53 pm."

  • If it was something from our system the other ~100 WP installs would all be infected.

  • Rallias Member, Provider
    edited December 2013

    To be honest, I've not seen ANYTHING to indicate potential compromise on BlueVM's end. And trust me when I say that I've looked hard for such evidence.

    On the other hand, narvinainvestment.com is on DimeNOC servers, so I'm thinking they have a case to deal with.

  • vRozenSch00n Member
    edited December 2013

    darknyan said: softaculous directly installs the latest version of Wordpress, which is 3.8.

    There was no prompt to update Wordpress.

    If you have time, try to reinstall it directly from WordPress if it is still hacked, then there is a possibility that someone in your node has a shell access that can compromise the neighboring account.

  • There's definitely no conclusive evidence on BlueVM's side, so it's probably not their fault, but at this point, I'm pretty much lost at the attack vectors.

  • @vRozenSch00n said:
    If you have time, try to reinstall it directly from WordPress if it is still hacked, then there is a possibility that someone in your node has a shell access that can compromise the neighboring account.

    I'll try out directly installing without the assistance of Softaculous then.

  • Is your control panel Kloxo or cPanel?

  • Rallias Member, Provider

    darknyan said: I'll try out directly installing without the assistance of Softaculous then.

    If you're on freenode, ping me the moment it happens so I can look at fresh log data and see the path of intrusion. Judging from the looks of things, I very much think there's lax security at fault somewhere.

  • tchen Member
    edited December 2013

    @darknyan said:
    There's definitely no conclusive evidence on BlueVM's side, so it's probably not their fault, but at this point, I'm pretty much lost at the attack vectors.

    Check your PC, THEN reset your email passwords.

  • @vRozenSch00n said:
    Is your control panel Kloxo or cPanel?

    On Shared cPanel I think.

  • wych said: On Shared cPanel I think.

    That eliminates one of the possible entry points.

  • Gunter Member
    edited December 2013

    @tchen said:

    I scanned it last night as a precaution with Avast!

    Of course, it's entirely possible the malware is FUD though.

    Rallias said: If you're on freenode, ping me the moment

    Sure, what's your freenode username?

    Thanks too!
    It happens virtually every night.

  • Could be some skid having gained access to your computer using a RAT...

  • Rallias Member, Provider

    darknyan said: Sure, what's your freenode username?

    It's rallias or gasseus (depends if freenode keeps stable).

  • Last time, when I was using SemoWeb reseller hosting, my website kept getting hacked, because one of my friends was using WordPress, and his site was hacked again and again.

    But after I moved the website to my own cPanel server, it's safe. The problem was the FrontPage extensions and WebDAV.

  • @darknyan with @Rallias you are in good hands.

  • Gunter Member
    edited December 2013

    @c0y said:
    Could be some skid having gained access to your computer using a RAT...

    Yeah, it might be the best idea to completely reset my computer.

    Though all my other accounts and passwords are just fine. It's really just Wordpress being affected.

  • bdtech Member
    edited December 2013

    Lock down wp-login to your IP (or htpasswd), reset all your WP config salts, change your passwords for WP and SFTP; then run wordfence
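
An added example (not bdtech's code, and not WordPress's own generator) of the "reset all your WP config salts" step above: a Python script that rotates the eight AUTH/SALT constants in wp-config.php locally. Every WordPress login cookie is signed with these constants, so replacing all eight logs out every session at once, including any the intruder is holding, which is why it belongs next to the password change. WordPress normally fetches fresh values from https://api.wordpress.org/secret-key/1.1/salt/; this script generates them with Python's secrets module instead, so it also works from a shell on a host with no outbound HTTP. The wp-config.php fragment it runs on is constructed, and the character set used for the new values is this script's own choice, not WordPress's exact set.

```python
"""Rotate the WordPress authentication keys and salts in wp-config.php.

Added example: replaces the define() lines for the eight constants in place
(and inserts any that are absent before the "stop editing" marker), returning
the rewritten file text and the new values.  SAMPLE_CONFIG is a constructed
wp-config.php fragment used to demonstrate it offline.
"""
import re
import secrets
import string

KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable ASCII minus whitespace and the three characters that would need
# escaping inside a single-quoted PHP string (our own choice of alphabet).
ALPHABET = "".join(c for c in string.printable
                   if c.isprintable() and not c.isspace() and c not in "'\"\\")

# define('NAME', 'value');  with either quote style and optional spaces.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Za-z_][A-Za-z0-9_]*)\1\s*,\s*(['"])(?P<value>[^'"\n]*)\3\s*\)\s*;"""
)

STOP_MARKER = "/* That's all, stop editing!"


def new_salt(length=64):
    """64 characters from ALPHABET, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def parse_defines(config_text):
    """Map of string-valued define() constants found in a wp-config.php."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config_text)}


def rotate_salts(config_text, names=KEY_NAMES):
    """Return (rewritten_config, {name: new_value}).

    Existing define() lines for the eight constants are replaced in place;
    any that are absent (older installs sometimes lack NONCE_SALT) are inserted
    just before the "stop editing" marker, or appended if the marker is missing.
    Other defines such as DB_NAME are left untouched.
    """
    fresh = {n: new_salt() for n in names}
    seen = set()

    def replace(m):
        name = m.group("name")
        if name not in fresh:
            return m.group(0)
        seen.add(name)
        return "define('%s', '%s');" % (name, fresh[name])

    out = DEFINE_RE.sub(replace, config_text)
    absent = [n for n in names if n not in seen]
    if absent:
        block = "".join("define('%s', '%s');\n" % (n, fresh[n]) for n in absent)
        idx = out.find(STOP_MARKER)
        out = out[:idx] + block + out[idx:] if idx != -1 else out.rstrip("\n") + "\n" + block
    return out, fresh


# Constructed wp-config.php fragment: stock placeholders, one value that looks
# like a real key (which is the one an intruder may already hold), and
# NONCE_SALT deliberately missing.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wp_demo');
define('DB_USER', 'wp_demo');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define( 'AUTH_SALT', "0ld-K3y-ThatTheAttackerMayHave" );
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('WP_DEBUG', false);
$table_prefix = 'wp_';
/* That's all, stop editing! Happy blogging. */
require_once(ABSPATH . 'wp-settings.php');
"""

if __name__ == "__main__":
    rewritten, values = rotate_salts(SAMPLE_CONFIG)
    print(rewritten)
```

On a live site, read wp-config.php into rotate_salts(), write the result back over the file (keep a copy first), and then change the WordPress and SFTP passwords; do the salt rotation after the file-level cleanup, since a backdoor left in the tree can simply read the new values again.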

  • darknyan said: I scanned it last night as a precaution with Avast!

    Of course, it's entirely possible the malware is FUD though.

    Try Malwarebytes.. it found zeus virus on my computer when avast could not.

    http://www.malwarebytes.org/

  • @earl said:

    Will do.

    Will also get Google Authenticator because I'm tired of having to deal with password attacks.

  • BrianHarrison Member, Provider

    @darknyan said:
    There's definitely no conclusive evidence on BlueVM's side, so it's probably not their fault, but at this point, I'm pretty much lost at the attack vectors.

    You are running your own VPS correct? If so, setup a robust set of mod_security rules (AtomicCorp rule sets are good). You might be able to block the attack and then review your logs to identify precisely what they were targeting. I'd guess they're exploiting some sort of vulnerable plugin.

    Reprise Hosting (AS62838) Intel Xeon L5520, 1TB SATA, 4GB RAM, 10TB BW, $27/mo with DED10 promo! Cheap dedicated servers.
    VPSHostingDeal.com - Low-cost self-managed OpenVZ + Xen cheap VPS hosting. Plans starting at $12 PER YEAR! Cheap VPS.

  • Recaptcha can help secure the login form against brute force attacks.

  • Gunter Member
    edited December 2013

    It's definitely not a plugin, unless Akismet had a huge security flaw and the guy wasn't a script kiddie.

    I'm using shared hosting from BlueVM. Excellent provider by the way.
