[Hacking] Wordpress Usernames Constantly Changing to Hacker Nicknames - Page 2
Comments

  • vRozenSch00n Member
    edited December 2013

    darknyan said: softaculous directly installs the latest version of Wordpress, which is 3.8.

    There was no prompt to update Wordpress.

    If you have time, try to reinstall it directly from WordPress; if it is still hacked, then there is a possibility that someone in your node has shell access that can compromise the neighboring account.

  • There's definitely no conclusive evidence on BlueVM's side, so it's probably not their fault, but at this point, I'm pretty much lost at the attack vectors.

  • @vRozenSch00n said:
    If you have time, try to reinstall it directly from WordPress; if it is still hacked, then there is a possibility that someone in your node has shell access that can compromise the neighboring account.

    I'll try out directly installing without the assistance of Softaculous then.

  • Is your control panel Kloxo or cPanel?

  • darknyan said: I'll try out directly installing without the assistance of Softaculous then.

    If you're on freenode, ping me the moment it happens so I can look at fresh log data and see the path of intrusion. Judging from the looks of things, I very much think there's lax security at fault somewhere.
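
Added example (not part of any post in this thread, and not the participants' code): one way to triage the "fresh log data" mentioned above, assuming an Apache combined-format access log. The sample log lines, IP addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE_LOG = """\
198.51.100.7 - - [14/Dec/2013:02:11:03 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.7 - - [14/Dec/2013:02:11:09 +0000] "POST /wp-admin/profile.php HTTP/1.1" 302 - "http://example.test/wp-admin/profile.php" "Mozilla/5.0"
203.0.113.20 - - [14/Dec/2013:02:15:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.20 - - [14/Dec/2013:09:30:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
192.0.2.44 - - [14/Dec/2013:03:47:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/7.30"
192.0.2.44 - - [14/Dec/2013:03:47:15 +0000] "POST /wp-admin/user-edit.php?user_id=1 HTTP/1.1" 200 812 "-" "curl/7.30"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Endpoints that can authenticate a user or modify accounts.
WRITE_PATHS = re.compile(r'^/(wp-login\.php|xmlrpc\.php|wp-admin/)')

def write_requests(log_text, start_hour=0, end_hour=6):
    """Group POSTs to WordPress auth/admin endpoints by client IP,
    limited to the overnight window [start_hour, end_hour)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and WRITE_PATHS.match(path) \
                and start_hour <= when.hour < end_hour:
            hits[ip].append((when.isoformat(), path, int(status)))
    return dict(hits)

def admin_without_login(hits):
    """IPs that POSTed to /wp-admin/ with no wp-login.php POST in the window:
    a hint that an existing session or another entry point was used."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(p.startswith("/wp-admin/") for _, p, _ in reqs)
                  and not any(p.startswith("/wp-login.php") for _, p, _ in reqs))

if __name__ == "__main__":
    found = write_requests(SAMPLE_LOG)
    for ip, reqs in found.items():
        print(ip, reqs)
    print("admin POST without login:", admin_without_login(found))
```

If the nightly username change lines up with no matching request in the access log at all, the write most likely came through the database or the filesystem rather than through WordPress itself.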

  • tchen Member
    edited December 2013

    @darknyan said:
    There's definitely no conclusive evidence on BlueVM's side, so it's probably not their fault, but at this point, I'm pretty much lost at the attack vectors.

    Check your PC, THEN reset your email passwords.

  • @vRozenSch00n said:
    Is your control panel Kloxo or cPanel?

    On Shared cPanel I think.

  • wych said: On Shared cPanel I think.

    That eliminates one of the possible breach entry points.

  • Gunter Member
    edited December 2013

    @tchen said:

    I scanned it last night as a precaution with Avast!

    Of course, it's entirely possible the malware is FUD though.

    Rallias said: If you're on freenode, ping me the moment

    Sure, what's your freenode username?

    Thanks too!
    It happens virtually every night.

  • Could be some skid having gained access to your computer using a RAT...

  • darknyan said: Sure, what's your freenode username?

    It's rallias or gasseus (depends if freenode keeps stable).

  • Last time, when I was using SemoWeb reseller hosting, my website kept getting hacked, because one of my friends was using WordPress, and his site was hacked again and again.

    But after I moved the website to my own cPanel server, it's safe. The problem is from the FrontPage extension and WebDAV.

  • @darknyan with @Rallias you are in good hands.

  • Gunter Member
    edited December 2013

    @c0y said:
    Could be some skid having gained access to your computer using a RAT...

    Yeah, it might be the best idea to completely reset my computer.

    Though all my other accounts and passwords are just fine. It's really just Wordpress being affected.

  • bdtech Member
    edited December 2013

    Lock down wp-login to your IP (or htpasswd), reset all your WP config salts, change your passwords for WP and SFTP; then run Wordfence.

  • darknyan said: I scanned it last night as a precaution with Avast!

    Of course, it's entirely possible the malware is FUD though.

    Try Malwarebytes... it found the Zeus virus on my computer when Avast could not.

    http://www.malwarebytes.org/

  • @earl said:

    Will do.

    Will also get Google Authenticator because I'm tired of having to deal with password attacks.

  • BrianHarrison Member, Patron Provider

    @darknyan said:
    There's definitely no conclusive evidence on BlueVM's side, so it's probably not their fault, but at this point, I'm pretty much lost at the attack vectors.

    You are running your own VPS, correct? If so, set up a robust set of mod_security rules (AtomicCorp rule sets are good). You might be able to block the attack and then review your logs to identify precisely what they were targeting. I'd guess they're exploiting some sort of vulnerable plugin.

  • Recaptcha can help secure the login form against brute force attacks.

  • Gunter Member
    edited December 2013

    It's definitely not a plugin, unless Akismet had a huge security flaw and the guy wasn't a script kiddie.

    I'm using shared hosting from BlueVM. Excellent provider by the way.

  • @wych said:
    Recaptcha can help secure the login form against brute force attacks.

    Instead of Recaptcha, I decided to use Google Authenticator.

  • Sree Member
    edited December 2013

    @darknyan

    • Re-install WordPress
    • Install Better WP Security plugin
      • apply basic protection
      • Hide your admin area
      • change admin username
      • Prevent long URL strings

    If you are a reseller, your clients can hack your accounts and your clients' accounts by simply uploading a cPanel hacking script.

  • @darknyan said:
    But I'm a bit confused how to remedy this issue. Every time I create a new user to replace bu, the usernames change back to "bu" within 24 hours.

    Maybe you are interested in how to secure your WordPress blog.

  • nunim Member
    edited December 2013

    Atomic rulesets are no longer free =/

  • Try NOT installing Wordpress using Softaculous. Do a manual installation. There may be an issue with how Softaculous does the installation causing security flaws.

  • BrianHarrison Member, Patron Provider

    @nunim said:
    Atomic rulesets are no longer free =/

    Ahh, seems that they stopped offering their delayed ruleset free of charge back in late October. This appears to be a solid alternative: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

    We'd be happy to share our mod_security rule set with any other hosts. Contains additions to protect against WHMCS vulnerabilities.

  • Gunter Member
    edited December 2013

    @Magiobiwan said:
    Try NOT installing Wordpress using Softaculous. Do a manual installation. There may be an issue with how Softaculous does the installation causing security flaws.

    This time, I installed WordPress manually, and with Google Authenticator as well. The overnight hackings stopped immediately. I wouldn't be surprised if Softaculous was responsible, seeing as SQL injection was the most likely attack vector.

    I still imported the Wordpress install into Softaculous to make automated backups.

  • @darknyan - Glad to hear things are working better for you...

  • netomx Moderator, Veteran

    I'm intrigued to know what softaculous is doing

  • @netomx said:
    I'm intrigued to know what softaculous is doing

    I Softaculous-installed once with Google Authenticator and it got hacked regardless.
    When I did a manual install, it just cleared up.
