• Resolved rod

    (@nomadarod)


    Hi,
    My website was hacked some weeks ago. After some cleaning and security measures it has been pretty calm; no more admin users created nor email accounts in Cpanel. But I wonder how can I be sure?

    In the Live Traffic tab in Wordfence I noticed that some coinciding attempts to login were coming from the Netherlands. And I noticed that one of the blocked attempts was this one:
    https://delasciencealassiette.fr/ubpxwlwy.php?Fox=d3wL7

    Can anyone explain why a .php file different from the usuals “.aws/credentials” or “info.php” or “config.js” attempts?

    Can you help me to know what I can do to be assured that there are no infected files that the scan might be missing?

    EDIT: I also found all these visitor entries in clicky analytics:

    10:28 Brazil flag 187.72.192.0 /ubpxwlwy.php
    10:28 The United States flag 72.240.108.0 /ubpxwlwy.php?Fox=d3wL7
    10:28 Poland flag 91.150.166.0 /ubpxwlwy.php?Fox=d3wL7
    10:28 The United States flag 208.53.243.0 /ubpxwlwy.php?Fox=d3wL7
    10:28 The United States flag 205.213.108.0 /ubpxwlwy.php

    Grateful
    Rod

    • This topic was modified 2 years, 6 months ago by rod.

    The page I need help with: [log in to see the link]

Viewing 8 replies - 1 through 8 (of 8 total)
  • Thanks for reaching out.

    The requests to access /ubpxwlwy.php are likely because that file was malicious. It could have allowed someone to open a shell or backdoor so they could access the server. Since I think it has been removed now, the attempts may come but they aren’t doing any good. Attempts to access info.php are trying to see your server configuration. Attempts to see .aws/credentials are looking for any Amazon Web Services access keys and secret access keys. Generally any configuration files like these should not be accessible by browsing to them.

    You can always block the IPs you see in Wordfence if you want. You could also add /ubpxwlwy.php to the option that says “Immediately block IPs that access these URLs” on the Wordfence > Firewall > All Firewall Options page on your website in the Advanced Firewall Options section.

    Since you know you were compromised, I’ll add this. You can use Wordfence to clean your site. There is a guide available here that can help walk you through the process. Even if you have already cleaned the site, the guide is a helpful step by step so you make sure you didn’t overlook anything.

    Make sure and get all your plugins and themes updated and update WordPress core too. If you are on an older branch (WordPress 4.x etc) because you wanted to wait before installing the latest version because of Gutenberg or a custom theme compatibility you still need the latest update in that version. Those can be found here:
    https://www.ads-software.com/download/releases/
    WordPress sometimes even patches their older releases if a vulnerability that was found so make sure to update your version if needed.

    As a rule, any time I think someone’s site has been compromised I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database.

    Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.
    https://wordfence.com/learn

    If you are unable to clean this on your own there are paid services that will do it for you. Wordfence offers such a service for this. Regardless if you choose to clean it yourself or let someone else do so, we recommend that you make a full backup of the site beforehand.

    I hope this helps.

    Tim

    Thread Starter rod

    (@nomadarod)

    Hi Tim,

    I guess this type of thing was entering through my site’s installation through that file then? And maybe it still got in later, after I added Wordfence and changed the passwords, because because the server was already infected?

    Question: If the file would have still been there (inside the public_html folder) would Wordfence still be able to block the attempt? Or I may need another tool that tells me if any modifications were done in the site’s files?

    Thank you for putting it so clear and for the tutorials. I’ll take care of that.

    Feels good to have a few weeks of calm without rechanging all website’s files and CPanel passwords. Thank you for the that great tool of Wordfence.

    Cheers,
    Rod

    Rod

    Entering via that file sounds logical. I checked and we don’t have that particular file name in our threat database but that’s likely because the name is randomly generated on every new infected host.

    If a site is already infected sometimes it will worm its way into many places and hide as best it can. It’s always easier to prevent an infection than to clean it because of that. Still, it can be done. Just follow the steps I sent.

    Tim

    Thread Starter rod

    (@nomadarod)

    Hi Tim,

    I was hopping that the website wouldn’t be infected anymore, as still today I see entries in the live traffic tab of Wordfence as
    ” Netherlands was blocked by firewall for Known malicious User-Agents at https://delasciencealassiette.fr/wqaofwbl.php?Fox=d3wL7
    5/9/2022 11:39:38 AM (2 hours 9 mins ago)”

    But… I also see entries in clicky analytics for yesterday as:
    “`23:29 El Salvador flag 190.5.159.0 /ubpxwlwy.php?Fox=d3wL7”
    the same thing from 3 different IP addresses, that are NOT blocked nor registered in Wordfence.
    I wonder if, as it is registered in Clicky[dot]com but not in Wordfence, it means that it got in?

    I don’t see any such files in the Public_html folder.

    Greetings,
    Rod

    Just because you cleaned the site doesn’t mean you wouldn’t see attempts to access the malicious file. If the file doesn’t exist, they may have visited the site but they only got as 404 file not found error unless you redirect those to a valid page, like the front page for example. Incidentally you shouldn’t do that because then Google will index /ubpxwlwy.php because it gets valid responses. Again, you can block those IPs permanently as you see them come in or not. It’s up to you.

    The first block was for a known malicious user agent but it does reference another page, /wqaofwbl.php so you should probably make sure that isn’t there.

    Tim

    Thread Starter rod

    (@nomadarod)

    Hi,
    Thanks Tim once again for your support. That assured me.

    cheers,
    Rod

    Debes usar cloudflare como primera puerta de acceso, bloquea varios bot conocidos. y con sus reglas descartas varios lugares del mundo donde solo te llega basura

    Al Reaud

    (@catwhisperer4reals)

    That is the lovely ALFA TEaM Shell you were probably infected with.
    https://blog.sucuri.net/2020/11/alfa-team-shell-v4-1-tesla-a-feature-update-analysis.html

    I’ve some scans recently originating from only four IP addresses, all apparent VM’s in the US on MSFT. Somehow they believe they dropped something on my site, or are just generically rooting around. The logs show for one probe cycle (I’ve got them blocked so they get dropped now, after establishing the pattern of the queries):

    20.196.128.67 - - [18/Sep/2022:14:04:49 +0000] "POST /wp-plain.php HTTP/1.1" 404 40378 "www.google.com" "Mozilla/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
    
    20.196.128.67 - - [18/Sep/2022:14:04:50 +0000] "GET /zkcqkcrr.php?Fox=d3wL7 HTTP/1.1" 404 35657 "www.google.com" "Mozilla/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
    
    20.196.128.67 - - [18/Sep/2022:14:22:23 +0000] "POST /ALFA_DATA/alfacgiapi/perl.alfa HTTP/1.1" 404 40378 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
    
    20.196.128.67 - - [18/Sep/2022:14:22:23 +0000] "POST /alfacgiapi/perl.alfa HTTP/1.1" 404 35657 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"

    What’s funny about this one is that it says it is a “Samsung Galaxy”, I believe, however nmap only finds port 3389 open, “Microsoft Terminal Server (RDP)”… [rolleyes]

    • This reply was modified 2 years, 2 months ago by Al Reaud.
    • This reply was modified 2 years, 2 months ago by Al Reaud. Reason: HTML tags don't appear to be workng
    • This reply was modified 2 years, 2 months ago by Al Reaud.
    • This reply was modified 2 years, 2 months ago by Al Reaud.
Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘Anonymousfox hack’ is closed to new replies.