• On the server I have over 200 sites.

    All sites that had “iThemes Security” are hacked, so they admin username (different name but all have id: 2) changed to “indoxploit” and a plugin “iThemes Security” deactivated.

    Only one site where the old version “iThemes Security” not hacked. And it’s activated a change ID 1 in 500. (The user with id 1 has been removed.)

    But this option does not see the new version.

    https://www.ads-software.com/plugins/better-wp-security/

Viewing 3 replies - 1 through 3 (of 3 total)
  • If you have 199 sites hacked out of 200 all on the same server… there is a good change that it has nothing to do with your WordPress sites, plugins, or themes. Its probably more likely that the intruder is already in your server.

    As for where to find the option to change user information, check out this screenshot – https://cl.ly/1M3u2g1w3Z3o

    i am running into this as well. it appears they are only able to compromise sites that have a default table prefix. is this true for you as well?

    i think they know a hole in wp that is not yet disclosed….

    i found an exploit toolkit that had been uploaded to another site that was allowing this mass exploit with what appears to be a buffer overflow

    files to look for if you run into this:
    1337w0rm.php
    adminer.php
    cendol.php
    cikree.php
    idx_config/*txt
    jadi.php
    mk (1).php
    pler.php
    rabbit_grab/*.txt

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Hacked sites with iThemes Security’ is closed to new replies.