Phishing Hacks

Reply Post New Thread In Running a Web Hosting Business Subscription
 
Send news tip View All Posts Thread Tools Search this Thread Display Modes
  #1  
Hello,

Recently files have been added to some accounts under our servers (all WordPress accounts). They all follow the same pattern, as wp-apps.php and wp-configure.php files are added which contain malicious content. I've checked the account which has been affected below and there doesn't seem to be any rogue plugin, or any plugin which is the same as in any other account which has been affected, apart from the default plugins.

Here is part of the log for last night (when the malicious files were added):

*I've starred out personal details such as the domain and username*

Quote:
93.172.144.240 - - [09/Mar/2012:20:12:20 +0000] "GET /wp-apps.php?image=smiley HTTP/1.1" 200 92 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
93.172.144.240 - - [09/Mar/2012:20:12:20 +0000] "GET /wp-apps.php?image=folder HTTP/1.1" 200 90 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
93.172.144.240 - - [09/Mar/2012:20:12:19 +0000] "GET /wp-apps.php HTTP/1.1" 200 110942 "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
93.172.144.240 - - [09/Mar/2012:20:12:42 +0000] "GET /wp-apps.php?image=hidden_file HTTP/1.1" 200 93 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
93.172.144.240 - - [09/Mar/2012:20:12:42 +0000] "GET /wp-apps.php?image=file HTTP/1.1" 200 93 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
93.172.144.240 - - [09/Mar/2012:20:12:42 +0000] "GET /wp-apps.php?image=arrow HTTP/1.1" 200 70 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
93.172.144.240 - - [09/Mar/2012:20:12:42 +0000] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
93.172.144.240 - - [09/Mar/2012:20:12:42 +0000] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
93.172.144.240 - - [09/Mar/2012:20:13:06 +0000] "GET /wp-apps.php?dir=%2Fhome%2Fxxxxxxxx%2Fpublic_html%2Fboo1 HTTP/1.1" 200 10968 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
93.172.144.240 - - [09/Mar/2012:20:13:07 +0000] "GET /wp-apps.php?image=smiley HTTP/1.1" 200 92 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php?dir=%2Fhome%2Fxxxxxxxx%2Fpublic_html%2Fboo1" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
93.172.144.240 - - [09/Mar/2012:20:13:07 +0000] "GET /wp-apps.php?image=folder HTTP/1.1" 200 90 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php?dir=%2Fhome%2Fxxxxxxxx%2Fpublic_html%2Fboo1" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
93.172.144.240 - - [09/Mar/2012:20:13:07 +0000] "GET /wp-apps.php?image=arrow HTTP/1.1" 200 70 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php?dir=%2Fhome%2Fxxxxxxxx%2Fpublic_html%2Fboo1" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
What seems interesting is this line:

Quote:
93.172.144.240 - - [09/Mar/2012:20:13:06 +0000] "GET /wp-apps.php?dir=%2Fhome%2Fxxxxxxxx%2Fpublic_html%2Fboo1 HTTP/1.1" 200 10968 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
It appears, if I am correct, that the hacker is trying to get into the public_html directory to upload/modify files using the wp-apps.php file?

We have fixed all the sites now within minutes of being aware that these files existed, but how can we prevent this from happening in the future? It's happened on at least three occasions and that's three too many... We're using cPanel on CentOS 5.

Really appreciate any help - thanks!

James

__________________
Reddex UK | Affordable, Low-Cost, Reliable & Secure Shared Hosting
99.95% Uptime, cPanel Included, Over 200 Apps, Backup Utility, WordPress,
CloudFlare, 24/7/365 Support, 30 Day Money Back, Social Media Support
Shared Web Hosting | Reseller Hosting
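The log lines above show the pattern a defender can alert on: a PHP file that is not part of WordPress core being served from the web root, followed by file-manager style parameters such as dir= carrying an absolute filesystem path. The following detector is an added example (not the poster's code or any cPanel tooling) that parses Apache combined-format lines and flags both signs; the WordPress root-file allowlist and the parameter-name list are assumptions to be extended per site, and the sample lines are constructed in the shape of the thread's log rather than copied from it.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
# Root-level PHP entry points a stock WordPress install serves (assumption: extend per site).
WP_ROOT_PHP = {"index.php", "wp-login.php", "wp-cron.php", "xmlrpc.php",
               "wp-comments-post.php", "wp-trackback.php", "wp-links-opml.php",
               "wp-mail.php", "wp-signup.php", "wp-activate.php"}
# Query parameter names typical of drop-in file managers and web shells (assumption).
FM_PARAMS = {"dir", "file", "path", "cmd", "edit", "upload", "download"}

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["params"] = parse_qs(parts.query, keep_blank_values=True)  # values URL-decoded
    return entry

def suspicious(entry):
    """Reasons this request looks like file-manager/web-shell use ([] if none)."""
    reasons = []
    segs = entry["path"].strip("/").split("/")
    if (len(segs) == 1 and segs[0].endswith(".php")
            and segs[0] not in WP_ROOT_PHP and entry["status"] == "200"):
        reasons.append(f"unexpected root PHP file served: {segs[0]}")
    for name, values in entry["params"].items():
        if name in FM_PARAMS:
            val = values[0] if values else ""
            hint = " (absolute path)" if val.startswith("/") else ""
            reasons.append(f"file-manager parameter {name}={val!r}{hint}")
    return reasons

def scan(lines):
    # Return (ip, path, reasons) for every parseable line that trips a rule.
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry and (reasons := suspicious(entry)):
            alerts.append((entry["ip"], entry["path"], reasons))
    return alerts

# Constructed sample lines in the pattern from the thread (not the poster's real log).
SAMPLE = [
    '192.0.2.10 - - [09/Mar/2012:20:12:19 +0000] "GET /wp-apps.php HTTP/1.1" 200 110942 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Mar/2012:20:13:06 +0000] "GET /wp-apps.php?dir=%2Fhome%2Fuser%2Fpublic_html HTTP/1.1" 200 10968 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Mar/2012:20:14:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3500 "-" "Mozilla/5.0"',
]
```

Run `scan()` over a day's access_log for each account; any hit on the first rule also tells you which file to quarantine and which account to take a backup of before cleaning.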



  #2  
I know this is the most annoying question, but do you know if all of the WordPress installs/plugins/themes were up to date?

9 times out of 10, WordPress installs being hacked is down to running old versions.

__________________
Zomex - We specialize in > web hosting templates < New responsive template!
We offer the best web hosting templates (WHMCS and/or Wordpress based!)
█ We also provide > WHMCS Configuration < Integration & web hosting business setup

  #3  
All completely up to date on that account, I've just checked.

  #4  
Good day:

Make sure that http://codex.wordpress.org/Hardening_WordPress is done for each WordPress site.

Thank you.

__________________
---
Peter M. Abraham
LinkedIn Profile


  #5  
Apart from the WordPress installation and plugins being up to date, I'll check all the theme folders for the timthumb script. This is usually named timthumb.php or thumb.php. If there's a "cache" directory within the theme folder, it's also a pretty good giveaway.

These outdated scripts have wreaked havoc across quite a number of sites hosted by us, before we coded a script to search for and update this little script.

Open the timthumb script and check the versions. If memory serves, pre-1.28 were an issue, but I would be skeptical of anything lower than version 2.x.

New version can be found here: http://code.google.com/p/timthumb/

It's a bit of a shot in the dark due to the access attempts on the wp-app.php file you mentioned, but I believe it's definitely worth a look.

__________________
The most effective way to host your site
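The theme check described in the post above, written out as an added example (not the poster's own script): it walks a wp-content/themes directory, reports any timthumb.php or thumb.php whose version is below 2.x or cannot be read, and reports "cache" directories inside themes. It assumes TimThumb's version line has the form define ('VERSION', '2.x.y') and builds a constructed sample tree to run against.

```python
import os
import re
import tempfile
# TimThumb 2.x declares its version as define ('VERSION', '2.x.y'); assumed here for
# older copies too. A copy with no parseable version is reported rather than trusted.
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([0-9.]+)['\"]")
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}
MIN_SAFE = (2, 0)  # the thread's rule of thumb: be wary of anything below 2.x

def version_tuple(ver):
    return tuple(int(p) for p in ver.split(".") if p.isdigit())

def timthumb_version(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        m = VERSION_RE.search(fh.read())
    return m.group(1) if m else None

def scan_themes(themes_dir):
    """Return (theme, path relative to theme, version or None, reason) findings."""
    findings = []
    for theme in sorted(os.listdir(themes_dir)):
        top = os.path.join(themes_dir, theme)
        if not os.path.isdir(top):
            continue
        for root, dirs, files in os.walk(top):
            rel = os.path.relpath(root, top)
            if "cache" in dirs:  # a cache dir inside a theme is the usual giveaway
                findings.append((theme, os.path.join(rel, "cache"), None, "cache directory"))
            for name in files:
                if name.lower() not in TIMTHUMB_NAMES:
                    continue
                ver = timthumb_version(os.path.join(root, name))
                if ver is None:
                    findings.append((theme, os.path.join(rel, name), None, "version not found"))
                elif version_tuple(ver) < MIN_SAFE:
                    findings.append((theme, os.path.join(rel, name), ver, "outdated TimThumb"))
    return findings

def build_sample_tree():
    """Constructed wp-content/themes tree: one old copy with a cache dir, one current copy."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "oldtheme", "scripts"))
    os.makedirs(os.path.join(base, "oldtheme", "cache"))
    with open(os.path.join(base, "oldtheme", "scripts", "timthumb.php"), "w") as fh:
        fh.write("<?php\ndefine ('VERSION', '1.25');\n")
    os.makedirs(os.path.join(base, "newtheme"))
    with open(os.path.join(base, "newtheme", "thumb.php"), "w") as fh:
        fh.write("<?php\ndefine ('VERSION', '2.8.1');\n")
    return base
```

On a cPanel box, point `scan_themes()` at each account's public_html/wp-content/themes; a finding with "version not found" deserves a manual look, since a renamed or edited copy is exactly what an automated updater would miss.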


Tags
cpanel, hack, hacked, logs, phishing, wordpress, wp-apps, wp-configure
