We just found this ‘administrator’ in our site – we kicked him out and so should you

There is no escape from it: every day the site is targeted by cybercriminals and script kiddies, and this time it seems one of them found a way in. The good part is that we found him; the sad part is that it happened at all. But oh well, I tracked down some of the footprints that were left behind, and I was able to take action.

On the 18th of December we noticed that the site had been breached. How we noticed this we will not tell, but we will tell you about the indicators of compromise we found.

Weird user account in the WordPress CMS

During the search for indicators of compromise, I noticed that there was an account in the administrators group, an account which I did not add.

The account was named ‘wp.service.controller.FmgKL’. From my experience as a malware researcher I know that malware commonly generates account names with a random suffix, and the ‘FmgKL’ part looks auto-generated. So the first thing I did was search Google for the username, and yes, there was a post on the Google forums stating that this user account is an indicator of compromise (on top of the fact that it was unknown to us and had administrator rights).

.htaccess was edited

The search continued, and we noticed that the .htaccess file in the WordPress folder had been changed. It now contained additional directives, one of which redirected visitors to a traffic distribution system (TDS).

You can view that line here;

RewriteRule ^$ hxxp://luxurytds[dot com]/go.php?sid=1 [R,L]

We have changed http to hxxp and .com to [dot com] just to be certain you do not accidentally click it. Note what the rule does: the pattern ^$ matches only the empty path, so only visitors requesting the front page were sent to the TDS; the R flag turns the rewrite into an external redirect (302 by default) and L stops further rule processing. Anyone landing on a deeper page would see nothing unusual, which is why a change like this can go unnoticed for a while.

Folders were created

In the WordPress folder various folders were created, some of them really suspicious; just take a look at the agr folder and the agr.zip file, and the same goes for gjl, dump and lvg, and then there are the loose .php files.

Each of those folders contained PHP files, template files and a massive list of malicious files.

What action did we take

As you can understand, we had to take some action.

  • We changed the passwords
  • We contacted google
  • We contacted our readers via Twitter, LinkedIn and Facebook
  • We performed a vulnerability scan
  • We reached out to various security professionals for tips
  • We cleaned the site
  • We published this post

What we are going to do

We are going to keep a close watch on the site, and we have something special for the hacker when he comes back.

What you should do

  • Check if your WordPress site has the user wp.service.controller.[random chars]
  • Check your WordPress folder for ‘new’ folders and/or strange folders
  • Check the permissions of your users
  • Check if you have the latest updates and patches
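The checks above, plus the .htaccess check from earlier in this post, as a small POSIX sh script. This is an added example and not code from the original post or from Cyberwarzone: the function names are ours, the sample users, .htaccess lines and directory layout used in the comments are constructed (with example.com as the site's own host and tds.invalid as the redirect target), and the live driver assumes WP-CLI is installed as `wp`.

```shell
#!/bin/sh
# Added example, not code from the original post: POSIX sh triage checks for
# the three indicators described above (the wp.service.controller.* admin
# account, RewriteRule redirects to an outside host in .htaccess, and new
# directories/files in the WordPress root). Sample inputs mentioned in the
# comments are constructed; WP-CLI being installed as `wp` is an assumption.

# 1. Accounts named wp.service.controller.<random>. Reads one "login,roles" or
#    "login<TAB>roles" line per user on stdin and prints the matching ones.
#    The suffix seen in the post was five letters; 4+ alphanumerics are
#    accepted so a small change in the generator is still caught.
#    Constructed input: "wp.service.controller.FmgKL,administrator" matches,
#    "admin,administrator" does not.
flag_suspicious_users() {
    grep -E '^wp\.service\.controller\.[A-Za-z0-9]{4,}(,|[[:space:]]|$)'
}

# 2. RewriteRule lines whose target is an absolute URL on a host other than
#    our own ($1, e.g. example.com). Reads .htaccess on stdin. Legitimate
#    rules normally rewrite to a local path, so any external target deserves
#    a look whatever flags it carries.
#    Constructed input: "RewriteRule ^$ http://tds.invalid/go.php?sid=1 [R,L]"
#    is reported; "RewriteRule ^old$ https://www.example.com/new [R=301,L]"
#    is not when $1 is example.com.
flag_external_redirects() {
    own=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    grep -Ei '^[[:space:]]*RewriteRule[[:space:]]+[^[:space:]]+[[:space:]]+https?://' \
        | grep -Eiv "https?://(www\.)?$own(/|[[:space:]]|\$)"
}

# 3. Top-level directories that a stock WordPress tree does not have
#    (the post lists agr, gjl, dump and lvg). $1 = WordPress root.
list_unexpected_top_level() {
    root=$1
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        case "${d##*/}" in
            wp-admin|wp-content|wp-includes) ;;
            *) printf '%s\n' "${d##*/}" ;;
        esac
    done
}

# 4. PHP files and archives modified in the last $2 days (default 7), anywhere
#    under the root, in a locale-independent order. Core and plugin updates
#    also touch files, so compare the list against your own change log before
#    calling anything malicious.
list_recent_php_and_archives() {
    root=$1; days=${2:-7}
    find "$root" -type f \( -name '*.php' -o -name '*.zip' \) -mtime "-$days" \
        | LC_ALL=C sort
}

# Live driver, e.g.:  triage /var/www/html example.com
# Runs all four checks against an install; the user list comes from WP-CLI
# (assumed to be installed as `wp`).
triage() {
    root=$1; host=$2
    echo "== accounts matching the wp.service.controller.* pattern =="
    if command -v wp >/dev/null 2>&1; then
        wp --path="$root" user list --fields=user_login,roles --format=csv \
            | flag_suspicious_users
    else
        echo "(wp not found; export user_login,roles from wp_users and pipe it to flag_suspicious_users)"
    fi
    echo "== .htaccess rules redirecting off-site =="
    [ -f "$root/.htaccess" ] && flag_external_redirects "$host" < "$root/.htaccess"
    echo "== top-level directories not in a stock install =="
    list_unexpected_top_level "$root"
    echo "== PHP files and archives changed in the last 7 days =="
    list_recent_php_and_archives "$root" 7
}
```

Run it as `triage /path/to/wordpress yourdomain.com` on the web server, or feed exported data into the individual functions if you would rather not run anything on the compromised host. Treat every hit as something to review by hand, not as proof on its own; the point of the script is to make the review fast enough that you actually do it.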

Founder of Cyberwarzone.com.