There is no escape from it: each day the site is targeted by cybercriminals and script kiddies, and this time it seems that one had found a way in. The good part is, we found him; the sad part, it fucking happened. But oh well, I tracked down some footprints that were left, and I was able to take some action.
On the 18th of December we noticed that the site had been breached. How we noticed this, we will not tell, but we will tell you about the indicators of compromise we found.
Weird user account in the WordPress CMS
During the search for indicators of compromise, I noticed that there was an account in the administrators group, an account which I did not add.
The account had the name ‘wp.service.controller.FmgKL’. From my experience as a malware researcher, I know that malware takes advantage of regular expressions to generate names, and the last part of ‘wp.service.controller.FmgKL’ looks auto-generated. So the first thing I did was search Google for the username, and yes, there was a post on the Google forums stating that this user account is an indicator of compromise (in addition to the fact that it is unknown and has administrator rights).
.htaccess was edited
The search continued, and we noticed that the .htaccess file in the WordPress folder had been changed. The .htaccess file now contained additional values, and one of those values directed towards a traffic distribution system.
You can view that line here:
RewriteRule ^$ hxxp://luxurytds[dot com]/go.php?sid=1 [R,L]
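To turn the two indicators above (an unknown administrator account with an auto-generated-looking name, and a RewriteRule in .htaccess redirecting to a traffic distribution system) into a repeatable check, here is a small audit script. It is an added example, not code from the post or from the site in question; the .htaccess content, user list, site hostnames (example.org) and known-admin list are constructed assumptions, and the defanged redirect line is the one quoted above.

```python
import re
from urllib.parse import urlparse

# --- Constructed sample data (not taken from the breached site) ---------------
# A default WordPress .htaccess with one appended line that mirrors the
# defanged redirect quoted in the post.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteRule ^$ hxxp://luxurytds[dot com]/go.php?sid=1 [R,L]
"""

# Constructed (username, role) pairs, as a WordPress user export might give them.
SAMPLE_USERS = [
    ("admin", "administrator"),
    ("editor_jane", "editor"),
    ("wp.service.controller.FmgKL", "administrator"),
]

# Assumptions: the hostnames the site legitimately redirects to, and the
# administrator logins the team itself created.
OWN_HOSTS = {"example.org", "www.example.org"}
KNOWN_ADMINS = {"admin"}

REWRITE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
# Fixed prefix plus a random-looking suffix, as in the account name from the post.
GENERATED_NAME_RE = re.compile(r"^wp\.service\.controller\.[A-Za-z0-9]{4,}$")


def refang(text):
    """Undo common defanging (hxxp, [dot com], [.]) so URLs parse normally."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    text = re.sub(r"\[dot\s+([a-z0-9-]+)\]", r".\1", text, flags=re.I)
    return text.replace("[.]", ".")


def suspicious_rewrites(htaccess_text, own_hosts):
    """Return (line_no, target) for every RewriteRule whose target is an
    absolute URL on a host the site does not own. Local targets such as
    '-' or '/index.php' are what WordPress writes itself and are ignored."""
    hits = []
    for no, raw in enumerate(htaccess_text.splitlines(), start=1):
        m = REWRITE_RE.match(refang(raw))
        if not m:
            continue
        target = m.group(2)
        url = urlparse(target)
        if url.scheme in ("http", "https") and url.hostname \
                and url.hostname.lower() not in own_hosts:
            hits.append((no, target))
    return hits


def looks_generated(username):
    """True if the login follows the fixed-prefix + random-suffix pattern."""
    return bool(GENERATED_NAME_RE.match(username))


def unexpected_admins(users, known_admins):
    """Administrator logins that nobody on the team created."""
    return [u for u, role in users if role == "administrator" and u not in known_admins]


if __name__ == "__main__":
    for no, target in suspicious_rewrites(SAMPLE_HTACCESS, OWN_HOSTS):
        print(f".htaccess line {no}: external redirect to {target}")
    for u in unexpected_admins(SAMPLE_USERS, KNOWN_ADMINS):
        flag = " (auto-generated-looking name)" if looks_generated(u) else ""
        print(f"unknown administrator: {u}{flag}")
```

On a real install the user list can be pulled with WP-CLI (`wp user list --role=administrator --field=user_login`) and the .htaccess read from the WordPress root; the allowlist approach matters more than the name pattern, since an attacker can pick any login, but the pattern is a useful secondary signal for exactly the account seen here.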