Databases of a few accounts keep on getting hacked

PeterN123 (Active Member, Aug 4, 2021)
Australia; cPanel Access Level: Root Administrator
Hello everyone,

Quite a few accounts on my server were compromised; the admin usernames were changed to Anonyous_fox_xxx.

I managed to revert all of those back to the original version, but the hacks keep on coming back. (all WP sites)

I think the hack is not ROOT compromised, because only Google indexed sites are hacked, the rest seems to be fine.

Any pointers/logs to look at to see where the vulnerability is coming from? No files changed in the recent hacks, so that is quite odd.

Thanks everyone

quietFinn (Well-Known Member, Feb 4, 2006)
Finland; cPanel Access Level: Root Administrator
Did you change cPanel password for those accounts?

Did you check that WP admin email is correct for those WP installations?

Did you run ImunifyAV scan in those accounts?

PeterN123 (Active Member, Aug 4, 2021)
Australia; cPanel Access Level: Root Administrator
Did you change cPanel password for those accounts?

Did you check that WP admin email is correct for those WP installations?

Did you run ImunifyAV scan in those accounts?
Hello Finn, yes I already did all that and got hacked again.

I restored everything and moved half of the accounts to another brand new server to see how it goes.

On the new server, I noticed I received a lot of these errors, with the referrer as Anonymousfox.co:

Code:
[Thu Jan 06 14:51:45.811587 2022] [authz_core:error] [pid 18073] [client 172.70.230.10:63290] AH01630: client denied by server configuration: */public_html/wp-includes/css/wp-config.php, referer: anonymousfox.co
[Thu Jan 06 14:51:47.030887 2022] [authz_core:error] [pid 17024] [client 172.70.230.70:13002] AH01630: client denied by server configuration: */public_html/wp-includes/css/wp-config.php, referer: anonymousfox.co
[Thu Jan 06 14:53:16.630880 2022] [:error] [pid 18549] [client 172.70.114.92:30584] [client 172.70.114.92] ModSecurity: Warning. Match of "rx ^0?$" against "REQUEST_HEADERS:content-length" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "143"] [id "920170"] [rev "1"] [msg "GET or HEAD Request with Body Content."] [data "29"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [tag "CAPEC-272"] [hostname "www.***.com.au"] [uri "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"] [unique_id "YdZnrHlcDO7irSseJGVO4wAAAA4"], referer: anonymousfox.co
[Thu Jan 06 14:53:16.630940 2022] [:error] [pid 18549] [client 172.70.114.92:30584] [client 172.70.114.92] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "368"] [id "920340"] [rev "3"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [hostname "www.***.com.au"] [uri "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"] [unique_id "YdZnrHlcDO7irSseJGVO4wAAAA4"], referer: anonymousfox.co
[Thu Jan 06 14:53:16.631210 2022] [:error] [pid 18549] [client 172.70.114.92:30584] [client 172.70.114.92] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 7)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.***.com.au"] [uri "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"] [unique_id "YdZnrHlcDO7irSseJGVO4wAAAA4"], referer: anonymousfox.co
[Thu Jan 06 14:53:16.962893 2022] [:error] [pid 18549] [client 172.70.114.92:30584] [client 172.70.114.92] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 7 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Request Containing Content, but Missing Content-Type header"] [tag "event-correlation"] [hostname "www.***.com.au"] [uri "/cgi-sys/ea-php74/index.php"] [unique_id "YdZnrHlcDO7irSseJGVO4wAAAA4"], referer: anonymousfox.co
Any pointers on where the vulnerability is?
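A small triage helper for log lines in the format quoted above, added here as an example and not code from the thread or from cPanel: it pulls the client address, CRS rule id, URI and referer out of each Apache error-log / ModSecurity entry, keeps only entries carrying a chosen referer, and separates requests ModSecurity actually blocked (the "Access denied with code 403" lines) from ones that were merely logged. The sample lines, paths, hostname and the second IP are constructed placeholders in the same layout as the post's log.

```python
import re
from collections import Counter

# Constructed sample in the layout of the post's Apache/ModSecurity entries
# (paths, hostname and the 203.0.113.7 client are placeholders, not real data).
SAMPLE_LOG = """\
[Thu Jan 06 14:51:45.811587 2022] [authz_core:error] [pid 18073] [client 172.70.230.10:63290] AH01630: client denied by server configuration: /home/acct/public_html/wp-includes/css/wp-config.php, referer: anonymousfox.co
[Thu Jan 06 14:53:16.630880 2022] [:error] [pid 18549] [client 172.70.114.92:30584] [client 172.70.114.92] ModSecurity: Warning. Match of "rx ^0?$" against "REQUEST_HEADERS:content-length" required. [id "920170"] [msg "GET or HEAD Request with Body Content."] [severity "CRITICAL"] [hostname "www.example.com.au"] [uri "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"], referer: anonymousfox.co
[Thu Jan 06 14:53:16.631210 2022] [:error] [pid 18549] [client 172.70.114.92:30584] [client 172.70.114.92] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 7)"] [severity "CRITICAL"] [hostname "www.example.com.au"] [uri "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"], referer: anonymousfox.co
[Thu Jan 06 15:02:01.000000 2022] [:error] [pid 18550] [client 203.0.113.7:40001] [client 203.0.113.7] ModSecurity: Warning. Pattern match at ARGS:q. [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "www.example.com.au"] [uri "/search/"]
"""

CLIENT_RE = re.compile(r"\[client (?P<ip>[\d.]+)(?::\d+)?\]")
TAG_RE = re.compile(r'\[(?P<key>id|msg|uri|hostname|severity) "(?P<val>[^"]*)"\]')
DENIED_RE = re.compile(r"client denied by server configuration: (?P<path>[^,\s]+)")
REFERER_RE = re.compile(r"referer: (?P<ref>\S+)$")

def parse_line(line):
    """Extract ip, rule id, msg, uri, referer and blocked flag from one entry."""
    rec = {"referer": None, "blocked": "Access denied with code" in line}
    m = CLIENT_RE.search(line)
    if m:
        # Behind a CDN or reverse proxy this is the proxy's address, not the visitor's.
        rec["ip"] = m.group("ip")
    for m in TAG_RE.finditer(line):
        rec[m.group("key")] = m.group("val")
    m = DENIED_RE.search(line)
    if m:  # authz_core denials carry the path instead of a [uri "..."] tag
        rec["uri"] = m.group("path")
    m = REFERER_RE.search(line)
    if m:
        rec["referer"] = m.group("ref")
    return rec

def summarize(text, suspicious_referers=("anonymousfox.co",)):
    """Count entries with a watched referer, by client, URI and CRS rule id."""
    recs = [parse_line(l) for l in text.splitlines() if l.strip()]
    hits = [r for r in recs if r["referer"] in suspicious_referers]
    return {
        "total": len(recs),
        "suspicious": len(hits),
        "blocked": sum(r["blocked"] for r in hits),
        "by_ip": Counter(r.get("ip") for r in hits),
        "by_uri": Counter(r.get("uri") for r in hits),
        "rule_ids": Counter(r["id"] for r in hits if "id" in r),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Entries that ModSecurity or authz_core denied never reached PHP, so a blocked count alone does not locate the entry point; the by_ip and by_uri counters are the values to carry over into the domain's access log to find requests from the same sources that received a 200.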