Databases of a few accounts keep on getting hacked

PeterN123

Active Member
Aug 4, 2021
34
5
8
Australia
cPanel Access Level
Root Administrator
Hello everyone,

Quite a few accounts on my server was compromised, the admin username are changed to Anonyous_fox_xxx.

I managed to revert all of those back to the original version, but the hacks keep on coming back. (all WP sites)

I think the hack is not ROOT compromised, because only Google indexed sites are hacked, the rest seems to be fine.

Any pointers/ logs to look at to see where the vulneribility coming from? No files change from the recent hacks, so that is quite odd.

Thanks everyone
 

quietFinn

Well-Known Member
Feb 4, 2006
1,649
323
438
Finland
cPanel Access Level
Root Administrator
Did you change cPanel password for those accounts?

Did you check that WP admin email is correct for those WP installations?

Did you run ImunifyAV scan in those accounts?
 
  • Like
Reactions: cPanelAnthony

PeterN123

Active Member
Aug 4, 2021
34
5
8
Australia
cPanel Access Level
Root Administrator
Did you change cPanel password for those accounts?

Did you check that WP admin email is correct for those WP installations?

Did you run ImunifyAV scan in those accounts?
Hello Finn, yes I already did all that and got hacked again.

I restored everything and move half of the accounts to another brand new server to see how it goes.

On the new server, I notice I received a lot of these errors () with referrer as Anonymousfox.co:

Code:
[Thu Jan 06 14:51:45.811587 2022] [authz_core:error] [pid 18073] [client 172.70.230.10:63290] AH01630: client denied by server configuration: */public_html/wp-includes/css/wp-config.php, referer: anonymousfox.co
[Thu Jan 06 14:51:47.030887 2022] [authz_core:error] [pid 17024] [client 172.70.230.70:13002] AH01630: client denied by server configuration: */public_html/wp-includes/css/wp-config.php, referer: anonymousfox.co
[Thu Jan 06 14:53:16.630880 2022] [:error] [pid 18549] [client 172.70.114.92:30584] [client 172.70.114.92] ModSecurity: Warning. Match of "rx ^0?$" against "REQUEST_HEADERS:content-length" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "143"] [id "920170"] [rev "1"] [msg "GET or HEAD Request with Body Content."] [data "29"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [tag "CAPEC-272"] [hostname "www.***.com.au"] [uri "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"] [unique_id "YdZnrHlcDO7irSseJGVO4wAAAA4"], referer: anonymousfox.co
[Thu Jan 06 14:53:16.630940 2022] [:error] [pid 18549] [client 172.70.114.92:30584] [client 172.70.114.92] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "368"] [id "920340"] [rev "3"] [msg "Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [hostname "www.***.com.au"] [uri "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"] [unique_id "YdZnrHlcDO7irSseJGVO4wAAAA4"], referer: anonymousfox.co
[Thu Jan 06 14:53:16.631210 2022] [:error] [pid 18549] [client 172.70.114.92:30584] [client 172.70.114.92] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 7)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.***.com.au"] [uri "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"] [unique_id "YdZnrHlcDO7irSseJGVO4wAAAA4"], referer: anonymousfox.co
[Thu Jan 06 14:53:16.962893 2022] [:error] [pid 18549] [client 172.70.114.92:30584] [client 172.70.114.92] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 7 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Request Containing Content, but Missing Content-Type header"] [tag "event-correlation"] [hostname "www.***.com.au"] [uri "/cgi-sys/ea-php74/index.php"] [unique_id "YdZnrHlcDO7irSseJGVO4wAAAA4"], referer: anonymousfox.co
any pointers of where the vulneribility is?