I write this post just to know if someone has had this problem:
I have some sites that offer UHB (United Hackers Bangladesh) attack.
The PHP version on does sites ware mainly 5.6 (but also one site with 7.0 has been attacked).
They upload some files to the server on Plugins>Update folder and rename all users to admin and set new passwords.
I have noticed that sites with Wordpress installed on a subfolder wasn’t affected.
For now, I have updated PHP and all plugins and refine wordfence options.
Anyone have been attacked this way? Do you know how they attack? Is it Wordpress or PHP vulnerability.
Hi Raul, sorry to hear that your sites got attacked.
I have never seen this kind of attack nor anyone else reported it. Have you check with your host support if they can trace in server access logs what was the vulnerable point that got exploited?
They only tell me what I already know. The attack started here (on the plugin they upload):
[18/Apr/2020:14:02:47 +0100] “POST /wp-content/plugins/Update/wp-blog.php?path=/home/xxxx/public_html/wp-content HTTP/1.1” 200 2612 “http://xxxx.xx/wp-content/plugins/Update/wp-blog.php?path=/home/xxxx/public_html/wp-content” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36 OPR/67.0.3575.137”
In the wp-blog.php file they could upload other php files
Strange, I would expect more details… Have you tried to scan your site with the Wordfence plugin to see if there any other files infected and get the list of all newly created/uploaded files?
Sharing this list might help other users recognize the same problem.
now I have clean all sites and change Wordfence settings and update all sites php to latest version. I will be on eye for now. If I detect another attack I will report a new topic with more details.
Thank you for your attention.
What plugin is/was in the ‘Update’ folder or was that created by the compromise ?
That would indicate a scripted attack which only looks for the ‘root’ of the website for the WP install.
What server platform are you using, is it CPanel ? Your service provider should have CXS/CSF installed which should block that activity. Assuming that it is not being accessed through a known account/password within the Wordpress install.
“Update” was the name of the plugin created and uploaded by the hacker. If you make a short search on google by “Bangladesh United Hackers” you will find how they act.
But I still not find the vulnerability on my sites
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.