Hacked - X-Sec Team


#1

Our website has been down for a few hours now.
White Screen of Death.

I have been trying to bring it back up, had to connect to the wp DB to reset password…

And after trying to fix my plugins and themes and all, I just noticed a folder called Xroot. I might be stupid but I don’t think that shit is supposed to be there. I started looking in it and its files and hmmm…

-_-
crap…

print "############################################\n";
print "         X-Sec Team      auto r00t          \n";
print "                 2005 - 2015                \n";
print "     _______  _______  _______ _________    \n";
print "    (  ____ )(  __   )(  __   )\__   __/    \n";
print "    | (    )|| (  )  || (  )  |   ) (       \n";
print "    | (____)|| | /   || | /   |   | |       \n";
print "    |     __)| (/ /) || (/ /) |   | |       \n";
print "    | (\ (   |   / | ||   / | |   | |       \n";
print "    | ) \ \__|  (__) ||  (__) |   | |       \n";
print "    |/   \__/(_______)(_______)   )_(       \n";
print "                                            \n";
print "			                                   \n";
print "		         		                       \n";
print "		  To root linux , perl $0 lnx          \n";
print "		  To root Bsd ,  perl $0 bsd           \n";
print "		  To root SunOS , perl $0 sunos        \n";
print "############################################\n";


if ($ARGV[0] =~ "lnx" )
{
print "###############################\n";
print "# Linux/Bsd/Sunos AUTO-ROOTER  #\n";
print "#                              #\n";
print "#        Have a coffe          #\n";
print "#                              #\n";
print "#       Rooting linux          #\n";
print "###############################\n";
........

I found no post on the forum mentioning Xroot or X-Sec Team hacking.

Dreamhost admins, if you want to see the content, I will wait an hour before I start deleting it all and changing our passwords.

For now I will begin archiving the files I find.

cheers

-Matt


#2

Is it a WordPress? I read that they are so easy to hack?


#3

Yes it is.
I cleaned up the files, reinstalled the theme and plugins,
and upgraded the passwords to strong passwords, because they were 8-character alphanumeric.

I will also remove the admin login shortly and replace it with a randomized username.

What I wonder is:
1- What was that rootkit doing?
2- How were they able to upload it to the website root?
3- Where was the exact point of failure: WP admin or DB admin?

I have logs from a Russian IP making tons of random GET queries.
I am not sure if they were able to use the WordPress admin password or able to dump the WP config file and gain DB admin access.
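One way to start answering those three questions from the web server logs, as an added example that is not part of this thread: a small triage script over constructed Apache-style access log lines (sample IPs and timestamps are made up) that counts requests per IP, flags a high 404 ratio (file probing), repeated POSTs to wp-login.php (password guessing), and any request that touched the Xroot folder, which narrows down when and from where the upload happened.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined-log format (not real logs from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2015:03:14:01 +0000] "GET /wp-content/uploads/2014/x.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:03:14:02 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:03:14:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:03:15:10 +0000] "GET /Xroot/xroot.pl HTTP/1.1" 200 1811 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2015:03:20:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def triage(log_text, suspicious_path="/Xroot/"):
    """Summarise per-IP activity; returns {ip: stats dict}."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0,
                                 "login_posts": 0, "suspicious": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip lines that are not combined-log format
        ip, ts, method, path, status = m.groups()
        s = stats[ip]
        s["requests"] += 1
        if status == "404":
            s["not_found"] += 1            # many 404s from one IP = probing for files
        if method == "POST" and path.startswith("/wp-login.php"):
            s["login_posts"] += 1          # repeated login POSTs = password guessing
        if path.startswith(suspicious_path):
            s["suspicious"].append((ts, method, path, status))  # who touched Xroot, and when
    return dict(stats)

def flag_ips(stats, min_requests=5, max_404_ratio=0.3):
    """Return the IPs worth a closer look, with the reasons."""
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["requests"] >= min_requests and s["not_found"] / s["requests"] > max_404_ratio:
            reasons.append("high 404 ratio")
        if s["login_posts"] >= 2:
            reasons.append("wp-login.php POSTs")
        if s["suspicious"]:
            reasons.append("touched Xroot")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

On a real server, run `flag_ips(triage(open("access.log").read()))` and then read every line from the flagged IPs in time order: the first request to Xroot that returned 200 is the earliest point the upload had already succeeded, so the POST or login just before it is where to look for the point of failure.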


#4

You didn’t install the WordPress plugins made to protect your website?


#5

Which plugins do you propose?
Could you elaborate?
Thank you.

And as for the files that were uploaded to our website with a X-Sec comment, here is more info provided by the security team of Dreamhost:

So the hacker did play around with our website and took it down, but his attempt to install a rootkit failed.


#6

I highly recommend Wordfence:


In its free configuration, it does an excellent job of scanning for malicious changes/additions and can help clean up a site. It also protects against brute force attacks. I installed it after a site got hacked. I have no affiliation with Wordfence, other than being an extremely satisfied customer.


#7

Thank you very much for taking the time to share this info.

I will start looking into it at once.

-Matt


#8

I use a WordPress plugin called “All in One WordPress Security and Firewall”. https://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin

Seems to help in locking down my site.


#9

Thank you Mike,
I already installed Wordfence, but I will take a look at this one too.


#10

If you submit a ticket, you can ask DH’s security team to look into your account for other hacked files for free.


#11

Yes: hacked.
I googled around a bit and found this “X-Sec Team” YouTube channel with visual tutorials.
It includes DarkComet examples and various script kiddie hacks for WordPress and other platforms.

Definitely report to Dreamhost Security.