Hacked - X-Sec Team

Our website has been down for a few hours now.
White Screen of Death.

I have been trying to bring it back up, had to connect to the wp DB to reset password…

And after trying to fix my plugins and themes and all, I just noticed a folder called Xroot. I might be stupid but I don’t think that shit is supposed to be there. I started looking in it and its files and hmmm…

-_-
crap…

print "############################################\n";
print "         X-Sec Team      auto r00t          \n";
print "                 2005 - 2015                \n";
print "     _______  _______  _______ _________    \n";
print "    (  ____ )(  __   )(  __   )\__   __/    \n";
print "    | (    )|| (  )  || (  )  |   ) (       \n";
print "    | (____)|| | /   || | /   |   | |       \n";
print "    |     __)| (/ /) || (/ /) |   | |       \n";
print "    | (\ (   |   / | ||   / | |   | |       \n";
print "    | ) \ \__|  (__) ||  (__) |   | |       \n";
print "    |/   \__/(_______)(_______)   )_(       \n";
print "                                            \n";
print "			                                   \n";
print "		         		                       \n";
print "		  To root linux , perl $0 lnx          \n";
print "		  To root Bsd ,  perl $0 bsd           \n";
print "		  To root SunOS , perl $0 sunos        \n";
print "############################################\n";


if ($ARGV[0] =~ "lnx" )
{
print "###############################\n";
print "# Linux/Bsd/Sunos AUTO-ROOTER  #\n";
print "#                              #\n";
print "#        Have a coffe          #\n";
print "#                              #\n";
print "#       Rooting linux          #\n";
print "###############################\n";
........

I found no post on the forum mentioning Xroot or X-Sec Team hacking.

Dreamhost admins, if you want to see the content, I will wait an hour before I start deleting it all and changing our passwords.

For now I will begin archiving the files I find.

cheers

-Matt

Is it a WordPress? I read that they are so easy to hack?

Yes it is.
I cleaned up the files. Reinstalled the theme and plugins,
Upgraded the passwords to strong passwords, because they were 8-char alphanumeric.

I will also remove the admin login shortly and replace it with a randomized username.

What I wonder is:
1. What was that rootkit doing?
2. How were they able to upload it to the website root?
3. Where was the exact point of failure: WP admin or DB admin?

I have logs from a Russian IP making tons of random GET queries.
I am not sure if they were able to use the WordPress admin pass or able to dump the WP config file and gain DB admin access.
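To help answer the "where was the point of failure" question from the access logs, here is a small triage script (an added example, not something from this thread or from Dreamhost). It parses Apache combined-format lines and flags, per client IP, requests for wp-config.php, wp-login.php, xmlrpc.php and the Xroot folder, a POST to wp-login.php answered with a 302 (what a successful login looks like), and bursts of 404s from one IP. The log lines, the IP addresses and the burst threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache "combined" format (documentation IP ranges,
# not the poster's real logs). The first IP enumerates, probes for a config
# backup, logs in, then fetches the Xroot folder; the second is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:02:14:01 +0000] "GET /?p=4817 HTTP/1.1" 404 211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:02:14:01 +0000] "GET /?p=9923 HTTP/1.1" 404 211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:02:14:02 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:02:14:09 +0000] "GET /Xroot/ HTTP/1.1" 200 1502 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2015:02:15:00 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths whose appearance in the log deserves a look (Xroot is the folder from the thread).
SENSITIVE = re.compile(r'/wp-config\.php|/xmlrpc\.php|/wp-login\.php|/Xroot(/|$)', re.I)

def analyse(log_text, burst_threshold=3):
    """Return {ip: [finding, ...]} for every IP with at least one finding."""
    per_ip_404 = Counter()
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, path, status = m['ip'], m['method'], m['path'], m['status']
        if status == '404':
            per_ip_404[ip] += 1
        if SENSITIVE.search(path):
            findings[ip].append(f"{method} {path} -> {status}")
        # WordPress redirects to wp-admin after a successful login, hence the 302.
        if method == 'POST' and path.startswith('/wp-login.php') and status == '302':
            findings[ip].append("possible successful admin login")
    for ip, n in per_ip_404.items():
        if n >= burst_threshold:
            findings[ip].append(f"{n} x 404 (scanning/enumeration)")
    return dict(findings)

if __name__ == "__main__":
    for ip, notes in analyse(SAMPLE_LOG).items():
        print(ip, *notes, sep="\n  ")
```

Feed it the real access log (for example `analyse(open("access.log").read())`) and compare the timestamps of the login and of the first request touching Xroot; if the upload happened without any successful wp-login.php POST beforehand, the entry point was something other than the admin password.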

You didn’t install the WordPress plugins made to protect your website?

Which plugins do you propose?
Could you elaborate?
Thank you.

And as for the files that were uploaded to our website with a X-Sec comment, here is more info provided by the security team of Dreamhost:

So the hacker did play around with our website and take it down, but his attempt to install a rootkit failed.

I highly recommend Wordfence:


In its free configuration, it does an excellent job of scanning for malicious changes/additions and can help clean up a site. It also protects against brute force attacks. I installed it after a site got hacked. I have no affiliation with Wordfence, other than being an extremely satisfied customer.

Thank you very much for taking the time to share this info.

I will start looking into it at once.

-Matt

I use a Wordpress plugin called “All in One WordPress Security and Firewall”. https://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin

Seems to help in locking down my site.

Thank you Mike,
I already installed WordFence, but I will also take a look at this one too.

If you submit a ticket, you can ask DH’s security team to look into your account for other hacked files for free.

Yes: hacked.
I googled around a bit and found this “X-Sec Team” YouTube channel with visual tutorials.
Includes DarkComet examples and various script kiddie hacks for Wordpress + other platforms.

Definitely report to Dreamhost Security.