Redirect from wordpress to cPanel (hack)

by user2879896   Last Updated April 16, 2018 22:04 PM

So my site has recently been hacked. As I understand it, someone got into the WordPress backend, redirected to cPanel, created a subdomain to host a phishing site and several email accounts for spam mail, while keeping the site itself (mostly) unharmed to not draw attention. I don't have much experience and never worried about security, but going through the logs really changed my mind. So if anyone of you could point out what exactly happened there I would be really glad.

First I noticed lots of requests to wp-login.php and xmlrpc.php on 03.03. (about 10.00 each from about 5000 different IPs). But as far as I can tell nothing bad happened there.

On 21.03. I found these log entries (changed the domain name). First the login to wp-admin:

197.15.200.163  -   -   [21/Mar/2018:14:55:47   +0100]  GET /wp-login.php HTTP/1.1  200 3513    -
197.15.200.163  -   -   [21/Mar/2018:14:55:48   +0100]  GET /wp-admin/load-styles.php?c=1&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.8.5 HTTP/1.1  200 38765   http://example.com/wp-login.php
197.15.200.163  -   -   [21/Mar/2018:14:55:49   +0100]  GET /wp-admin/images/wordpress-logo.svg?ver=20131107 HTTP/1.1   200 1521    http://example.com/wp-admin/load-styles.php?c=1&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.8.5
197.15.200.163  -   -   [21/Mar/2018:14:55:50   +0100]  GET /wp-content/uploads/2017/05/cropped-final-32x32.png HTTP/1.1    200 2923    http://example.com/wp-login.php
197.15.200.163  -   -   [21/Mar/2018:14:55:50   +0100]  GET /wp-content/uploads/2017/05/cropped-final-192x192.png HTTP/1.1  200 33632   http://example.com/wp-login.php
197.15.200.163  -   -   [21/Mar/2018:14:55:50   +0100]  POST /wp-admin/admin-ajax.php HTTP/1.1  200 37  http://example.com/wp-login.php
197.15.200.163  -   -   [21/Mar/2018:14:55:52   +0100]  POST /wp-login.php HTTP/1.1 302 -   http://example.com/wp-login.php
197.15.200.163  -   -   [21/Mar/2018:14:55:56   +0100]  GET /wp-includes/js/thickbox/thickbox.css?ver=4.8.5 HTTP/1.1    200 2655    http://example.com/wp-admin/

Then after editing the 404.php he redirects to the cPanel:

197.15.200.163  -   -   [21/Mar/2018:14:56:09   +0100]  GET /wp-admin/theme-editor.php?file=404.php&theme=rachelbaker-bootstrapwp-Twitter-Bootstrap-for-WordPress-0c06b68 HTTP/1.1  200 41807   http://example.com/wp-admin/theme-editor.php
197.15.200.163  -   -   [21/Mar/2018:14:56:12   +0100]  POST /wp-admin/theme-editor.php HTTP/1.1    302 -   http://example.com/wp-admin/theme-editor.php?file=404.php&theme=rachelbaker-bootstrapwp-Twitter-Bootstrap-for-WordPress-0c06b68
197.15.200.163  -   -   [21/Mar/2018:14:56:13   +0100]  GET /wp-admin/theme-editor.php?file=404.php&theme=rachelbaker-bootstrapwp-Twitter-Bootstrap-for-WordPress-0c06b68&scrollto=4806&updated=true HTTP/1.1   200 54743   http://example.com/wp-admin/theme-editor.php?file=404.php&theme=rachelbaker-bootstrapwp-Twitter-Bootstrap-for-WordPress-0c06b68
197.15.200.163  -   -   [21/Mar/2018:14:56:18   +0100]  GET /404 HTTP/1.1   404 29714   -
197.15.200.163  -   -   [21/Mar/2018:14:56:18   +0100]  GET /favicon.ico HTTP/1.1   200 -   http://example.com/404
197.15.200.163  -   -   [21/Mar/2018:14:56:19   +0100]  GET /404?path=/home/example HTTP/1.1    404 27252   http://example.com/404
197.15.200.163  -   -   [21/Mar/2018:14:56:20   +0100]  GET /favicon.ico HTTP/1.1   200 -   http://example.com/404?path=/home/example
197.15.200.163  -   -   [21/Mar/2018:14:56:24   +0100]  POST /404?option&path=/home/example HTTP/1.1    404 2041    http://example.com/404?path=/home/example
197.15.200.163  -   -   [21/Mar/2018:14:56:25   +0100]  GET /favicon.ico HTTP/1.1   200 -   http://example.com/404?option&path=/home/example
197.15.200.163  -   -   [21/Mar/2018:14:56:28   +0100]  POST /404?option&path=/home/example HTTP/1.1    404 2090    http://example.com/404?option&path=/home/example
197.15.200.163  -   -   [21/Mar/2018:14:56:29   +0100]  GET /favicon.ico HTTP/1.1   200 -   http://example.com/404?option&path=/home/example
197.15.200.163  -   -   [21/Mar/2018:14:56:30   +0100]  GET /404?path=/home/example HTTP/1.1    404 27253   http://example.com/404?option&path=/home/example
197.15.200.163  -   -   [21/Mar/2018:14:56:30   +0100]  GET /favicon.ico HTTP/1.1   200 -   http://example.com/404?path=/home/example
197.15.200.163  -   -   [21/Mar/2018:14:56:31   +0100]  GET /404?path=/home/example/.cpanel HTTP/1.1    404 44565   http://example.com/404?path=/home/example
197.15.200.163  -   -   [21/Mar/2018:14:56:32   +0100]  GET /favicon.ico HTTP/1.1   200 -   http://example.com/404?path=/home/example/.cpanel
197.15.200.163  -   -   [21/Mar/2018:14:56:33   +0100]  POST /404?option&path=/home/example/.cpanel HTTP/1.1    404 43730   http://example.com/404?path=/home/example/.cpanel
197.15.200.163  -   -   [21/Mar/2018:14:56:34   +0100]  GET /favicon.ico HTTP/1.1   200 -   http://example.com/404?option&path=/home/example/.cpanel
197.15.200.163  -   -   [21/Mar/2018:14:56:36   +0100]  GET /cpanel HTTP/1.1    200 33908   -
197.15.200.163  -   -   [21/Mar/2018:17:21:41   +0100]  GET / HTTP/1.1  301 -   -
197.15.200.163  -   -   [21/Mar/2018:17:21:50   +0100]  GET / HTTP/1.1  301 -   -

First thing I don't get is how he got into the backend. The password was pretty strong, so I don't think it was cracked in the attack from 03.03. (even if it was, why wait over two weeks?). Secondly, and most important: is it normal that a WordPress admin is able to access the cPanel like that? Shouldn't this be a completely different login?
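One defensive use of entries like the ones above, as an added example that is not part of the original post: a small Python script that parses lines in this access-log layout and flags an IP that logs in, saves a theme file through theme-editor.php, then drives a front-end template with a ?path= parameter (the way the edited 404.php is being used here) and goes on to /cpanel. The sample lines and IPs are constructed for the example, and window_minutes is an assumed tuning value.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs
# Constructed sample in the layout of the access-log excerpt in the question (documentation IPs).
SAMPLE_LOG = """\
203.0.113.5  -   -   [21/Mar/2018:14:55:52   +0100]  POST /wp-login.php HTTP/1.1 302 -   http://example.com/wp-login.php
203.0.113.5  -   -   [21/Mar/2018:14:56:12   +0100]  POST /wp-admin/theme-editor.php HTTP/1.1    302 -   http://example.com/wp-admin/theme-editor.php?file=404.php&theme=sometheme
203.0.113.5  -   -   [21/Mar/2018:14:56:33   +0100]  POST /404?option&path=/home/example/.cpanel HTTP/1.1    404 43730   http://example.com/404?path=/home/example
203.0.113.5  -   -   [21/Mar/2018:14:56:36   +0100]  GET /cpanel HTTP/1.1    200 33908   -
198.51.100.7  -   -   [21/Mar/2018:15:10:01   +0100]  GET /404?path=/home/example HTTP/1.1    404 29714   -
"""
LINE_RE = re.compile(r'^(?P<ip>\S+)\s+\S+\s+\S+\s+\[(?P<ts>[^\]]+)\]\s+(?P<method>[A-Z]+)\s+'
                     r'(?P<url>\S+)\s+HTTP/[\d.]+\s+(?P<status>\d{3})\s+(?P<size>\S+)\s+(?P<ref>\S+)')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    d, u = m.groupdict(), urlsplit(m.group("url"))
    d["time"] = datetime.strptime(d["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    d["path"], d["query"] = u.path, parse_qs(u.query, keep_blank_values=True)
    return d

def classify(rec):
    p, q, m, s = rec["path"], rec["query"], rec["method"], rec["status"]
    if p == "/wp-login.php" and m == "POST" and s == "302":
        return "login"        # 302 after the POST: credentials were accepted
    if p == "/wp-admin/theme-editor.php" and m == "POST":
        return "theme_edit"   # a theme file was saved through the built-in editor
    if not p.startswith("/wp-admin") and "path" in q:
        return "file_browse"  # front-end template answering ?path=... like a file manager
    if p.rstrip("/") == "/cpanel":
        return "cpanel"

def find_theme_editor_abuse(log_text, window_minutes=30):
    # Returns {ip: [stages]} for IPs that saved a theme file and then drove it with ?path= soon after.
    chains, edited = {}, {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or (stage := classify(rec)) is None:
            continue
        ip, chain = rec["ip"], chains.setdefault(rec["ip"], [])
        if stage == "theme_edit":
            edited[ip] = rec["time"]
        elif stage == "file_browse" and (ip not in edited or
                (rec["time"] - edited[ip]).total_seconds() > window_minutes * 60):
            continue          # ?path= hit with no recent theme edit from this IP: not this chain
        if not chain or chain[-1] != stage:
            chain.append(stage)
    return {ip: c for ip, c in chains.items() if "theme_edit" in c and "file_browse" in c}
```

Run it over a real cPanel/Apache access log by passing the file contents to find_theme_editor_abuse; an IP reported with the full login, theme_edit, file_browse, cpanel chain is the sequence shown in the question.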
