Hacked By An0n 3xPloiTeR, 8B0K3N H34R7, Team Pak Cyber Ghosts: Cyber Hack Forensic Examination

Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 Team Pak Cyber Ghosts [P.C.G], main message screen with running footer 1

This hack got the hosting account suspended and the web site flagged as a malware-infected account. The hack set up a malware attack against anyone who visited the site, specifically targeting Windows. I am still trying to figure out how they got in. This is a Pakistan-based attack, or so their message says. I’ll try to document as much as I can to help others in the same situation.

The host provider froze the account, and the WordPress site was taken down until I was able to clean it up. The host provider then did a clean scan and we were back up. The site does not seem to be damaged, but the incident greatly concerned the owner.

Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 Team Pak Cyber Ghosts [P.C.G]

Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 Team Pak Cyber Ghosts [P.C.G], dialog box 1

Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 Team Pak Cyber Ghosts [P.C.G], dialog box 2

Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 Team Pak Cyber Ghosts [P.C.G], main message screen with running footer 1, Pakistan-Zindabad.html

Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 Team Pak Cyber Ghosts [P.C.G], main message screen with running footer 2, Pakistan-Zindabad.html

Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 Team Pak Cyber Ghosts [P.C.G], main message screen with running footer 3, Pakistan-Zindabad.html

Here is the code for Pakistan-Zindabad.html:

<!Doctype html>
  <html>
    <head>
      <script>alert("Hacked By An0n 3xPloiTeR");</script>
      <script>alert("Team Pak Cyber Ghosts [P.C.G]");</script>
      <title> Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 </title>
    </head>

    <body bgcolor="black">
      <center><br><br><br><br>
      <font size="30" color="red" face="calibri"> Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 </font><br>
      <font size="30" color="red" face="calibri"> Team Pak Cyber Ghosts [P.C.G]</font><iframe src="https://www.youtube.com/embed/nPGIdTAeOSg?rel=0&autoplay=1&loop=1&playlist=nPGIdTAeOSg" allowfullscreen="" frameborder="0" height="0" width="0"></iframe><body bgcolor="black"><center><script language="JavaScript1.2">function ejs_nodroit(){alert(' Pakistan Zindabad <3 ');return(false);}document.oncontextmenu = ejs_nodroit;</script><br><br><font size="5" color="white" face="calibri"> Pakistan Zindabad  <quee></font><br></center>
    </body;/font><br><br><br><font size="5" color="white" face="calibri"> Greetz ~
    <marquee width="80%"># Shariq Maik | # Prinxe Haxi | # An0n 3xPloiTeR | # Unknown | # Wahab Hacker | # Rizi Haxor | # 8R0K3N H34R7 | # CYB3R71 | # 3htisham | # And All Muslims</mar>
  </html>

The accompanying music comes from an iframe with its height and width set to zero, so it does not display; it points at the YouTube video “Aye Watan Pyare Watan PAK Watan” by Ustad Amanat Ali Khan. Translation help from Google:

O homeland, dear homeland, pure homeland, pure homeland
O my dear homeland
O homeland, dear homeland

Through you the world of my longings is filled with light
My resolve is strong, my intentions are proud
In my being there is self-respect, in my rapture there is awareness
Life-giving is my imagination, and sweet is my speech
O my dear homeland

O homeland, dear homeland, pure homeland, pure homeland
O my dear homeland
O homeland, dear homeland

You are the fresh, green garden of heart-kindling springs
You are the lovely flower-garden of fragrant blossoms
You, scattering melody, are the springtime dwelling of the proud heart
Your mountains and valleys are filled with colour and harmony
O my dear homeland

O homeland, dear homeland, pure homeland, pure homeland
O my dear homeland
O homeland, dear homeland

My heart is the life-giving land of your love
My chest is the stone rampart of your honour
My beloved homeland, if my life were offered up for you
I would count the wealth of this body well spent
O my dear homeland

O homeland, dear homeland, pure homeland, pure homeland
O my dear homeland
O homeland, dear homeland

Infected Files:
Directories:

Commission
elements
id
images
pee
PRO
pro
r3w
r3w_config
sym
tmpl

Files in public_html

1484309152.php
amylucas.txt
an.php
ananazne.txt
apollog2.txt
asecondm.txt
clearpb4.txt
cp6.php
humaniv2.txt
ihungitu.txt
islandk2.txt
jpchoice.txt
kojotene.txt
ml.php
obf.php
Pakistan_Zindabad.html
pantseat.txt
pixelau0.txt
plecosco.txt
saywhatd.txt
secretd4.txt
shell-mix.php
tomandm2.txt
toor.php
toservet.txt
traynedb.txt
wp-admin/includes/Mlslisting/validate.php
wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php
wp-includes/ID3/module.audio-video.quicktime.php
x.php

Some messages found in the files (file name, followed by the string it contains):

spyrusss.php            SPY US V0.1 CRACKER CPANEL CRACKER
skullcp.php             cPanel Cracker | Pak Cyber SKULLZ, pakcyberskull@gmail.com
mass.php                WordPress Mass Deface By An0n 3xPloiTeR
cp6.php                 Obfuscation provided by FOPO – Free Online PHP Obfuscator: http://www.fopo.com.ar/
an.php                  Albanian Hackers
ak.php                  Config Killer | Dar3wz
Pakistan_Zindabad.html  Hacked By An0n 3xPloiTeR Team Pak Cyber Ghosts [P.C.G] Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 Team Pak Cyber Ghosts [P.C.G] Pakistan Zindabad # Shariq Maik | # Prinxe Haxi | # An0n 3xPloiTeR | # Unknown | # Wahab Hacker | # Rizi Haxor | # 8R0K3N H34R7 | # CYB3R71 | # 3htisham | # And All Muslims
validate.php            kingolivercoopers@gmail.com

Here are the IP addresses involved, looked up in IBM X-Force (risk score and category as reported by X-Force, where given):

IP               Organization                        Country             X-Force risk / category
52.10.88.182     Amazon Technologies                 US
77.29.208.126    MT-ADSL                             MK Macedonia
81.171.81.79     Mudhook Marketing, Amsterdam        NL Netherlands
83.229.17.146    SkyVision Network Services          BF Burkina Faso
103.15.233.132   Vodien Internet Solutions Pte Ltd   SG Singapore        Risk 2.9, spam
103.15.233.133   Vodien Internet Solutions Pte Ltd   SG Singapore
105.0.233.24     NEOTEL                              ZA South Africa
105.13.62.11     CELLC                               ZA South Africa     malware
154.118.68.203   Spectranet                          NG Nigeria          Risk 5.7, spam, malware
161.132.96.1     Red Cientifica Peruana              PE Peru
178.175.22.105   PTK Telekomi i Kosovës              AL Albania          Risk 5.7, spam
185.61.137.173   BLAZINGFAST-20140620                NL Netherlands
185.188.216.63   AL-NPSHISP-20170206                 AL Albania
195.211.23.206   RU-NETBRIDGE-PI-20130606            RU Russia           Risk 5.7, bots
197.211.63.144   Globacom Limited                    NG Nigeria          Risk 10, spam, malware
198.50.128.202   OVH                                                     Risk 4.3, bots
198.54.113.88    NAMEC-4 Namecheap                   CA
200.219.247.172  GRAAL BANCO IBI S.A.                BR Brazil           Risk 5.7, spam
200.219.247.175  GRAAL BANCO IBI S.A.                BR Brazil
213.174.123.194  Hub One SA                          FR France

Most common user agents (number of requests seen in the logs, then the UA string):

 176  Mozilla/5.0 (Windows NT 6.1; rv:57.0) Gecko/20100101 Firefox/57.0
  43  Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
  23  Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
  19  Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
  13  Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Banning “20100101” would account for 68% of the UAs. Banning “62.0.3202.94” would account for another 23%. These UAs, however, are specific to this hack and are easily changed.

Cleaning

  1. Gain FTP access
  2. Have host do a scan and report of all suspect files
  3. Examine and remove all suspect files
  4. Have host do a final scan and unfreeze account
  5. Check site for damage
  6. Change passwords
  7. Reinstall WordPress
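For steps 2 and 3 (working out which files are suspect before removing them), and for spotting a hidden zero-size iframe like the one in Pakistan-Zindabad.html, here is an added example scanner. It is not code from this write-up or from the host's scanning tool. It walks a web root and reports top-level PHP/HTML files that a stock WordPress install does not ship, files carrying an eval()-plus-decoder obfuscation marker, HTML embedding zero-size iframes, and files whose SHA-256 differs from a known-good manifest. The sample tree, its file contents and the manifest are constructed in a temporary directory, and the stock top-level file list is an assumption for the demo.

```python
"""Web-root triage for a compromised WordPress install (added example, not
from the write-up). Reports unexpected top-level PHP/HTML, obfuscation
markers, hidden zero-size iframes, and hash mismatches against a manifest.
The sample tree and manifest below are constructed for the demo.
"""
import hashlib
import os
import re
import shutil
import tempfile

# Top-level files a stock WordPress install ships (assumed list for the demo)
STOCK_TOP_LEVEL = {
    "index.php", "license.txt", "readme.html", "wp-activate.php",
    "wp-blog-header.php", "wp-comments-post.php", "wp-config.php",
    "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php", "wp-load.php",
    "wp-login.php", "wp-mail.php", "wp-settings.php", "wp-signup.php",
    "wp-trackback.php", "xmlrpc.php",
}
SCAN_EXT = {"php", "html", "htm", "txt"}

# eval() wrapped directly around a decoder is the usual shape of dropped, obfuscated PHP
OBFUSCATION_RE = re.compile(
    rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.I)
ATTR_RE = re.compile(rb'(\w+)\s*=\s*"([^"]*)"')


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root, manifest):
    """Return sorted (relative_path, reason) findings for the tree under root.

    manifest maps relative paths of known-good files to their expected SHA-256.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if "/" not in rel and ext in ("php", "html") and name not in STOCK_TOP_LEVEL:
                findings.append((rel, "unexpected top-level PHP/HTML file"))
            if rel in manifest and sha256_of(full) != manifest[rel]:
                findings.append((rel, "core file hash mismatch"))
            if ext not in SCAN_EXT:
                continue
            with open(full, "rb") as f:
                data = f.read()
            m = OBFUSCATION_RE.search(data)
            if m:
                findings.append((rel, "obfuscation marker: " + m.group(0).decode("latin-1")))
            for tag in IFRAME_RE.findall(data):
                attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
                if attrs.get(b"height") == b"0" and attrs.get(b"width") == b"0":
                    src = attrs.get(b"src", b"?").decode("latin-1")
                    findings.append((rel, "hidden zero-size iframe -> " + src))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed web root in a temp dir; returns (root, manifest)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    pristine_index = b"<?php\n// pristine core file (constructed)\nrequire __DIR__ . '/wp-blog-header.php';\n"
    pristine_quicktime = b"<?php\nclass getid3_quicktime {}\n"
    files = {
        "index.php": pristine_index,
        # core file from the write-up's list, with an appended line (constructed)
        "wp-includes/ID3/module.audio-video.quicktime.php": pristine_quicktime + b"echo 'x';\n",
        # dropped top-level file with an obfuscation marker (constructed)
        "x.php": b"<?php\n$c=\"aGk=\";eval(base64_decode($c));\n",
        # defacement page with a zero-size iframe (constructed src)
        "Pakistan_Zindabad.html": b"<html><body>Hacked<iframe src=\"https://example.invalid/hidden\" "
                                  b"height=\"0\" width=\"0\"></iframe></body></html>\n",
        "wp-content/plugins/example/example.php": b"<?php\n// ordinary plugin file (constructed)\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    # Known-good manifest: what the two core files should hash to
    manifest = {
        "index.php": hashlib.sha256(pristine_index).hexdigest(),
        "wp-includes/ID3/module.audio-video.quicktime.php": hashlib.sha256(pristine_quicktime).hexdigest(),
    }
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_sample_tree()
    try:
        for rel, reason in scan(root, manifest):
            print(f"{rel}: {reason}")
    finally:
        shutil.rmtree(root)
```

In real use, replace the constructed manifest with a real one: WordPress publishes per-release checksums for its core files, and WP-CLI's `wp core verify-checksums` compares an install against them, which covers core files such as the modified wp-includes/ID3 file above but not plugins or anything the attackers added. The unexpected-top-level and marker checks are what catch the dropped files in this write-up's list; treat every hit as something to examine by hand, since the marker check will also fire on some legitimate minified or packed code.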
