Hacked By An0n 3xPloiTeR, 8B0K3N H34R7, Team Pak Cyber Ghosts: Cyber Hack Forensic Examination

Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 Team Pak Cyber Ghosts [P.C.G], main message screen with running footer 1

This hack suspended the hosting account and the web site as a malware infected account. The hack set up a malware attack for anyone who visited the site, specifically targeting Windows. I am still trying to figure out how they got in, This is a Pakistani-based attack, or so their message says. I’ll try to document as much as I can to help others in the same situation.

The host provider froze the account, the WordPress site was taken down until I was able to clean up. The host provider then did a clean scan and we were back up. The site seems to not be damaged, but it did greatly concern the owner.

Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 Team Pak Cyber Ghosts [P.C.G]

Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 Team Pak Cyber Ghosts [P.C.G], dialog box 1

Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 Team Pak Cyber Ghosts [P.C.G], dialog box 2

Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 Team Pak Cyber Ghosts [P.C.G], main message screen with running footer 1, Pakistan-Zindabad.html

Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 Team Pak Cyber Ghosts [P.C.G], main message screen with running footer 2, Pakistan-Zindabad.html

Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 Team Pak Cyber Ghosts [P.C.G], main message screen with running footer 3, Pakistan-Zindabad.html

Here is the code for Pakistan-Zindabad.html:

<!Doctype html>
  <html>
    <head>
      <script>alert("Hacked By An0n 3xPloiTeR");</script>
      <script>alert("Team Pak Cyber Ghosts [P.C.G]");</script>
      <title> Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 </title>
    </head>

    <body bgcolor="black">
      <center><br><br><br><br>
      <font size="30" color="red" face="calibri"> Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 </font><br>
      <font size="30" color="red" face="calibri"> Team Pak Cyber Ghosts [P.C.G]</font><iframe src="https://www.youtube.com/embed/nPGIdTAeOSg?rel=0&autoplay=1&loop=1&playlist=nPGIdTAeOSg" allowfullscreen="" frameborder="0" height="0" width="0"></iframe><body bgcolor="black"><center><script language="JavaScript1.2">function ejs_nodroit(){alert(' Pakistan Zindabad <3 ');return(false);}document.oncontextmenu = ejs_nodroit;</script><br><br><font size="5" color="white" face="calibri"> Pakistan Zindabad  <quee></font><br></center>
    </body;/font><br><br><br><font size="5" color="white" face="calibri"> Greetz ~
    <marquee width="80%"># Shariq Maik | # Prinxe Haxi | # An0n 3xPloiTeR | # Unknown | # Wahab Hacker | # Rizi Haxor | # 8R0K3N H34R7 | # CYB3R71 | # 3htisham | # And All Muslims</mar>
  </html>

The accompanying music is a iframe set to zero, so it will not display, and a link to a Youtube video “Aye Watan Pyare Watan PAK Watan” by Ustad Amanat Ali Khan. Translation help from Google

اے وطن، پیارے وطن، پاک وطن، پاک وطن اے میرے پیارے وطن اے وطن پیارے وطن	O homeland, dear country, patriotism, patriotism O my beloved O my beloved homeland
تجھ سے ہے میری تمناؤں کی دنیا پرنور عزم میرا قوی، میرے ارادے ہیں غیور میری ہستی میں انا ہے، میری مستی میں شعور جاں فزا میرا تخیل ہے تو شیریں ہے سخن اے میرے پیارے وطن	You are from the world of my dreams My determination is my strength, my intentions I am in love with you, my consciousness If you have any imagination, then I will be happy O my beloved
اے وطن، پیارے وطن، پاک وطن، پاک وطن اے میرے پیارے وطن اے وطن پیارے وطن	O homeland, dear country, patriotism, patriotism O my beloved O my beloved homeland
تو دل افروز بہاروں کا تر و تازہ چمن تو مہکتے ہوئے پھولوں کا سہانا گلشن تو نواریز انا دل کا بہاری مسکن رنگ و آہنگ سے معمور ترے کوہ و دمن اے میرے پیارے وطن	So, the heartfelt flames of heartfelt spring So you have to spend the flowering flowers So, Anna, the daughter-in-law of the novice Exterior to color compassion O my beloved
اے وطن، پیارے وطن، پاک وطن، پاک وطن اے میرے پیارے وطن اے وطن پیارے وطن	O homeland, dear country, patriotism, patriotism O my beloved O my beloved homeland
میرا دل تیری محبت کا ہے جاں بخش دیار میرا سینا تیری حرمت کا ہے سنگین حصار میرے محبوب وطن تجھ پہ اگر جاں ہو نثار میں یہ سمجھوں گا ٹھکانے لگا سرمایہ تن اے میرے پیارے وطن	My heart is of love for you My love is a great part of your honesty Nisar, if my beloved homeland is on you I would understand that the investor would have stayed O my beloved
اے وطن، پیارے وطن، پاک وطن، پاک وطن اے میرے پیارے وطن اے وطن پیارے وطن	O homeland, dear country, patriotism, patriotism O my beloved O my beloved homeland

Infected Files:
Directories:

Commission
elements
id
images
pee
PRO
pro
r3w
r3w_config
sym
tmpl

Files in public_html

1484309152.php
amylucas.txt
an.php
ananazne.txt
apollog2.txt
asecondm.txt
clearpb4.txt
cp6.php
humaniv2.txt
ihungitu.txt
islandk2.txt
jpchoice.txt
kojotene.txt
ml.php
obf.php
obf.php
Pakistan_Zindabad.html
pantseat.txt
pixelau0.txt
plecosco.txt
saywhatd.txt
secretd4.txt
shell-mix.php
tomandm2.txt
toor.php
toservet.txt
traynedb.txt
wp-admin/includes/Mlslisting/validate.php
wp-content/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php
wp-includes/ID3/module.audio-video.quicktime.php
x.php

Some Messages in the files

spyrusss.php SPY US V0.1 CRACKER CPANEL CRACKER
skullcp.php cPanel Cracker | Pak Cyber SKULLZ, pakcyberskull@gmail.com
mass.php WordPress Mass Deface By An0n 3xPloiTeR
cp6.php Obfuscation provided by FOPO – Free Online PHP Obfuscator: http://www.fopo.com.ar/
an.php Albanian Hackers
ak.php Config Killer | Dar3wz
Pakistan_Zindabad.html Hacked By An0n 3xPloiTeR Team Pak Cyber Ghosts [P.C.G] Hacked By An0n 3xPloiTeR And 8B0K3N H34R7
Team Pak Cyber Ghosts [P.C.G] Pakistan Zindabad # Shariq Maik | # Prinxe Haxi | # An0n 3xPloiTeR | # Unknown | # Wahab Hacker | # Rizi Haxor | # 8R0K3N H34R7 | # CYB3R71 | # 3htisham | # And All Muslims
validate.php kingolivercoopers@gmail.com

Here are the IP addresses Involved, searched with IBM X-Force

52.10.88.182 Amazon Technologies US
77.29.208.126 MT-ADSL MK Republic of Macedonia Macedonia
81.171.81.79 Mudhook Marketing Amsterdam NL Netherlands
83.229.17.146 SkyVision Network Services BF Burkino-Faso Burkino-Faso
103.15.233.132 Vodien Internet Solutions Pte Ltd SG Singapore Risk 2.9 spam
103.15.233.133 Vodien Internet Solutions Pte Ltd SG Singapore
105.0.233.24 NEOTEL ZA South Africa South Africa
105.13.62.11 CELLC ZA South Africa malware
154.118.68.203 Spectranet NG Nigeria Risk 5.7 spam malware
161.132.96.1 Red Cientifica Peruana PE Peru
178.175.22.105 PTK Telekomi i Kosovës AL Albania Albania Risk 5.7 spam
185.61.137.173 BLAZINGFAST-20140620 NL Netherlands
185.188.216.63 AL-NPSHISP-20170206 AL Albania
195.211.23.206 RU-NETBRIDGE-PI-20130606 RU Russia Risk 5.7 bots
197.211.63.144 Globacom Limited NG Nigeria Nigeria Risk 10 spam malware
198.50.128.202 OVH Risk 4.3 bots
198.54.113.88 NAMEC-4 Namecheap CA
200.219.247.172 GRAAL BANCO IBI S.A. Br Brazil Risk 5.7 spam
200.219.247.175 GRAAL BANCO IBI S.A. Br Brazil
213.174.123.194 Hub One SA Fr France

Most Common User Agents
Mozilla/5.0 (Windows NT 6.1; rv:57.0) Gecko/20100101 Firefox/57.0 176
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 43
Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 23
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0 19
Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 13

Banning “20100101” would account for 68% of the UAs. Banning “62.0.3202.94” would account for another 23%. These UA’s however, are specific to this hack and are easily changed.

Cleaning

Gain FTP access
Have host do a scan and report of all suspect files
Examine and remove all suspect files
Have host do a final scan and unfreeze account
Check site for damage
Change passwords
Reinstall WordPress

Related posts:

Leave a Reply Cancel reply