You can also use the https://wpcerber.com/ free version, which is quite efficient.
We still don't know if OP has a WordPress problem or something else. They're apparently not willing to say what actually happened.
I doubt they really know. The panic of having the sites down causes people to abandon a logical process in hopes of getting things fixed quickly, trying the simplest suggestions they are given in hopes of a quick fix.
This has nothing to do with this thread; open a new one with full details on what you are trying to achieve.
I'm out for the next 2 days but:
Is the system leaky
Depends on what the dev who worked on your platform did. A malicious dev can add a backdoor. But it's impossible for us to tell you anything about it. Only someone with full access to your source can (and considering the amount of time it could take, it will only be paid work. It can take weeks/months to find a breach or a backdoor inside an application).
Still, you reinstalled 6 servers in different locations (so 6 root/admin passwords??!). You may try to set up a server independently of any other (and totally independent of your current Cloudmin which manages the whole). If the hackers can still operate, it shall narrow down to only 2 possibilities: your platform has a backdoor, or your home computer (or anything else you used to connect to your servers/Cloudmin) is infected by spyware (don't neglect this possibility).
Then, if you gave so much power to the Cloudmin admin account, maybe it could also be a "man in the middle" attack. But 2 installations… a MITM seems odd (especially for 500€), except if they were able to set it up easily.
Still, Cloudmin is irrelevant to the problem; if after a complete reinstallation of 6 servers the attackers can still perform whatever they want, according to me it's one of the 2 previous options I mentioned.
how did this happen
How could we say? We can only try to guess. We don't have access to anything, not even some pictures… A picture of the mail you received asking you for money can also give some clues, but it will not fix the problem.
Still, @ID10T gave you some indication about where to start.
I'm not English, nor Polish, sorry if it's not clear.
Is what system leaky? You've given us no information that could help determine what happened or how.
Webmin (and Cloudmin) has no currently known exploits, and it's been a few years since we've had known serious exploits. I don't know much about the WordPress ecosystem except for the plugins we use, so I can't say anything about what security issues might currently exist there. But you haven't given us any information to even help determine how your attacker got in and what they did.
So, I don't know what we're doing in this thread. We can't solve anything with no information.
Sadly the ransomware industry just gets more sophisticated. I knew decades back security was going to be a BIG career opportunity but I stopped looking into doing it further because I simply couldn't think like these (fill in the blank with your favorite term here). It really is a mindset. I personally just couldn't go down that rabbit hole.
Bottom line.
- Have backups and a good recovery plan.
- If possible send duplicate logs to another server.
- Get your customers taken care of.
- When the pressure is off, do the diagnostics.
I'm analyzing logs from one machine as to the attack, but I haven't come to a solution yet.
I have a lot of rules at the main router level and on individual servers.
Login is blocked only on designated IP addresses
To your WordPress sites, as the topic title suggests, which would indicate that it would be attacked by a password holder or a breach of that password, but I guess you mean the administration side of the sites, so it's possible that a WordPress plugin has allowed an internet user to run some code as root. But to be fair, you're not telling us what happened, which means everyone is guessing as to how you were breached.
Maybe you can share these logs and give us the list of IPs which are not suspicious.
Sorry, I'm reading again and realised I missed it, but you bought all of this (at least Sprzedaje.tv) from klbtheme.com?
Don't search further! The problem probably comes from here. Hire a competent dev and redo everything from scratch and it will be fine. The guy who sold you this gave you a site he can probably break over and over.
Checking deeper and we get: https://klbtheme.com/partdo/intro/ https://klbtheme.com/partdo/shop/
I don't understand the threat you are writing about?
What I mean is: you bought a site/template which is probably full of breaches. A hacky site purposely made to be hacked.
So, considering the enormous business you try to run, you would be better off hiring a full-stack dev (maybe a whole team) from your country with whom you can talk face to face, and redo the whole thing from scratch.
You are throwing out some serious allegations here.
Things like this open up the forum to libel allegations and possibly legal ramifications. "Probably" doesn't cut it unless you can provide further evidence.
It's one thing to accuse them of being sloppy, quite another to accuse them of illegal activity.
I just give my opinion, based on my extremely long experience on sites like klbtheme.com who pretend to sell wonders.
I have registered on so many "freelancer" platforms and talked with so many "devs" from Brazil to India, from China to Argentina…
"Devs" selling premade sites are extremely common, especially for WordPress. There are a lot of dirty businesses making dirty money on this kind of platform. I just want to make sure @biuro3 realises he has probably been a victim of it. I might be wrong, but I think I'm right. I don't know a lot of people who really made money on WordPress (there are always stories on the internet telling how someone made millions, but in reality we are usually far from it).
Again my opinion, I really say it nicely hoping to help, no madness here
(And as said above he can also share the logs)
Y'all are going crazy off-topic here.
If OP won't give us any information about what actually happened, it is pointless to try to make up explanations based on no data.
The first page on this website, klbtheme.com, wasn't attacked. Nothing happened to those domains, so I don't consider this information to be accurate.
What happened was that malware was installed and started sending spam. That's why I'm writing about this, because I'm surprised that not only one page was attacked, but several, and several servers. We're still analyzing the vulnerability that caused several servers to be attacked. I'll get back to you when we find anything.
Did you install a security plugin, something like Wordfence?
