Two unowned/unknown sites appear on MY SITES

Hi
I have got a serious security breach either related to my account on WPMU and/or a DNS hack of some sort or host malware or something. In WPMU MY WEBSITES a domain which I don't own has appeared: 'productfund.info'. When I looked this up with a whois about 2 hours ago when I first noticed it, I got:

Domain : productfund.io
Status : Live
Expiry : 2016-10-22

NS 1 : ns-845.awsdns-41.net
NS 2 : ns-59.awsdns-07.com
NS 3 : ns-1972.awsdns-54.co.uk
NS 4 : ns-1227.awsdns-25.org

Owner Name : Jonathan Sharratt
Owner Addr : Whois Protege / Obfuscated whois, Gandi, 63-65 boulevard Massena
Owner Addr : Paris
Owner Addr : FR

Check for 'productfund.ac' --- http://www.nic.ac/go/whois/productfund.ac
Check for 'productfund.sh' --- http://www.nic.sh/go/whois/productfund.sh

Now if I repeat the whois I get 'NOT FOUND'. Furthermore, the domain name has been completely released to general sale. Whereas 2 hours ago entering productfund.info into a browser would redirect to my production site it no longer does.

Then when I go to raise this issue and originally was going to file it under account/billing enquiry I got a drop down for the site selection that included 'test3.pospr.war.pl'. It no longer exists as a registered domain, but presumably, at some point in the past, you identified it as a site which I owned. So although I doubt if this is a hack of my WPMU account, it would help me to track down what on earth is going on if I could understand how you extrapolate this list of websites. I certainly didn't enter them all so you must do some kind of reverse domain lookup... what do you look up on, though? Is it based on a lookup of domains associated with the IP of the site I installed WPMU dashboard on? Is it looking up against my personal email address or name? It's important that I understand your query because if it's based on my personal details then I've got a potential identity theft issue; if it's just on my IP address then maybe it's just someone playing around with hacking nameservers. In which case, in this instance, I wouldn't know who to raise an issue with. There's nothing to prevent anyone registering a domain and pointing it at my static production IP? What's the motivation? Are they using it as a proxy server to launch some other attack? I have no idea?

Your prompt response is appreciated,

Phil

  • Rupok

    Hi Phil, hope you had a wonderful day.

    The first thing I'll suggest you do is close registration, both site and user registration. Then install a security plugin on your site. We have a very powerful plugin "WP Defender" which will help you in securing your site from attackers.

    Then you should contact your host for server logs to check from which IP addresses your site was accessed. If your DNS server is compromised, the company hosting your DNS can give you a better idea.

    If you are assuming your WPMU DEV account is compromised, can you immediately change your password and monitor your site for further changes?

    I'm looking forward to hearing from you and resolving this issue as soon as possible.

    Have a nice day. Cheers!
    Rupok

  • Phil

    1) I am paying $50 a month for this service which is more than I pay for ALL my other WordPress third-party services/products COMBINED including my hosting. WPMU has an excellent reputation and while I expect the nature of this query is somewhat outside of the scope of your expertise I do expect you to reply PROMPTLY and FULLY to simple queries about your account service and your plugins. I am clearly worried about this because it smells like something that's originated either from some host based malware, is a prelude to exploiting a vulnerability on my box to use as a proxy for a wider attack, or it's a simple random phishing attack? This is NOT an issue about name server hacking... anyone can set up a DNS entry to point to anywhere... the point is what is the motivation behind it. Is it hacking or just a mistake? What possible advantage could be gained from routing a rapidly registered then deregistered name pointing to my server?

    Your 365x7 Helpdesk service appears, sadly, to be equivalent to every other WordPress Community/product provider in that it seeks to filter out the dumb questions, provide 'stock answers' and simply ignore anything that would require them to escalate it to senior technical support. I know $50 a month may not be enterprise bucks but it's my largest outlay on the project and you've not met my expectations. Don't you even have a way for the client to categorize the impact/severity/urgency of the support request? I know you're not in the business of providing 'production support' but clearly in order for me to resolve this potential security threat I need your assistance to answer a very simple question about how you derive your MY SITE LIST.

    Checking my server logs... well, I have Fail2ban analyzing them and jailing repeated bot attempts at brute force mindless attacks on known vulnerabilities. But DNS forwarding will not show up in my server logs. I'm not kidding: when I first googled one of these phantom domains every one of the Google Page 1 Top 10 search results pointed at my site. Maybe it was a bit of free PR or someone demonstrating how an SEO wizard can manipulate the Google ranking algorithm.

    In addition, I might say, your advice to run the Defender Plugin (which I have used before and looks on the surface to be a mature and professionally developed product) hung at 50% scan completion for 4 hours before I canceled it. It MUST output a log somewhere but certainly I can't see any setting in the Plugin and a grep of the WordPress debug.log yields nothing on search string 'Defender'.

    I'm not asking you to debug this; I'm asking to be pointed in the right direction so I can debug it myself. If I don't

    I've lost too much time venting in the mail. If I don't receive a response within 2 hours I will escalate this, even if it means spamming every executive in your leadership team.

    Kind regards,

    Phil

  • Kasia Swiderska

    Hello Phil,

    I'm terribly sorry for the delay on our end. I'm subscribing to this thread so I will get mail notification when you post here.

    It would help if you could address my original query regarding how you derive the 'MY SITES' list in the first place?

    When you install the WPMU DEV Dashboard plugin and then log in to it with your WPMU DEV account credentials, the site is registered here and shows up on the MY SITES list.
    Please go here https://premium.wpmudev.org/hub/account/ and reset your API key; this way you will be logged out from all websites where your account was used.

    I've looked in our system at this site productfund.io and it has our plugins (including new ones) and themes installed, so it looks like someone is using that site with your account details.

    Please reset your API key and change your password to WPMU DEV account.
    Is it possible that someone could gain access to your old website where you had installed the WPMU DEV Dashboard plugin?

    Kind regards,
    Kasia
