Spam & Viruses

I use ImunifyAV. For me it's been very effective in finding compromised files.
 
I just visited the website.
This time my Malwarebytes warned and blocked access to cachewebspace.com and an IP address belonging to that. However, after that the website did load.

So I tried to determine if it was the website, or that cache site.
I can use either the IP address of cachewebspace.com or the domain name, but in both cases (so also the main domain name) Malwarebytes hits with a trojan warning. So even without his website, which makes me think it's this site causing the issue.

So imho it must be coming from that cache site. However, he does not know where that is coming from.
He is using the Nitropack plugin, which is a cache plugin, but I don't know if that is using cachewebspace.com or where else this could be coming from. Fact is that this domain (cachewebspace) was only registered on the 17th of last month.

The plugin is now disabled, but mails are still being sent, so the site may already have done its bad work on the website.
Wordfence is also in place and the core files have been newly overwritten.

Maybe it's coming from a leaky theme, because the malware hits directly at the main page already.
 
Looks like just another hacked WordPress site. (This happens a lot.)

Rebuild the website and recreate the package from the website in DA.

Think the server is just fine.
 
Think the server is just fine.
Yes, it's just 1 site; it happens a lot indeed. The core WP files were already overwritten with new ones, which is why I think it might be a leaky theme if there are no other add-ons present.
He might be able to rebuild or use an older backup, but it's better to see exactly where it's coming from, for example by checking which script or plugin or whatever is sending the mails. So after restoration or rebuilding, this can be prevented from happening again in the future.
 

Indeed a malicious site

Important for everybody that uses WordPress
  • Update regularly
  • Download a firewall like Wordfence
  • Lock down the uploads folder
  • Make sure you can't upload PHP etc. on your site
  • Do vulnerability scans to see if you have known issues
  • Use 2FA
  • Change the login path
  • Don't use the username admin
  • Don't use a plugin? Remove it, not only deactivate it
  • NEVER USE NULLED PLUGINS / THEMES, these mostly have backdoors
  • And much more haha
 
Yep. Question is where is it coming from in his site. Since the cache plugin is disabled it must be one or more infected files, probably theme or plugin as this happens the most.
 
FTP download all files, then run Agent Ransack for example to search all the files for the URL.

But most likely a core WordPress file that keeps getting code injected.

And the official plugin doesn't work with this domain.

NDSW/NDSX (SocGholish) has a new domain cachewebspace[.]com since Jan 15, 2023. https://urlscan.io/search/#cachewebspace.com
And there is a new wave of NDSJ infections. Sucuri SiteCheck detections of this malware doubled this week.
Re: https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign.html

Source:
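Two of the checks recommended in this thread, the search of a downloaded copy of the site for the URL (this post) and the "no PHP in the uploads folder" item from the hardening list earlier in the thread, as one small POSIX shell script. This is an added example, not code from the thread, from DirectAdmin or from any tool named here; the site tree it builds with mktemp is constructed sample data, and cachewebspace.com is used as the indicator only because it is the domain discussed above.

```shell
#!/bin/sh
# Added example: triage a downloaded copy of a WordPress site.
# Assumptions: POSIX sh with grep -r/-I, find and mktemp available.
# Each check prints the matching paths and leaves the number of hits in HITS.

# Search every text file under <site_root> for a fixed indicator string
# (a domain or hostname seen in injected code). Binary files are skipped.
find_indicator() {
    root=$1
    needle=$2
    matches=$(grep -rIlF -- "$needle" "$root" 2>/dev/null || true)
    HITS=$(printf '%s\n' "$matches" | grep -c . || true)
    [ -n "$matches" ] && printf '%s\n' "$matches"
    return 0
}

# List PHP files below wp-content/uploads. That directory should hold media
# only, so any .php/.phtml/.php5-style file there deserves a close look.
php_in_uploads() {
    root=$1
    found=$(find "$root/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null || true)
    HITS=$(printf '%s\n' "$found" | grep -c . || true)
    [ -n "$found" ] && printf '%s\n' "$found"
    return 0
}

# Build a constructed sample site so the script runs offline:
# one clean core file, one theme script carrying the indicator domain,
# one PHP file hidden in uploads and one genuine image.
make_sample_site() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-includes" \
             "$dir/wp-content/themes/example/js" \
             "$dir/wp-content/uploads/2023/01"
    printf '<?php echo "clean core file"; ?>\n' > "$dir/wp-includes/clean.php"
    printf 'var s=document.createElement("script");\ns.src="https://cachewebspace.com/x.js";\n' \
        > "$dir/wp-content/themes/example/js/main.js"
    printf '<?php /* constructed sample: PHP where only media belongs */ ?>\n' \
        > "$dir/wp-content/uploads/2023/01/image.php"
    printf 'GIF89a' > "$dir/wp-content/uploads/2023/01/real.gif"
    printf '%s' "$dir"
}

# Stand-alone run: build the sample, run both checks, clean up.
site=$(make_sample_site)
echo "== files referencing cachewebspace.com =="
find_indicator "$site" cachewebspace.com
echo "== PHP files under wp-content/uploads =="
php_in_uploads "$site"
rm -rf "$site"
```

Point both functions at the directory the FTP download landed in instead of the sample; a hit from find_indicator tells you which theme or plugin file carries the injected loader, and a hit from php_in_uploads is a file that no legitimate upload should have produced.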
 

  • Update every day *mainly automatic
  • Using Wordfence
  • File permissions on all files and folders
  • No PHP, also when I use custom for small changes inside WP?
  • Trying to understand the vulnerability with Wordfence and trying other ways
  • Always doing a special folder login
  • Login path no longer wp-admin
  • Never admin
  • All themes, plugins etc. that are not used are deleted
  • Never ever nulled

Going to research the whole install...
 

The strange part is about the emails: they are not from the site that is infected. The other site that keeps spamming is another site, but that one seems totally clean?
 
The other site that keeps spamming is another site but that one seems totally clean?
You really have to investigate via the logs and the mail queue manager. See if it's authenticated mail or PHP mail, and if it's PHP mail you can find what is spamming.
ClamAV and also Maldetect can not always detect really everything, so something can still be infected.
So this is why you have to check the Exim logs and mail queue for exactly where it's coming from, which script, or how it's done, so you can fix things. This needs to be done soon, because if you get on more blacklists, like the MS one (maybe you already are), it can be hard to get off there if fixing things takes too long.
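One way to do the log check described above, as an added example (not the thread's own commands and not DirectAdmin's or Exim's code): an awk pass over the "<=" arrival lines of Exim's mainlog that sorts senders into local/script injections (P=local, the path PHP mail() takes through sendmail), authenticated SMTP logins (an A= tag) and everything else, plus a helper that pulls the X-PHP-Originating-Script header PHP adds when mail.add_x_header is on. The U=, P= and A= tags are Exim's own log fields; the log lines and header dump below are constructed samples, not from a real server.

```shell
#!/bin/sh
# Added example: attribute mail injections in an Exim mainlog.
# Assumes the standard Exim "<=" (arrival) line layout:
#   date time msgid <= sender [H=host [ip]] [U=localuser] P=protocol [A=auth] S=size ...
# The sample log and header dump are constructed, not taken from a real server.

# Usage: sender_summary <mainlog>
# Prints "count kind identity", most frequent first. kind is one of
#   local/script     P=local: injected by a local user (PHP mail(), cron, ...)
#   authenticated    SMTP carrying an A= authenticator tag (a mailbox login)
#   unauthenticated  anything else (inbound SMTP, bounces)
sender_summary() {
    awk '
        / <= / {
            proto = ""; user = ""; auth = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^P=/) proto = substr($i, 3)
                else if ($i ~ /^U=/) user = substr($i, 3)
                else if ($i ~ /^A=/) auth = substr($i, 3)
            }
            if (proto == "local")   { kind = "local/script";    ident = user }
            else if (auth != "")    { kind = "authenticated";   ident = auth }
            else                    { kind = "unauthenticated"; ident = $5 }
            count[kind " " ident]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# Usage: exim -Mvh <msgid> | originating_script
# Prints the uid:script value of X-PHP-Originating-Script, if the header is present.
originating_script() {
    sed -n 's/^X-PHP-Originating-Script:[[:space:]]*//p'
}

# Constructed mainlog: three local injections by the web account, one real
# authenticated login, one inbound bounce and one delivery line (ignored).
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2023-01-16 03:12:44 1pHabc-0001Zx-3K <= web1@server.example U=web1 P=local S=1834 id=a1@server.example
2023-01-16 03:12:45 1pHabd-0001Zy-7Q <= web1@server.example U=web1 P=local S=1840 id=a2@server.example
2023-01-16 03:12:46 1pHabe-0001Zz-9R <= web1@server.example U=web1 P=local S=1811 id=a3@server.example
2023-01-16 03:13:01 1pHabf-0002Aa-1B <= bob@example.com H=(client) [198.51.100.7] P=esmtpsa X=TLS1.2 A=login:bob@example.com S=2210
2023-01-16 03:13:05 1pHabg-0002Ab-2C <= <> H=mx.example.net [203.0.113.9] P=esmtp S=4020
2023-01-16 03:13:06 1pHabg-0002Ab-2C => alice@example.com R=localuser T=local_delivery
EOF
    printf '%s' "$f"
}

# Constructed header dump in the shape `exim -Mvh` prints for a PHP-originated message.
SAMPLE_HEADERS='Received: from web1 by server.example with local (Exim 4.96)
X-PHP-Originating-Script: 1001:wp-load.php
From: web1@server.example
Subject: constructed sample'

# Stand-alone run
log=$(make_sample_log)
echo "== who injected mail =="
sender_summary "$log"
echo "== script behind a local message =="
printf '%s\n' "$SAMPLE_HEADERS" | originating_script
rm -f "$log"
```

On a real box, run sender_summary against /var/log/exim/mainlog (as root); a local/script entry with a large count is the account whose PHP is sending. Take one of its message IDs from the log, feed the headers from exim -Mvh into originating_script, and the value tells you which script under that account produced the mail; if the header is missing, mail.add_x_header was off and needs turning on in that account's PHP settings before the next wave.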
 
I'm on the blacklist of Gmail.

What would be the commands in Linux to check these logs?

Or where in the DirectAdmin interface could I find these?

I've downloaded the whole site (the one with the virus) and scanned it with my virus scanner. There were like 202 trojan horses in it.
Probably a leaking plug-in from the company that hired another company that doesn't know how to write code, while the leak spread.

But that site is now 100% safe and I did a lot more safety measures to prevent as much as possible.
 
What would be the commands in Linux to check these logs?
You can't find them in the DA interface; for the /var/log files you need to work via the console.
You could, as root, go to /var/log/exim and use less mainlog, if you're on a RHEL-based system at least.

However, it might be better to ask or hire somebody to investigate for you if you don't know the Linux basics.
There were like 202 trojan horses in it.
OMG. That's a huge number.

If you think all is safe now, then the trick is to find out if the system is still sending mail. First remove all bad mails from your mail queue, as it will keep trying to send them for some time. So removing those is the first part.
And then monitor if more mail is sent.

If not, then you might be delisted; you might need to fill in a form, depending on whether Gmail did a temporary block or a definite block.
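For the "first remove all bad mails from your mail queue" step, an added example (not the thread's own commands and not DirectAdmin's or Exim's code): a small parser for the listing `exim -bp` prints, which shows which envelope senders dominate the queue, extracts the message IDs for one sender and lists frozen messages, so the IDs can be reviewed and then handed to exim -Mrm. The queue listing below is a constructed sample in the layout exim -bp uses; the removal itself is only printed as a command, not executed.

```shell
#!/bin/sh
# Added example: pick messages out of an Exim queue listing for removal.
# `exim -bp` prints one header line per message,
#   <age> <size> <message-id> <envelope-sender> [*** frozen ***]
# followed by one indented line per recipient and a blank line.
# The listing built below is a constructed sample, not a real queue.

# Usage: queue_senders <listing-file>
# Prints "count <sender>" for each envelope sender, largest first.
queue_senders() {
    awk '$4 ~ /^<.*>$/ { c[$4]++ } END { for (s in c) print c[s], s }' "$1" | sort -rn
}

# Usage: queue_ids_for <listing-file> <sender-regex>
# Prints the message IDs whose envelope sender matches the awk regex.
queue_ids_for() {
    awk -v pat="$2" '$4 ~ /^<.*>$/ && $4 ~ pat { print $3 }' "$1"
}

# Usage: frozen_ids <listing-file>
# Prints the message IDs Exim has frozen (typically bounces it cannot deliver).
frozen_ids() {
    awk '$4 ~ /^<.*>$/ && /\*\*\* frozen \*\*\*/ { print $3 }' "$1"
}

# Constructed queue: two messages from the web account (one frozen) and one
# legitimate message from a mailbox user.
make_sample_queue() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
 25m  1.5K 1pHabc-0001Zx-3K <web1@server.example>
          victim1@example.org
          victim2@example.org

 24m  1.5K 1pHabd-0001Zy-7Q <web1@server.example> *** frozen ***
          victim3@example.org

 10m  2.2K 1pHabf-0002Aa-1B <bob@example.com>
          alice@example.com

EOF
    printf '%s' "$f"
}

# Stand-alone run
q=$(make_sample_queue)
echo "== queue by envelope sender =="
queue_senders "$q"
echo "== IDs sent by the web account =="
queue_ids_for "$q" 'web1@'
echo "== frozen messages =="
frozen_ids "$q"
echo "== removal commands to run as root after reviewing the IDs =="
printf 'exim -Mrm %s\n' $(queue_ids_for "$q" 'web1@')
rm -f "$q"
```

On the server, capture the live listing with exim -bp > /root/queue.txt and run the same functions on that file; exim -bpc gives the total count to watch afterwards, and if new IDs from the same account keep appearing after the cleanup, the sending script is still in place and the log check from earlier in the thread is the next step.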
 
OMG. That's a huge number.
True, but it was actually more. I scanned it in parts, but the last one, when everything was downloaded, was 202; before that a few times 20, 30 or 40 or so. So it was totally f..... (can't think I can or may say that word).

I do know Linux, just have to get more into it. I am learning, so if I get the basic info I Google as much as I can to understand it. But this was so strange and complex, still is more or less, so I had to ask. Thank you all for all the help you guys are offering. Learned a lot!
 
had to ask
Asking is never a bad thing. We're here to help.
And if you want to learn some more Linux, maybe it's an idea to use an old unused PC or install VirtualBox on Windows, and then you can use and play with the Linux console. And if a mistake is made, no problem: remove, new installation, with a VM that's very quick.
And then back to it.

For DA you can always come over here, always welcome. ;)
 
You could also get a cheap VPS to practice with a real throw-away server. You can easily reinstall or restore from a backup if something gets messed up.
 