SH4LL AAF_Xploiter - PC✗3

The shell contains an interesting feature: it logs every action performed through the script and emails the attacker the IP address the request came from, together with the path that was accessed.

Because of this, the email messages let us see every path that was viewed or modified:

cPanel Track Delivery

Because delivery of these emails failed, they bounced to the account's default cPanel mailbox, so we could log in and read them:


From these emails we can extract the full list of paths the shell visited and sort it into two groups:

1. Paths owned by the cPanel user, which the attacker could have modified:

/home/XXXX/XXXXXXXX/.wp-cli
/home/XXXX/XXXXXXXX/wp-content/themes/twentytwenty/assets/js
/home/XXXX/XXXXXXXX/wp-content/themes/twentytwenty/assets/images
/home/XXXX/XXXXXXXX/wp-content/themes/twentytwenty/assets/fonts
/home/XXXX/XXXXXXXX/wp-content/themes/twentytwenty/assets/css
/home/XXXX/tmp/webalizerftp
/home/XXXX/tmp/webalizer
/home/XXXX/tmp/pma_template_compiles_XXXX
/home/XXXX/tmp/awstats
/home/XXXX/tmp/analog
/home/XXXX/XXXXXXXX/wp-content/uploads
/home/XXXX/XXXXXXXX/wp-content/upgrade
/home/XXXX/XXXXXXXX/wp-content/themes
/home/XXXX/XXXXXXXX/wp-content/plugins
/home/XXXX/XXXXXXXX/wp-content/mu-plugins
/home/XXXX/XXXXXXXX/wp-content/maintenance
/home/XXXX/XXXXXXXX/wp-content/languages
/home/XXXX/XXXXXXXX/wp-content/maintenance/assets/images
/home/XXXX/XXXXXXXX/wp-content/maintenance/assets/fonts
/home/XXXX/.cagefs/var/spool
/home/XXXX/.cagefs/var/run
/home/XXXX/.cagefs/var/php
/home/XXXX/.cagefs/var/log
/home/XXXX/.cagefs/var/cpanel
/home/XXXX/.cagefs/var/cache
/home/XXXX/XXXXXXXX/.wp-cli/cache/core
/var/cpanel/userdata/XXXX

2. Paths owned by root, which a user should never be able to modify:

/usr/src/litespeed-wp-plugin
/var/tmp/alfacgiapi
/var/php/apm
/opt/suphp/sbin
/opt/plesk/php
/opt/imunify360/lib
/opt/MegaRAID/MegaCli
/var/run/sepermit
/var/run/screen
/var/run/postgresql
/var/lib/spamassassin/compiled
/var/lib/spamassassin/3.004004
/var/lib/spamassassin/3.004003
/var/lib/spamassassin/3.004002
/var/lib/net-snmp/mib_indexes
/var/lib/net-snmp/cert_indexes
/var/lib/proxyexec/cagefs.sock
/var/cpanel/php/sessions
/dev/shm/lsws
/var/run/nscd
/var/run/net-snmp
/var/run/faillock
/var/run/dbus
/var/run/console
/var/run/cagefs
/usr/libexec/utempter
/usr/libexec/openssh
/usr/libexec/openldap
/usr/libexec/mc
/usr/libexec/git-core
/usr/libexec/getconf
/usr/libexec/gcc
/usr/libexec/dovecot
/usr/libexec/coreutils
/usr/libexec/awk
/proc/net
/proc/sys
/proc/self
/proc/80931
/proc/171912
/opt/suphp
/opt/rh
/opt/liblve
/opt/cloudlinux-linksafe
/opt/cloudlinux
/opt/app-version-detector

Then check whether any of the root-owned paths exposed sensitive information, or were actually modified by the attacker.
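As an added example (not code from this post or from the shell itself), the triage script below does the three steps above: it pulls the attacker IP and path out of each bounced log mail, sorts the unique paths into the user-owned and root-owned groups, and flags anything changed since the shell was first seen. The `IP:` / `Path:` body layout, the sample mails and the ownership and timestamp tables are constructed assumptions (the page does not show the real message format); on the real host drop the fake tables and let the functions fall back to `os.lstat`.

```python
"""Triage bounced log mails from a web shell that emails the attacker the
requester's IP and every path it touched (SH4LL AAF_Xploiter).

Added example, not the post's or the shell's code. The "IP:" / "Path:" body
layout is an assumption; adapt LOG_RE to the mails in your own mailbox."""
import os
import re
from email import message_from_string
from email.message import Message

# Constructed sample bounces in the assumed layout (not real captured mail).
SAMPLE_MAILS = [
    "From: MAILER-DAEMON@host.example\nSubject: Undelivered Mail Returned to Sender\n\n"
    "AAF_Xploiter log\nIP: 203.0.113.7\nPath: /home/user1/public_html/wp-content/plugins\n",
    "From: MAILER-DAEMON@host.example\nSubject: Undelivered Mail Returned to Sender\n\n"
    "AAF_Xploiter log\nIP: 203.0.113.7\nPath: /opt/imunify360/lib\n",
    "From: MAILER-DAEMON@host.example\nSubject: Undelivered Mail Returned to Sender\n\n"
    "AAF_Xploiter log\nIP: 198.51.100.9\nPath: /home/user1/public_html/wp-content/plugins\n",
]

# Assumed log layout: an "IP:" line immediately followed by a "Path:" line.
LOG_RE = re.compile(r"^IP:\s*(?P<ip>[0-9a-fA-F.:]+)\s*\nPath:\s*(?P<path>/\S+)", re.M)


def _body_text(msg):
    """Concatenate the text/plain parts of a parsed message (bounces are often multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def extract_hits(messages):
    """Return (ip, path) pairs from raw mail strings or Message objects, in mailbox order."""
    hits = []
    for raw in messages:
        msg = raw if isinstance(raw, Message) else message_from_string(raw)
        for m in LOG_RE.finditer(_body_text(msg)):
            hits.append((m.group("ip"), m.group("path")))
    return hits


def _stat_owner(path):
    """Owner uid of path without following symlinks; None if it no longer exists."""
    try:
        return os.lstat(path).st_uid
    except OSError:
        return None


def group_by_owner(paths, owner_of=_stat_owner):
    """Sort unique paths into the post's two groups, plus paths that are gone."""
    groups = {"user": [], "root": [], "missing": []}
    for path in sorted(set(paths)):
        uid = owner_of(path)
        key = "missing" if uid is None else ("root" if uid == 0 else "user")
        groups[key].append(path)
    return groups


def _stat_change_time(path):
    """Newest of mtime and ctime: ctime survives an attacker resetting mtime with touch."""
    try:
        st = os.lstat(path)
        return max(st.st_mtime, st.st_ctime)
    except OSError:
        return None


def changed_since(paths, since_epoch, change_time_of=_stat_change_time):
    """Unique paths touched on or after since_epoch (when the shell was first seen)."""
    out = []
    for path in sorted(set(paths)):
        t = change_time_of(path)
        if t is not None and t >= since_epoch:
            out.append(path)
    return out


# Constructed ownership and timestamp tables standing in for os.lstat on the
# compromised host, so the example runs on any machine.
FAKE_OWNERS = {"/home/user1/public_html/wp-content/plugins": 1001, "/opt/imunify360/lib": 0}
FIRST_SEEN = 1_700_000_000
FAKE_CHANGED = {"/home/user1/public_html/wp-content/plugins": FIRST_SEEN + 3600,
                "/opt/imunify360/lib": FIRST_SEEN - 86400 * 30}

if __name__ == "__main__":
    hits = extract_hits(SAMPLE_MAILS)
    paths = [p for _, p in hits]
    print("attacker IPs:", sorted({ip for ip, _ in hits}))
    for name, group in group_by_owner(paths, owner_of=FAKE_OWNERS.get).items():
        print(f"{name}: {group}")
    print("changed since first seen:", changed_since(paths, FIRST_SEEN, FAKE_CHANGED.get))
```

On the real host, feed the cPanel mailbox in with `mailbox.mbox('/home/USER/mail/inbox')` (its messages can be passed straight to `extract_hits`) and call `group_by_owner` and `changed_since` without the fake tables. Note that a root-owned path showing up as changed after the shell's first request is far more alarming than a user-owned one, because it means the attacker got past the cPanel user.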

In my case, all edit attempts were blocked, but other information that could potentially be misused, such as service and PHP settings, was exposed.

If you come across this malware, be sure to check all of the paths above and completely clean your WordPress website as explained in: How to clean up a hacked WordPress site (Complete Guide)


Source code:

whoami
Stefan Pejcic