See: http://killmalware.com/wordpress-themes.us/#
As always, the defacement is not detected on VT: https://www.virustotal.com/en-gb/url/c05fb265e9fec4c47364c91c391b5fcf70a7f4a5142a4a50c85e90fa40e879d8/analysis/1434984812/
Web site defaced. Details: http://sucuri.net/malware/entry/MW:DEFACED:01
Hacked By nXu
WordPress Version
3.8.8
Version does not appear to be latest 4.2.2 - update now.
How the hack was probably being performed: via Directory Indexing being enabled
In the test we attempted to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is an information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.
/wp-content/uploads/ enabled
/wp-content/plugins/ disabled
See source: http://fetch.scritch.org/%2Bfetch/?url=+http%3A%2F%2Fwordpress-themes.us&useragent=Fetch+useragent&accept_encoding=
Defacement Check:
Suspicion of Defacement
atilxrdk/s36/12.gif"> hacked by nxu html,body{margin:0;padding:0;}#t…
Site-wide check: suspicious
gnc8iauovy2lgqi5g2-ctosa7fxq">hacked by nxu
The hack code was found to reside at: htxp://5.172.198.110/cgi-sys/defaultwebpage.cgi
[ + ] 1n73ct10n Shell V3.3 [ + ] (-> http://paste.security-portal.cz/view/67ff0644 )
wXw.medisales.gr/system/injek.php?y=/…
Via cgi-sys and img-sys for defaultwebpage.cgi, via go.cpanelnet/cleardns.cache, webmaster@PC etc. That is how this is being performed.
FILE##_index_defaultpage.html 0 0 0 1 1 0 0 0 -1 0 0 0 0 0 1
FILE##IP_changed.png 0 0 0 0 1 0 0 0 -1 0 0 0 0 0 0
FILE##server_misconfigured.png 0 0 0 0 1 0 0 0 -1 0 0 0 0 0 0
FILE##server_moved.png 0 0 0 0 1 0 0 0 -1 0 0 0 0 0 0
FILE##powered_by_cpanel.png 0 0 0 0 1 0 0 0 -1 0 0 0 0 0 0
polonus (volunteer website security analyst and website error-hunter)
Here my good friends we see how Avast could detect this for
Such patterns could be detected, a noble task for the new HIPS!
Moreover read this advice here: https://blog.avast.com/2014/11/21/how-to-change-your-router-dns-settings-and-avoid-hijacking/ (info credits go to LISANDRO CARMONA ).
pol
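The two checks the post reports (WordPress version behind the latest release, and directory indexing enabled on /wp-content/uploads/ but not /wp-content/plugins/) can be re-run offline. The script below is an added example, not polonus's tool or any Avast code: it works on constructed HTML responses embedded in the file instead of fetching the site, and it assumes 4.2.2 as the "latest" version only because that is the figure quoted above.

```python
"""
Added example (not part of the original forum post): re-implementation of the
WordPress version check and the directory-indexing check from the post, run
over constructed HTML samples so it executes offline.
"""
import re

# "Latest" WordPress release as quoted in the post; an assumption for this example.
LATEST_WP = (4, 2, 2)

# WordPress advertises its version in a generator meta tag unless the theme removes it.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)["\']',
    re.IGNORECASE,
)

# Markers of an auto-generated directory listing (Apache mod_autoindex, nginx autoindex).
INDEX_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.IGNORECASE),
    re.compile(r"<h1>\s*Index of /", re.IGNORECASE),
    re.compile(r'<a href="\.\./">\.\./</a>', re.IGNORECASE),   # nginx listing
)


def parse_version(text):
    """'3.8.8' -> (3, 8, 8) so that 4.10 compares greater than 4.2."""
    return tuple(int(p) for p in text.strip().split("."))


def wp_version(html):
    """Return the WordPress version advertised by the page, or None if hidden."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def is_outdated(version, latest=LATEST_WP):
    """True when the advertised version is older than the reference release."""
    return parse_version(version) < latest


def directory_listing_enabled(html, status=200):
    """True when a 200 response body looks like a server-generated index page."""
    if status != 200:
        return False
    return any(p.search(html) for p in INDEX_MARKERS)


def audit(home_html, uploads_html, plugins_html):
    """Produce findings in the same wording the post's scan used."""
    findings = []
    version = wp_version(home_html)
    if version and is_outdated(version):
        latest = ".".join(str(n) for n in LATEST_WP)
        findings.append(
            f"WordPress {version} does not appear to be latest {latest} - update now")
    for path, html in (("/wp-content/uploads/", uploads_html),
                       ("/wp-content/plugins/", plugins_html)):
        state = "enabled" if directory_listing_enabled(html) else "disabled"
        findings.append(f"{path} {state}")
    return findings


# Constructed sample responses (not captured from the site in the post).
HOMEPAGE = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 3.8.8" />
<title>Example</title></head><body></body></html>"""

UPLOADS_LISTING = """<html><head><title>Index of /wp-content/uploads</title></head>
<body><h1>Index of /wp-content/uploads</h1>
<a href="/wp-content/">Parent Directory</a>
<a href="2015/">2015/</a></body></html>"""

# WordPress ships an empty index.php in plugins/, so a request there returns a blank page.
PLUGINS_BLANK = "<html><body></body></html>"


if __name__ == "__main__":
    for line in audit(HOMEPAGE, UPLOADS_LISTING, PLUGINS_BLANK):
        print(line)
```

The fix for the enabled listing is to turn off auto-indexing on the web server (`Options -Indexes` in an Apache .htaccess or vhost, `autoindex off;` in nginx) or to drop an empty index.php/index.html into the uploads folder as WordPress already does for plugins; after that the check above reports "disabled".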