WordPress hack plugin GroupDocs

One of my wordpress blogs got hacked.  I was notified by google

I was apprehensive about accessing the site from my computer so i checked it out from my smartphone.  I figured most current malware attempts to download and install on windows systems, but are usually not smart enough to infect two different platforms (windows AND android).  The site seemed fine, but I am sure there is something wrong.  So I logged into the server.  The dates look a little suspcious but I the actual php files looked find.

I noticed a pattern with the dates that the files were access.  I am seeing scores of files/folders that have been “touched” and have the same date/time stamp Nov 22, 2015 12:00.  You only see that many files changed at once when a script does it.  I focused on those files and I can see that MOST of the Nov 22 1200 date/time stamps are on ONE plugin:   plugin GroupDocs.  I look at the error log:

INFO Started brute forcing.

INFO checking: drinkmusiccity.com, david, david
INFO checking: farmofpeace.com, salima, salima
INFO checking: fayjames.com, fay, fay
INFO checking: fantasyassembly.com, kevin-j, kevin-j
INFO checking: fionaraven.com, fiona, fiona
INFO checking: fishinglakes.com, Colby, Colby
INFO checking: firetown.com, firetown, firetown
INFO checking: fontainetours.com, claudia, claudia
INFO checking: foreverboundadoption.org, designteam, designteam
INFO checking: fotoparisberlin.com, amelie, amelie
INFO checking: frabonisdeli.com, bennett-fraboni, bennett-fraboni
INFO checking: freeloveforum.com, anne, anne
INFO checking: funkatech.com, incyte, incyte
INFO checking: futurist.com, brenda-cooper, brenda-cooper
INFO checking: futebolnas4linhas.com, ingrid-carvalho, ingrid-carvalho
INFO checking: freedomnewton.com, pastorc, pastorc
INFO checking: k-bell.co.jp, kohei, kohei
INFO checking: katrinakaif.co.uk, harish, harish
INFO checking: kcfw.de, c-mohr, c-mohr
INFO checking: kazu.co.nz, staff, staff
INFO checking: keneally.com, samcniotktaetl, samcniotktaetl
INFO checking: keratoconus.com.au, jim, jim
INFO checking: fundacjadantian.com, fundacjadantian, fundacjadantian
INFO checking: kibi-group.com, kibi, kibi

I look up the plugin GroupDocs.  I has had a MAJOR compromise:


It is being used as a backdoor into WordPress.  Honestly, I don’t remember even installing it.  I am not sure if it came with the theme I installed or what.  I start checking all more other blog’s plugins.  I don’t see it any where else.  Upon further inspection of the plugin, I can clearly see the PHP backdoor code:

sending: {
  "type" : "WPBF_RESPONSE",
  "linkPasses" : [
      "site" : "farmofpeace.com",
      "user" : "salima",
      "pass" : "salima"

      "site" : "i-entertainment.co.uk",
      "user" : "nicolai2014",
      "pass" : "nicolai2014"

      "site" : "020haopai.com",
      "user" : "siteadmin",
      "pass" : "siteadmin"

      "site" : "zargarcarpet.com",
      "user" : "akeel",
      "pass" : "akeel"

      "site" : "haubstadtsommerfest.com",
      "user" : "joeyconti",
      "pass" : "joeyconti"

Starting brute forcing WordPress
CURRENT TIME: 2015-11-20 15:47:06
CURRENT TIME: 2015-11-20 15:47:37
CURRENT TIME: 2015-11-20 15:48:08
CURRENT TIME: 2015-11-20 15:48:39
Child dead. Reading response: 
Done. read: 0 bytes

The Fix Action:

Warning fake google chrome update

**Sent from a subscriber**

I was surfing the Internet and I found following bad link: http://www.1zoom.net/ Cities /wallpaper/306150/z904/


As I was trying to move my cursor to get out of the site, another tab popped up saying that I must update my google chrome.  I closed it.  internet-fraud-2

I tried opening the tabs once more with the website to confirm if my suspicion was right.  It led me to another tab that was asking me to download a software in my toolbar.  I have not taken the screenshot on that one.  I went back to my computer history to search for that specific link and it was not there anymore.  A warning of a virus appeared in my screen. That is really scary. Always be cautious and careful while browsing online.


Reporting mail fraud : Corporate Controllers Unit

Years ago, I started a small business under a corporation for my websites. mail-fraud I received a letter twice from “Corporate Controllers Unit”. They were charging us $225.00 charges for annual corporate fees.  Just a few minutes of research revealed that this is a scam.

The letter threatens that if you don’t pay “Delinquent” but at the end of the letter they state that do not represent any branches of the government:

“This product or service has not been approved or endorsed by any Government Agency and this offer is not being made by an agency of the Government. U.S.C.39.6.3001(d). This is a solicitation for the order of services, and not a bill, invoice , or a statement of acocunt due. You are under no obligation to make any payments on account of this offer.”mail-fraud

shipping.com Extra Fee

Months ago, I was doing some shopping in burlingtoncoatfactory.com. They had a sale and had so many items with quality. I finally decided to give a try and ordered a dress. I paid $32.00 for it.

Just like any other purchase, during check out, I had place my credit card information, shipping address and billing information.  I placed the order, paid it and I got my order confirmation.  After that, I seen this message saying the order qualifies for a cash back! This SOUNDS good, but when you take a closer look there is a not so hidden fee.










So I clicked on the link that says Cash back and it took me to another page.  So I signed up for a cash back and I had put my personal information sent to “shipping.com”.

I checked my mail to see if there was anything about the “cash back”.  I got suspicious when nothing came.  I went to google to find a review about the $15.00 cash back by shipping.com.   I realized that they are going to charge me monthly and has a 30 day trial period.  I was not aware of it because it does not say anything like that while you are signing up or maybe that is in very small print.

I immediately went back to shipping.com and cancelled it.

I don’t think that the shipping.com “cash back” deal is necessarily is a scam, but I think they should be more transparent about the monthly charge.

Mbayi Ambo Visa Scam Facebook groups

Scam Alert!

Mbayi Ambo is offering members of facebook group a passport for $150.00. For $150 dollars she claims that she can get an exemptions from the medical at St Lukes AND exemption from appearing of the US embassy interview.


This is not possible. It is a scam for sure. Even if you get a fake visa/passport and bypass the medical and Interview, the US Customs Border Protection requires a package that you can only get from the Embassy.

One thing to keep in mind is that it sounds too good to be true, it probably is. ALWAYS double check and verify all offers and information you get online.. including the information on this group.

She claims that she is from New York but her profile says Ontario,Canada. She is also using fake photos in her profile in Facebook.


Fw: Re: Payment Fax *scam*

Be careful with this message. Similar messages were used to steal people’s personal information. Unless you trust the sender, don’t click links or reply with personal information.
from: Pennapa <Pennapa@126.net>
date: Tue, Jun 30, 2015 at 9:58 AM
subject: Fw: Re: Payment Fax
Hope you are fine,
a payment we transferred to your account, has returned to our account due to incorrect details as informed by our bank.Please can you check the attached fax we received from our bank and correct the error, so that we can transfer the payment again.Best regards,
Ms. Pennapa | Director
Yancheng Xingtai Equipment Co.,Ltd.
Xingtai Industrial Group.
No. 29, Xindu Western Rd, Yancheng, Jiangsu, P.R.China 224001
Tel: +86-515-8869 2222 | Direct-line +86-515-6997 9993
Fax: +86-515-6997 9992 | Phone +86-187 0511 8932

This letter came with an attachment document saying ”SWIFT,pdf.z.
Yuri bruce

instagram scammer

An instagram scammer attempted to rip people off using the stolen identification of “Yuri Sincero”.  She managed to get money from someone and attempted to scam someone else.  The name she used to retrieve the money was Denise Manlutac at 156 Brgy. Balibago 1st, Tarlac City, Tarlac, Philippines.  If this person tries to get money from you, don’t do it.

Reporting internet fraud- virus

Me and my husband were browsing through websites on flippa. We were planning to buy a cooking site as a new website but did not want to  build all the information from scatch. As we were browsing, we found a cooking site for sale that is under bidding. We contacted the seller and ask for how much is the final price he is asking for his website.  It sounded like a great deal for us and we were interested in buying.reporting-internet-fraud However, the website or hosting service had a pop up that looked like malware.  The popup would not allow you to get out of the website without shutting down the browser.  We told the seller about this malicious popup. He insisted that it was the hosting service. We tried to go there many times to scan the articles if any of it is original. Not that there is no unique content and all copied, but  everytime we attempted of browsing the website the pop up and at one point we had to restart the computer. Needless to say we did not buy the website.


The virus voice says:

Important Security Message. Call the Number provided as soon as possible. You will be guided for the removal of the adware spyware virus on your computer. Seeing this Pop-ups means that you have a virus installed on your computer which puts the security of your personal data at a serious risk.  It is strongly advice that you call the number provided and get your computer fix before you do any shopping online.


Zillow Craigslist Security Deposit Scam


There is a scam going around on real estate/rental sites such as Zillow and Craigslist where a renter offers and awesome place in your area for a really great rental price.

You contact them via their ad and then they tell you that you are accepted!  All you need to do is fill out the documents and send them the security deposit.  There are a couple of issues with this:  It is a scam.

How can you tell?  There are a couple of ways to verify that it is a scam:

Search their phone number.  Their phone number is linked to another scam they did.

Here is an exmaple.  This number “205-319-1346” is linked to a scam on Zillow and a known scam on Craigslist:

$900 / 3br – 1569ft2 – This Gorgeous 3 bedroom, 2 bedroom home (Dallas, TX)

Reported on: Thursday, 26 March, 2015  05:41 Updated On: Thursday, 26 March, 2015  05:42 Reply to: (Not Shown)

Craigslist Post: “This Gorgeous 3 bedroom, 2 bedroom home has been completely professionally remodeled and is practically brand new form the ground up! Move right in with Granite and hardwood floors throughout! NEW kitchen, NEW utility room, NEW Plumbing, NEW AC and more”We replied to the and were contacted back by Charles Fenske. He claims to own the house and is renting it while living across the country. He is requesting payment by money order only. He sent us a lease to sign immediately with very little information and requested us to send $900 for first months payment and $900 as a deposit.This house is also listed on Zillow. We contacted the realtor associated with the house, and he confirmed this posting is a scam! The house was already being leased to someone else. We also located the deed of the house and it is not owned by Charles.

House for rent address: 3490 Timberview Rd Dallas TX 75229

craigslist scam report

From Zillow:

On Tue, Apr 28, 2015 at 2:46 PM


Thanks for your email and your interest in this property, I personally own the house, I want my property to be well taken good care of, and there are some rules and regulation in which I do give out to tenant willing to rent my house so please don’t disrespect my order But if you are interested in renting this home, the rules and the regulations goes this way, the surroundings most be well taking care of, you must know the way in which you use the stove so as to avoid fire outbreak,so we are renting it out since we need someone to take good care of the property on our absent. Don’t be surprise if you find the home with another site with deference price, I have plan to rent it through Real estate agent before, but they are not serious simply because they have a lot of house to lease out And they added some money to the rent while there commission is not fair.
Attn : The rent and Utilities are intact such as Dishwasher,Dryer, Electric Stove, Fridge, Washer,Air Condition,Sewage,Trash,all included in the monthly rent,as i am in a governmental programmer that sponsors my utilities on monthly basis etc.
Please note that, we are a kind and honest family, that spent a lot on property that is available for rent, so in one accord, we are soliciting for your absolute maintenance of this house and want you to treat it as your own, We want you to keep it tidy all the time so we would be glad to see it whenever we are around on a visit.
1) Your Full Name
2A) Home Phone ?
2B) Cell Phone Number ?
3) Your current address :
4) How old are you?
5a) Are you married?
5b) How many people will be living in the house?
6a) Do you have a pet?
6b) What type
7a) Do you have a car?
7b) What type? Occupation?
9) Do you smoke?
10) Do you Drink ?
11) Do you work at Night ?
12) What is your monthly income?
13) Reference Contact Name and Address?
14) When do you intend Moving in?
15) private email :
16) Picture of you and your family
17 ) When can you pay for your deposit to secure or move in?
Let me know the amount you have right now to secure the home prior your move in, the payment will be send to me or my attorney that will be issue the lease paper work, again if you which to see some pictures of the inside i will more than happy to provide them as soon as i can.
Notice : You can go ahead and do a walk through the property its empty now and the move in is ready anytime, Text me immediately you fill out the application Looking forward to hear from you with all this details so that we can have it our file in case of issuing the receipt for you and contacting you..
Await your prompt reply so that we can discuss on the rental terms and agreement, please we are renting the house to you base on trust and again i will want you to stick to your words. We will appreciate your absolute care of this home.
Number of Bedrooms: 3, Number of baths: 2, Well trained Pets are welcome!!! Rent: $1000 Refundable security Deposit: $1000 Total move in : $2000 House Address:<home address
Please call me if you have any question or text as i will not be able to meet with you before everything is finalize, if you have any question regarding this do not hesitate to ask when you text 205-319-1346
Thank you
Below are examples of fraudulent emails received by Zillow users.


“I’m out of the country and need you to wire me the deposit.”

How the scam works: You find a great rental (it’s usually too good to be true), but the landlord is located out of state or out of the country. They’ll rent it to you and mail you the keys if you just send a deposit.

Tip: Don’t wire money to anyone you haven’t met in person. If it looks like a great deal and is too good to be true, it’s likely a scam. You will lose your money, and the place you were looking at isn’t really even on the market.

Example email:

Thanks for your email and interest in renting my house.
Property is available for move in at the moment for $1250 for the month rent and $1200 for the security deposit (Refundable After Lease period , As long as there are no damages on property after inspection). For immediate move in you would be required to make a total payment of $2450 but if you are not moving in Immediately, you would be required to make a down payment of $1200 for the security deposit Non- negotiable, to hold property till desired move in date.
Unfortunately, I would not be present in person to show you the property due to my recent job transfer to London, UK, and I do not have a local representative to show the house due to my transfer so if you are interested in renting the property and willing to work with me despite my absence then I would email the necessary papers for the lease to you, for necessary endorsement.
I also want to tell you that the neighborhood is secured and the people staying there are good.
Details of the house is below;
Rent: $1250.
Security Deposit: $1200
3 Bedrooms, 1.75 Bathroom.
Single-Family Home.
Location: Kirkland WA 98033.
Street Address: 12721 Northeast 101st Place.
Pets Allowed: Cats and Dogs.
Size: 1,800 sqft.
Home available for immediate move in.
This is a charming home in Kirkland.
Lovely move in ready 3 bedroom, 1.75 bath, rambler, located on quiet cul-de-sac. Approx. 1800 sq ft., built in 1989. Bright and airy interior that has been beautifully updated and well-maintained.
Exterior Sun Blockers roll-shutters for max insulation & security.
Other features include security system, built-in vacuum system and skylights. High quality throughout. Neutral colors. Master suite with private bath and two walk in closets. Spacious kitchen with tons of oak cabinets and all appliances (refrig, range, microwave). Very light and open, Washer and dryer included. 2-car attached garage with opener.
Yard service included and home is pet friendly!
Mark A Ross.

1 2 3 4 65