Removing "UBH" WordPress hack

There have been recent reports of malware installed on WordPress sites by a group identifying as "UBH" or "United Bangladeshi Hackers".   This attack results in defacing the WordPress site, disabling most or all installed plugins, and installing a payload onto the website which is a phishing attack that attempts to collect login information posing as a legitimate login to a well-known utility or financial institution.      We have identified some commonalities among the exploits:

  • Always targets the first configured user of a WordPress installation.
  • First configured user is changed to username "hex" and password is changed to unknown string.
  • All legitimately installed plugins are disabled.
  • A new plugin is installed called "UBH CSU" which may allow shell access to the site (if allowed by server rules).

The exploit targets User #1 in a WordPress installation, since that is often-times the user responsible for the installation and administration of WordPress and therefore has full credentials.   Since the credentials are changed, it is impossible to log into the website's WordPress admin area.

The plugin that allows them to perform these actions is noted as "UBH CSU" and notes "upload shell and manage site or server using console :D, happy hacking ;) !"

To date, we have only seen this take place across cPanel servers.   We have not found this exploit to be successful on our BlueOnyx hosting network.   We believe this is due to the differing security measures in place.

We have found success in mitigating the damage caused by this exploit with the following steps:

  1. As a safety precaution, change the affected domain's cPanel user password.
  2. Using the affected domain's cPanel, navigate to WordPress Manger in the Applications section.
  3. If the impacted WordPress installation does not appear, click on Discover Sites to adopt the WordPress installation.
  4. Click "Manage" to the right of the domain name and directory.
  5. Click the "Admin" tab on the left and locate the "Hex" user.    That is the hacked user account.
  6. Click "Change User's Password" and generate a strong password to assign to the user account then click the "Change Password" button.  Be sure you have copied the new password you create because you will use it soon.
  7. Click on "Administration URL" to open a browser tab to the site's WP-ADMIN.
  8. Use the new credentials (username "hex" and the password you just assigned).
  9. In WordPress, navigate to "Users" and click "Add New" to create a new user account.
  10. Give the new user account a unique username and strong password (recommended to use the "generate password" function in WordPress) and save the new account.
  11. Log out of WordPress and then log back in using the new username and password you just created.
  12. Now that you're logged back in, navigate to "Users" and choose to DELETE the "hex" account.
  13. WordPress will ask "What should be done with content owned by this user?"    Select
  14. Navigate to Plugins and delete the "UBH CSU" plugin.   The WordPress site is
  15. Using FTP or the cPanel File Manager, locate and delete any directories which contain the phishing payload.    These are commonly found in the web's root, or in wp-admin/css/ and are typically seemingly-random strings of letters and number such as "Pc34" or "Tb23".
  16. In WordPress, re-enable any relavent plugins.

Your website should now be restored to functional and safe.   Depending on the state of your plugins, you may need to make adjustments to ensure full function.

As a good measure, it's a good idea to ensure that your WordPress installation is kept up-to-date.   Use the Updates function within WordPress to make sure your base WordPress version is the latest available and also update plugins and themes to current versions.

VIRTBIZ hosting customers can always reach out to Support for assistance.   Simply log in through the customer portal and open a new Support Ticket and our technicians will be happy to have a look for you.

  • 1 Users Found This Useful
Was this answer helpful?

Related Articles

I think I am missing emails. Are they getting blocked?

Our e-mail servers are configured to use a variety of spam-blocking techniques. It is possible...

Email arrives that says it has been "disarmed"

The {disarmed} flag in the subject line of a filtered email indicates the system has located a...