How Hackers Exploited Stored Passwords to Infect Web Hosting Servers

Listen to this Post

Featured Image
A company managing customer websites was hacked, leading to all hosted websites being infected with malicious web shells. Despite repeated deletions, new shells kept appearing. The company eventually stopped renewing hosting plans, unable to continue operations.

Initial Suspicion: Website vulnerabilities.

Reality: The hosting admin’s PC was infected with info-stealer malware. The admin stored all passwords (including hosting manager and SSH credentials) in Google Keep, which hackers accessed to upload persistent web shells.

You Should Know: How to Prevent & Mitigate Such Attacks

1. Secure Password Storage & Management

  • Use a Password Manager: Tools like Bitwarden, KeePassXC, or 1Password encrypt credentials.
  • Enable 2FA Everywhere: Especially for hosting, SSH, and critical accounts.
  • Avoid Browser-Based Notes: Never store passwords in Google Keep, Notes, or plaintext files.

2. Detect & Remove Web Shells

Common web shells (php, jsp, asp) can be detected using:

 Linux: Find suspicious PHP files modified recently 
find /var/www/html -type f -name ".php" -mtime -7 -exec ls -la {} \;

Windows: Search for encoded or obfuscated scripts 
Get-ChildItem -Path C:\inetpub\wwwroot -Recurse -Include .aspx,.php,.jsp | 
Where-Object { $_ -match "eval|base64_decode|shell_exec" } 

3. Harden SSH Access

  • Disable Password Logins: Use SSH keys only.
    Edit SSH config 
    sudo nano /etc/ssh/sshd_config 
    Set: 
    PasswordAuthentication no 
    PermitRootLogin no 
    
  • Monitor SSH Logs for Bruteforce:
    sudo grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr 
    

4. Check for Info-Stealer Infections

  • Linux: Scan for suspicious processes:
    ps aux | grep -E "curl|wget|nc|ncat|socat|bash -i" 
    
  • Windows: Check unusual outbound connections:
    netstat -ano | findstr ESTABLISHED 
    

5. Automate Malware Scans

  • Linux (ClamAV):
    sudo apt install clamav 
    sudo freshclam 
    sudo clamscan -r /var/www --remove=yes 
    
  • Windows (MSE):
    Start-MpScan -ScanType FullScan 
    

What Undercode Say

This attack highlights credential mismanagement as a critical failure. Storing passwords in unsecured notes and lacking SSH key enforcement allowed hackers persistent access. Companies must:
– Enforce password managers + 2FA
– Regularly audit logs (/var/log/secure, Event Viewer)
– Isolate admin workstations (Zero Trust)
– Use endpoint protection (CrowdStrike, OpenEDR)

Prediction

Future attacks will increasingly target password managers & cloud note apps (Evernote, OneNote). Hackers will use AI-driven phishing to bypass 2FA.

Expected Output:

  • Detected web shells removed
  • SSH keys enforced, passwords disabled
  • Admin systems scanned & cleaned
  • Employee security training implemented

(No URLs provided as the original post didn’t include direct references.)

References:

Reported By: Mamun Infosec – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram