Malware Credentials Hack in Client WordPress Website

Quick Action

Complete and Thorough Service to Bounce Back from a Malware Attack

The client came to us with a serious problem: they could no longer log into their WordPress site because their administrator credentials had stopped working. The client's environment was not under regular maintenance by us, so we had to work back through an extended period of logs and backups to establish what had happened and resolve it.


In the end we identified the cause, removed the malware and the attacker's accounts, applied the remedies, and verified that the compromise had been fully and permanently cleaned up and that the vulnerability behind it was closed so the incident would not recur. We also helped put in place an ongoing vulnerability-management regime to prevent similar occurrences.

Evidence

Indicators of Compromise

Credentials Failure

The client was unable to log in with existing, known-good account credentials and could not access the WordPress website at all.

Unknown Accounts

Newly created accounts that were clearly not the client's were found in the WordPress back end. These were direct evidence of an intrusion that needed to be resolved.
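A quick way to surface accounts like these is to diff the administrators WordPress reports against the list the client actually recognises. The script below is an added example for this write-up, not SEIRIM's tooling: it parses the CSV that `wp user list --role=administrator --fields=user_login,user_email,user_registered --format=csv` prints (a constructed sample is embedded so it runs offline) and lists every administrator whose login is not on the known-good list.

```shell
#!/bin/sh
# Added example (not SEIRIM's tooling): compare the administrators WordPress
# reports against the logins the client vouches for, and flag the rest.
# Input is the CSV that
#   wp user list --role=administrator --fields=user_login,user_email,user_registered --format=csv
# prints; the sample below is constructed so the script runs offline.

SAMPLE_ADMINS_CSV='user_login,user_email,user_registered
admin,owner@example.com,2019-03-02 10:11:12
editor_jane,jane@example.com,2021-06-14 08:00:00
wpadm1n,support-team@mail.example.net,2025-11-30 03:14:07
sys_update,noreply@example.org,2025-11-30 03:14:09'

# unexpected_admins "LOGIN LOGIN ..." CSV
#   First argument: space-separated logins the client recognises.
#   Second argument: header plus one administrator per line, as wp-cli prints it.
# Prints "login email registered" for every administrator not on the known list.
unexpected_admins() {
    known=" $1 "
    printf '%s\n' "$2" | tail -n +2 | while IFS=, read -r login email registered; do
        case "$known" in
            *" $login "*) ;;                                  # recognised account, skip
            *) printf '%s %s %s\n' "$login" "$email" "$registered" ;;
        esac
    done
}

# Against the sample: two accounts created seconds apart on the same night,
# with addresses outside the client's domain, are exactly what an
# unauthenticated admin-creation bug leaves behind.
unexpected_admins "admin editor_jane" "$SAMPLE_ADMINS_CSV"
```

Run it against the live site by piping the real wp-cli output in place of the sample; every account it prints should be deleted (or demoted and its sessions destroyed) before the remaining administrators' passwords are reset.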

Server Sessions Logs Deleted

Logs that should have existed had been deleted, and further attempts to cover the attacker's tracks were found. These anti-forensic actions were themselves indicators, and they gave additional information about when and how the compromise took place.

IP Address Locations Incongruent

In the logs that could be recovered, the IP addresses and access history showed logins to administrator accounts, and administrative actions, from locations in Turkey, a geography that matched none of the client's regular usage.

Repair and Recover

Actions Screenshots (captions only; the images are not reproduced here)

Incongruent IP address of malicious account
Brute Force Password Attempts
Closing Exposed Reports
Country Level IP Blocking
Deleted Logs Indicator
GeoIP and GeoLite Summary
IP Blocking Process
Malicious Created Emails
Multiple Location Testing
Password Reset Alert
Restriction to Key Paired IDs and Users
Testing IP Locations
Add the Scheduled Tasks to Update IPs
Full Incident Response

Strategies Deployed to Contain, Repair and Better Defend the Affected WordPress Website

SEIRIM's approach to the malware attack was first to contain the infection and prevent any further spread through the client's server and other accounts and applications. We then investigated to find the root cause of the incident and how it occurred. This pointed us to the vulnerabilities that needed resolving and the configurations that needed strengthening in order to repair the website.


We made all the fixes required and restored the website. Beyond the immediate fixes, we added multiple new safeguards to give the client better security going forward.

Response to CVE-2026-1492

The vulnerability we found and had to remediate was CVE-2026-1492 in the User Registration & Membership plugin by WPEverest. It carries a severity score of 9.8 (critical) because it allows administrator accounts to be created without authentication. More information is available from NIST and from Wordfence.

Check Session Login History

On checking the login history, we found that some logs covering the period of the incident had been deleted, in an attempt to obscure the details of the attack and delay its discovery.

Checks in the Server

To confirm that only the website's `admin` account had been compromised, and to make the final conclusion sound, we also had to check the state of the server's own accounts: review the server session history (who had logged in over SSH, and when) and confirm it was clean and unaffected. On the server itself we disabled SSH password authentication and removed unused accounts; this matters especially when the host is being hit by password-guessing and credential-stuffing attempts such as those visible in the auth log screenshot above. On the firewall we left open only the one port that was needed.
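The server-side part of that hardening is easy to get subtly wrong (a commented-out `#PasswordAuthentication yes` left in place, a duplicate key later in the file that sshd ignores because the first occurrence wins). The script below is an added example, not SEIRIM's own procedure: it applies the settings to whatever `sshd_config` path it is given, so it can be dry-run against a copy first, and it lists the accounts on a passwd-format file that still have an interactive shell, which is the starting point for removing unused ones. The `KbdInteractiveAuthentication` keyword assumes OpenSSH 8.7 or newer; older releases call it `ChallengeResponseAuthentication`.

```shell
#!/bin/sh
# Added example (not from the original write-up): apply the SSH hardening the
# case describes to a copy of sshd_config, then report what it now says.
# Real run: harden_sshd_config /etc/ssh/sshd_config && sshd -t && systemctl reload sshd
# Caveat: settings under a "Match" block apply only to that block; this helper
# rewrites every occurrence, so review the diff on a config that uses Match.

# set_sshd_option FILE KEY VALUE
#   Replaces any existing (possibly commented-out) "KEY ..." line with
#   "KEY VALUE", or appends it if the key is absent. All occurrences are
#   rewritten because sshd honours the first one and silently ignores the rest.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$/$key $value/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE: keys only, no root password login, fewer guesses per connection.
harden_sshd_config() {
    file=$1
    set_sshd_option "$file" PasswordAuthentication no          # stops the password brute force entirely
    set_sshd_option "$file" KbdInteractiveAuthentication no    # PAM path that would still accept a password (OpenSSH >= 8.7)
    set_sshd_option "$file" PermitRootLogin prohibit-password  # root only with a key
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" MaxAuthTries 3
}

# sshd_option FILE KEY: prints the value sshd will use (first match), for verification.
sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# login_accounts PASSWD_FILE: accounts with a real login shell. Anything here
# that is not root or an expected operator is a candidate for removal.
login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Usage (against the real files):
#   cp /etc/ssh/sshd_config /tmp/sshd_config.new && harden_sshd_config /tmp/sshd_config.new
#   diff /etc/ssh/sshd_config /tmp/sshd_config.new
#   login_accounts /etc/passwd
```

Pair the config change with a check of who has actually been logging in (`last -F`, `lastlog`, and the `Accepted` lines in the auth log) before disabling password login, so that a legitimate operator who still depends on a password is not locked out.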

IP Locations Incongruent

Some logs were recovered, and they showed logins from geolocations inconsistent with the client's expected behaviour, which indicated compromise. Many of the IP addresses involved placed the source of the breach in Turkey.

Brute Force Password Attacks

In addition to the eventual successful exploitation of CVE-2026-1492, a large number of brute-force password attempts had been made. The website's `admin` account had been taken over and its credentials changed through the web-facing application, via the publicly exposed plugin endpoint, and not from inside the server by direct database operations or shell commands.
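The brute-force activity shows up in two different logs, the SSH auth log mentioned under the server checks and the web server access log for the WordPress login endpoints, and it is worth counting both. The script below is an added example, not SEIRIM's tooling, and the log lines in it are constructed samples in the standard OpenSSH and Apache combined-log formats so that it runs offline; in practice the functions are fed `/var/log/auth.log` and the site's access log. The threshold values are arbitrary and are assumptions for the example.

```shell
#!/bin/sh
# Added example (not SEIRIM's tooling): count failed logins per source IP in
# the SSH auth log and in the Apache access log for WordPress's credential
# endpoints, and print the sources that exceed a threshold.
# The log lines are constructed samples; point the functions at
# /var/log/auth.log and the site's access log in practice.

SAMPLE_AUTH_LOG='Nov 30 03:10:01 web1 sshd[2201]: Failed password for root from 198.51.100.23 port 51122 ssh2
Nov 30 03:10:02 web1 sshd[2203]: Failed password for invalid user admin from 198.51.100.23 port 51130 ssh2
Nov 30 03:10:02 web1 sshd[2205]: Failed password for root from 198.51.100.23 port 51140 ssh2
Nov 30 03:10:03 web1 sshd[2207]: Failed password for root from 198.51.100.23 port 51151 ssh2
Nov 30 03:12:40 web1 sshd[2250]: Accepted publickey for deploy from 203.0.113.10 port 40022 ssh2
Nov 30 03:15:09 web1 sshd[2260]: Failed password for root from 192.0.2.77 port 60001 ssh2'

SAMPLE_ACCESS_LOG='198.51.100.23 - - [30/Nov/2025:03:20:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.23 - - [30/Nov/2025:03:20:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.23 - - [30/Nov/2025:03:20:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Nov/2025:03:25:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Nov/2025:03:25:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"'

# ssh_failures THRESHOLD   (auth log on stdin) -> "IP COUNT" per offending source.
# "Failed password for <user> from <ip>" and "... for invalid user <user> from <ip>"
# both end in "from <ip> port <n>", so the IP is the field after "from".
ssh_failures() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
        }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }'
}

# wp_login_attempts THRESHOLD   (combined-format access log on stdin)
# A POST to wp-login.php answered with 200 is the form re-rendered, i.e. a
# failed login; a successful one answers 302. xmlrpc.php answers 200 either
# way, so every POST to it is counted.
wp_login_attempts() {
    awk -v t="$1" '
        $6 == "\"POST" && (($7 == "/wp-login.php" && $9 == 200) || $7 == "/xmlrpc.php") { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }'
}

printf '%s\n' "$SAMPLE_AUTH_LOG"   | ssh_failures 3
printf '%s\n' "$SAMPLE_ACCESS_LOG" | wp_login_attempts 3
```

The same source appearing in both outputs, as 198.51.100.23 does in the sample, is the pattern seen in this case: one attacker working the server's SSH and the site's login form in parallel.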

Attacks on the Server

Although the server accounts appeared to be intact, the SSH service had been attacked from outside, which was made easier by password login being enabled. The alternative explanation, that a sophisticated attacker had already compromised the root account and then deleted all of the session history, is not supported by the evidence: the website's code had not been changed or deleted, so we concluded that the server itself had not been breached.

Discovery of Invalid SMTP

While recreating the admin account, we found that the admin email address had reverted to a deprecated one, and that the server's SMTP configuration was no longer valid, so password-reset and notification mail could not be delivered. We installed an SMTP plugin and configured it to send through SendGrid, the provider SEIRIM prefers to use.

Added Filters to Prevent Malicious Logins

To stop the password-change and admin-dashboard endpoints from being exposed directly to anyone other than the intended users, and since in this case only the client's staff in China needed access, we blocked all IP addresses outside China.

Other IP Checks and Blocks

Under the site's web policy, all IP addresses outside China were blocked, and the client's local and official IP addresses were explicitly allowed for the admin dashboard and login pages. The Apache web server policy was reconfigured around the countries that known IP addresses come from, using MaxMind's GeoIP data, and a scheduled task was added to check and update the IP database automatically every week.

Strengthening the WordPress Install

One risk common to many WordPress deployments is that phpMyAdmin is exposed by default on the public website. This is dangerous: if the database credentials are ever exposed, this interface lets an attacker operate on the database directly from the internet. We therefore blocked access to it in the web policy, alongside other configuration hardening.
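The country restriction on the login and admin paths, the fixed allowlist for the client's own addresses, the weekly GeoIP refresh, and the phpMyAdmin block all fit in one Apache policy file. The script below is an added example, not SEIRIM's configuration: it renders that policy from an allowed-country list and an admin IP allowlist so the same generator can be reused for other sites. It assumes the mod_maxminddb module with the GeoLite2-Country database; the environment variable name `MM_COUNTRY_CODE`, the database path, the cron schedule, and the example addresses are choices made here, not values from the engagement.

```shell
#!/bin/sh
# Added example (not SEIRIM's config): generate the Apache policy the case
# describes. Assumes mod_maxminddb with GeoLite2-Country; the env variable
# name, paths and addresses are assumptions for the example.

# render_wp_admin_policy "CC CC ..." "IP IP ..."  -> Apache config on stdout
#   Login/admin endpoints: reachable from the listed countries OR the listed IPs.
#   phpMyAdmin: denied to everyone; reach it over an SSH tunnel instead.
render_wp_admin_policy() {
    countries=$1; admin_ips=$2
    expr=""
    for cc in $countries; do
        expr="${expr:+$expr || }%{ENV:MM_COUNTRY_CODE} == '$cc'"
    done
    cat <<EOF
MaxMindDBEnable On
MaxMindDBFile COUNTRY_DB /usr/share/GeoIP/GeoLite2-Country.mmdb
MaxMindDBEnv MM_COUNTRY_CODE COUNTRY_DB/country/iso_code

# Credential and admin endpoints: allowed countries, or the fixed admin IPs.
<LocationMatch "^/(wp-login\.php|wp-admin/|xmlrpc\.php)">
    <RequireAny>
EOF
    for ip in $admin_ips; do
        printf '        Require ip %s\n' "$ip"
    done
    cat <<EOF
        Require expr "$expr"
    </RequireAny>
</LocationMatch>

# admin-ajax.php is called by the public front end, so it stays open
# (a later section replaces the earlier Require with AuthMerging Off, the default).
<Location "/wp-admin/admin-ajax.php">
    Require all granted
</Location>

# phpMyAdmin has no business on the public site.
<LocationMatch "^/(phpmyadmin|phpMyAdmin|pma)(/|\$)">
    Require all denied
</LocationMatch>
EOF
}

# Weekly database refresh so the country policy does not go stale; geoipupdate
# reads its MaxMind account key from /etc/GeoIP.conf. Drop this into /etc/cron.d/.
GEOIP_CRON='0 4 * * 1 root /usr/bin/geoipupdate && /usr/sbin/apachectl graceful'

# Usage:
#   render_wp_admin_policy "CN" "203.0.113.10 203.0.113.11" > /etc/apache2/conf-available/wp-admin-geo.conf
#   a2enconf wp-admin-geo && apachectl configtest && systemctl reload apache2
#   printf '%s\n' "$GEOIP_CRON" > /etc/cron.d/geoipupdate
render_wp_admin_policy "CN" "203.0.113.10"
```

Test the result from outside the allowed country before declaring it done (the engagement's own "Multiple Location Testing" step): a request to `/wp-login.php` from a disallowed location should get 403, one from the admin allowlist should get the login form, and `/phpmyadmin/` should be 403 from everywhere.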