Old 31st July 2012, 00:43
Ovidiu
Senior Member
 
Join Date: Sep 2005
Posts: 1,262
Thanks: 78
Thanked 24 Times in 20 Posts

Thanks Falko, I figured out the problem and will implement your suggestion after I fix the original problem.

After tinkering with the VPS I realized the problem went a lot deeper than that. This thread is basically closed as the problem is a totally different one, but if you can add something to it, it would be much appreciated.

I ran 2 sites for a friend on my server; one grew too big so I moved him to his own VPS that I also manage. The second one grew stale so I eventually de-activated it.

I now moved the stale one to his own server since he was going to update it and get it up and running again.

I see 2 possible reasons for my problems:

a) either I screwed up when transferring the old site to the new server
b) the site's files were infected with Timthumb and possibly other dangerous stuff

Facts: I moved the site, put it online, updated all plugins, ran a Timthumb vulnerability scanner over the entire wordpress installation (a WP plugin) and manually deleted/replaced all infected files, which were quite a lot.

My reasoning is that while doing that, I might have missed some infected file or simply have been too slow.

The symptoms are that a lot of processes stopped working. I checked quite a few log files and all are complaining about wrong ownerships, i.e. most of the problems I found are that www-data owns the folders/files now...

My explanation is that on the old server, everything was so secured and tied down that the infection couldn't spread anywhere (I run those sites with FASTCGI and suexec and a lot of other security mechanisms), but the new one is "unprotected" from inside, meaning that, with me personally moving the infection onto the server and the web server running no further protection, I basically spread the virus myself :-(

My plan now is to restore a backup of the new server, get it up and running again, then try and clean the infected site before moving it. The question is how do I detect/clean infected files within a wordpress site OFFLINE? All I could google refers to how to clean/scan a live wordpress installation :-(

Any advice?

Please also feel free to comment if you think you see a flaw in my reasoning, this is not 100% proven (except for the mentioned FACTS), just my deductions.

oh, btw. I ran one of the many infected index.php files through an online scanner and here are the results:

http://r.virscan.org/report/994a8139...334871829.html
https://www.virustotal.com/file/4b66...is/1343601521/

Funnily enough, the Linux Malware tool I am using doesn't find anything wrong with this file :-( http://www.rfxn.com/projects/linux-malware-detect/
Need to post there for support too.

Any advice from someone who faced something like this before? Maybe some pointers about detecting MySQL injections once they have happened already?

Last edited by Ovidiu; 31st July 2012 at 00:45.
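One way to do the offline check the post asks about, as an added example that is not part of the thread and not the poster's or any plugin's code: walk a copied WordPress tree on disk (a backup, or the site directory mounted read-only), flag PHP files that contain generic obfuscation constructs (eval of a base64/gzinflate blob, request parameters fed straight into eval, long base64 literals, chr() concatenation chains), flag the vulnerable thumbnail script by name, and report files whose owner is not the expected site user, which is the "www-data owns everything" symptom described above. The directory layout, file contents and indicator names are constructed for the example; the patterns are heuristics, not signatures for a particular malware family, so every hit still needs a human look.

```python
#!/usr/bin/env python3
"""Offline scan of a WordPress tree (a copy on disk) for likely-injected PHP.

Added example for this thread, not code from the original post. It assumes the
site is an ordinary directory tree readable without a running web server; the
indicators are generic PHP obfuscation heuristics, so each hit needs review.
"""
import os
import re
import sys
import tempfile

# Constructs that legitimate WordPress core/plugin code almost never combines,
# but injected droppers routinely do. Indicator name -> compiled pattern.
INDICATORS = {
    "eval-of-decoded-blob": re.compile(
        r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
        re.I),
    "request-param-executed": re.compile(
        r"\b(eval|assert|create_function|system|passthru|shell_exec)\s*\(\s*"
        r"\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    "long-base64-literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "chr-concatenation-chain": re.compile(r"(chr\s*\(\s*\d+\s*\)\s*\.\s*){6,}", re.I),
}

# The vulnerable thumbnail script the poster's scanner was hunting for should
# not exist anywhere in a cleaned tree, whatever its contents.
KNOWN_RISKY_NAMES = {"timthumb.php", "thumb.php"}


def scan_file(path):
    """Return the list of indicator names that fire on one PHP file."""
    reasons = []
    if os.path.basename(path).lower() in KNOWN_RISKY_NAMES:
        reasons.append("risky-script-name")
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return reasons + ["unreadable"]
    for name, pattern in INDICATORS.items():
        if pattern.search(text):
            reasons.append(name)
    return reasons


def scan_tree(root, expected_uid=None):
    """Walk `root`; return {relative_path: [reasons]} for every flagged file.

    With expected_uid set, files owned by any other uid are reported as well,
    which catches the "www-data now owns the folders/files" symptom.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = []
            if fname.lower().endswith(".php"):
                reasons.extend(scan_file(full))
            if expected_uid is not None and os.lstat(full).st_uid != expected_uid:
                reasons.append("unexpected-owner")
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def build_sample_tree(base):
    """Write a constructed mini WordPress tree (not real site files) under `base`."""
    samples = {
        # benign: an ordinary theme template
        "wp-content/themes/demo/header.php":
            "<?php wp_head(); ?>\n<title><?php bloginfo('name'); ?></title>\n",
        # injected: decoder stub prepended to the template, as in defaced index.php files
        "wp-content/themes/demo/index.php":
            "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n<?php get_header(); ?>\n",
        # backdoor-style: executes whatever arrives in a request parameter
        "wp-content/uploads/2012/07/cache.php":
            "<?php if (isset($_POST['c'])) { eval($_POST['c']); } ?>\n",
        # the vulnerable thumbnail script left behind by an old plugin
        "wp-content/plugins/oldgallery/timthumb.php":
            "<?php // thumbnail resizer ?>\n",
        # non-PHP content is only checked for ownership
        "wp-content/uploads/2012/07/photo.jpg": "not a real jpeg\n",
    }
    for rel, body in samples.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        # files we just wrote are owned by us, so only content indicators fire
        return scan_tree(tmp, expected_uid=os.getuid())


if __name__ == "__main__":
    # usage: offline_wp_scan.py /path/to/site-copy   (no path: run the demo tree)
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel, reasons in sorted(hits.items()):
        print(f"{rel}: {', '.join(reasons)}")
```

Run it against the restored copy rather than the live document root, and pass the site account's uid (for example `pwd.getpwnam("siteuser").pw_uid`) as `expected_uid` so the ownership check reports exactly the files that need `chown` back to the suexec user. The heuristics deliberately err on the side of noise: a plugin that legitimately stores a long base64 image will show up, and a dropper written to avoid these constructs will not, so compare flagged core files against a fresh WordPress download of the same version before deciding.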