Week from HELL continues... part 72b. SERVER HACKED!!

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Sep 5, 2020.

  1. craig baker

    craig baker Member HowtoForge Supporter

    This is just unbelievable! One of my websites had ispprotect (where does it put a log btw anywhere? or just email) flag some files, and I discover to my HORROR that the wp-content/uploads folder (wordpress site) has the 2020/09 folder (it caches by year and month to keep directories from getting too large).. had some real CRAP in it:

    09dir.PNG
    the .pid file contained a process number and that pid had a title of (you guessed it) [stealth].
    the files in the folder all look like linux executables (no doubt) with ELF style headers. all marked executable.
    now this is in a folder UNDER wp-content/uploads/2020/09
    and though I have a .htaccess blocking php execution in wp-content (I believe) nothing seems to block execution of these items in the uploads folder!
    how on earth did this get to be the case? I terminated the process, rebooted, and moved the tree to hang under root.
    the root of the wordpress installation had various corrupted files like rindex.php and wp-load.php which are not part of wordpress and have the usual encryptedgibberish contents.

    anyone have any expertise in hacked wordpress files? I'd surely be willing to pay for some help! I need to understand HOW this happened and hopefully how to prevent it in future??
    you think YOU have had a bad week???
    cdb.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Things that you should do:

    1) Check if there are updates for WordPress, WordPress plugins or the theme available and install them if possible. Do a backup first though to ensure that the sites doe snot get broken.
    2) Have a look at the access.-log file of the website, search especially for POST requests, to see how this got injected into the site. if the site is a low traffic site, then you can also try to compare the timestamps of the uploaded malware files with the access.log to see if you can find any correlations.
    3) Before removing malware, it's good to backup the site once with the malware in it, otherwise it might be complicated to find out how the hack happened when the malware has all been removed.
    4) I'll send you a PM.
     
  3. craig baker

    craig baker Member HowtoForge Supporter

    I'm checking out ninja firewall as a waf to try and block these attacks.
    it wants by default to use .user.ini files in the web folders as opposed to php.ini files and creates them.
    any issues with ispconfig3? and will they get loaded properly with fastcgi?

    further it says server must permit auto_prepend_file to function correctly. any reason to be concerned about either?
    thanks again. Maybe the week from hell is calming down a bit? LOL
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I do not know what ninja firewall is, so no comment on that.
    I use WordFence on Wordpress sites as application firewall, it has helped somewhat. There is both paid for version and no cost version.
     
    Jesse Norell and elmacus like this.
  5. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    I've also never used 'ninja firewall', but for information sake:
    Should not be an issue, I use fpm mode (where .user.ini works fine), but it should work with fastcgi as well.
    That should work fine as well. Every wordpress site I run uses wordfence, and that's exactly how it hooks in it's firewall ahead of loading wordpress (ie. via adding an auto_prepend_file line to .user.ini).

    If you do want to hire some help, the best bang-for-your-buck, as well as best help that I know of is again with wordfence, their site cleaning service.
     
  6. molahs

    molahs Member HowtoForge Supporter

    +1 for wordfence.
    You must have had a plugin called "WP File Explorer". A lot of sites with that plugin were compromised. I just finished cleaning one. If you need assistance PM me.
     

Share This Page