Hacked Site

We host a WordPress site that has more than once been hacked. To my surprise, somehow the entire site was deleted earlier today. I did not think that was possible. We restored the site, tweaked WordFence by adding a list of IP ranges to block 90% of overseas attacking IPs, and updated WordPress. We deleted unused plugins and made sure all was well. It lasted 8 hours before it was hacked again. One .php file in the root did not look right and indicates how they did it. It contained the following line:

$fp = fsockopen("udp://$host", $port, $errno, $errstr, 5);

There was a previous comment a few years ago where the server admin created a file with the following content at /etc/php.d/myconf.php:

expose_php = Off
disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open
session.cookie_httponly = 1

Can you confirm whether this is a new file, and whether placing it in this location and then rebooting Apache would stop the fsockopen attack? Are there any other suggestions on how to protect this server, and the other several Virtualmin servers we have? Do you think it would break any sites? Suggestions welcome. This is pretty scary, and it got by WordFence without any problems at all.

Status: Needs work

Comments

Howdy -- we're sorry to hear someone broke into your site!

There are a number of ways they break into sites, including guessing WordPress admin passwords, having older WordPress versions containing security vulnerabilities, having older plugins containing vulnerabilities, and guessing FTP passwords and uploading malicious scripts.

I'm not familiar with the "myconf.php" file you mentioned, though that's not installed by default. It appears that it would disable the listed PHP functions.

In order to prevent PHP from executing "fsockopen", you would need to include "fsockopen" in the list of PHP functions to disable.

As far as whether it would break any sites -- that's a tough one to answer, it would largely depend on what functionality your sites depend on. That may require some trial and error.

You could always enable that for specific sites, by adding it to $HOME/etc/php.ini, if you didn't want to add it to all sites at once.
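As an added example (not part of this thread or of Virtualmin), the following POSIX shell script checks a php.ini-style file for the `disable_functions` directive quoted above and prints the hardened directive with `fsockopen` appended; `pfsockopen`, the persistent variant of `fsockopen`, is added here as well. The sample ini file is constructed inline from the thread's three lines.

```shell
#!/bin/sh
# Added example: does a php.ini fragment disable fsockopen, and if not,
# what should the corrected disable_functions line look like?
# Assumes the "disable_functions = a, b, c" syntax used in the thread.

# Constructed sample: the directive quoted in the question (no fsockopen).
SAMPLE_INI="$(mktemp)"
trap 'rm -f "$SAMPLE_INI"' EXIT
cat >"$SAMPLE_INI" <<'EOF'
expose_php = Off
disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open
session.cookie_httponly = 1
EOF

# disabled_functions FILE: print the functions named on the last uncommented
# disable_functions line, one per line, with surrounding whitespace removed.
disabled_functions() {
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" | tail -n 1 |
        sed -e 's/^[^=]*=//' -e 's/[[:space:]]//g' | tr ',' '\n' | sed '/^$/d'
}

# is_disabled FILE FUNC: succeed (exit 0) only if FUNC is in the list.
is_disabled() {
    disabled_functions "$1" | grep -qx "$2"
}

# hardened_directive FILE FUNC...: print the existing list with FUNC... appended
# (duplicates dropped), formatted as a line ready to paste into php.ini.
hardened_directive() {
    file="$1"; shift
    { disabled_functions "$file"; for f in "$@"; do echo "$f"; done; } |
        awk '!seen[$0]++' | paste -sd, - | sed 's/,/, /g; s/^/disable_functions = /'
}

if is_disabled "$SAMPLE_INI" fsockopen; then
    echo "fsockopen is already disabled"
else
    echo "fsockopen is NOT disabled; suggested directive:"
    hardened_directive "$SAMPLE_INI" fsockopen pfsockopen
fi
```

Two checks worth running on the real server: `php --ini` lists the files PHP actually parses (only `*.ini` files in the scan directory are loaded, so a file named `myconf.php` there is not read), and `disable_functions` can only be set in php.ini or the per-site php.ini, not in `.htaccess` or by a script at runtime.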

Secureweb

Please let us know the findings.

It happened to me a few years ago; it was something to do with an insecure password / some PHP coding that was not very secure.

I'd love to know about your detective work.