one domain was hacked

#1 Tue, 07/04/2017 - 08:45
drguild

Checked a couple of things today and noticed one of my virtualmin domains (the only one running WordPress) had been hacked in the last month and became an email spam server.

Everything was updated, my server and WordPress.

The hack seems to have disabled WordPress and added stuff to the web folder.

Inside is a cp.php which is titled inside 'Automatic cPanel Cracker', a crack.php, xBlack_Configs, bsn.php and a few other files.

Some have references to processes and backdoors in the code; whether they were run I'm not sure.

If anyone wants a look they are welcome to.

Seems they got in via a WordPress exploit and uploaded a console hacking plugin.

I'm not sure what files I need to delete to clean the system up.

I should have a backup of the server on the host; if not, I don't mind recreating it as I hadn't really used it in a while.

Tue, 07/04/2017 - 09:06
unborn

hi, it's your fail. to be honest, to give out to hack an updated latest wp - takes some time, actually a long time. you should fully force your clients to update or you should update your wp.. there is no excuse - you should make sure your wp-eses are fully updated. - my only advice is restore the site from backups and then patch the holes out there.

edit: if all of wp was up2date, then your theme is coded badly... perhaps check the code of your theme and plugins as well, basically - what are you asking? wp has nothing to do with virtualmin or webmin eh

Configuring/troubleshooting Debian servers is always great fun

Tue, 07/04/2017 - 09:11
drguild

Actually it is my own home server running CentOS 6.6 and virtualmin. I have always updated the server instantly when I got the webmin update emails. WordPress I have updated as soon as I have seen there is an update; even if I hadn't posted on the blog in the last year, I still updated the WordPress core/plugins/themes.

Also I have been the only person using the site, hence my home server, and no-one really reads it and I haven't posted a personal blog for ages.

Managed to clean it up and have a copy of the files that were put on the system.

I'll keep an eye on postfix in case it's still sending out spam.

Tue, 07/04/2017 - 23:17 (Reply to #3)
unborn

I suggest you install fail2ban or something like that as well.

Configuring/troubleshooting Debian servers is always great fun

Wed, 07/05/2017 - 13:28
Diabolico

Updating WP, themes and plugins (and server) doesn't mean anything if some of them are badly coded or didn't have a proper update for a long time or something else. Four or five months ago I discovered a pretty nasty exploit in one WP plugin which prompted immediate removal from the WP website, as it was so severe that the mods didn't want to wait for the author to react. Basically the exploit would allow the hacker to change or upload anything in the /wp-content/ folder. So as you can see, it's not only whether you updated some software or not but what the level of your knowledge is doing such a job... or do you think thousands of people and companies who are paying someone else to keep up with the server and website are stupid and they just like to throw their money out of the window.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Thu, 07/06/2017 - 04:28 (Reply to #5)
unborn

as you said 'discovered pretty nasty exploit in one WP plugin' ....I understand that sentence - badly coded in my point of view, and I just said this in a different way. My wp was never hacked and I write my own themes from scratch but keep them to the bare bone minimum. I also don't use any plugins; usually you can build the same basic function into the theme, aka responsive images or videos or basic things like that. Anyway what I said was, keep everything up2date and use only good quality code (themes and plugins). The best way is when you can code themes and plugins yourself, so you know what you are doing out there, or you can review the code yourself.. that's what I said and mean.

Configuring/troubleshooting Debian servers is always great fun

Thu, 07/06/2017 - 01:05
geocrasher

Hello, I think it's been somewhat covered but there is more you can do too. First off, make sure that everything is updated, not just WordPress: themes, plugins, anything. Follow these:

https://codex.wordpress.org/FAQ_My_site_was_hacked
http://codex.wordpress.org/Hardening_WordPress

Next, you need to secure your system at least a bit. Don't run ssh on port 22; move it to almost anywhere else. Also, for CentOS I highly recommend that you install APF and BFD as well as Maldet. First install ClamAV on your system, then Maldet, and configure APF to work with your system's ports. Learn how to install those programs and how they work here:

https://www.rfxn.com/projects/linux-malware-detect/
https://www.rfxn.com/projects/brute-force-detection/
https://www.rfxn.com/projects/advanced-policy-firewall/

BFD and APF work together to keep brute forcers out and it's good protection. Maldet is awesome and you can configure weekly scans of your system. You might also consider a watchdog script that closes port 25 if the mail queue gets into the thousands.

If you need help with those things let me know: my username at gmail.com.
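The mail-queue watchdog suggested at the end of geocrasher's post, as an added example that is not geocrasher's script and not part of the original thread. It is a POSIX shell script for a CentOS/Postfix box like the one in this thread: it reads the request count from `postqueue -p`, and once the queue passes a threshold it logs the event, rejects outbound port 25 and puts the queued mail on hold so it can be inspected instead of delivered. The threshold of 1000, the log file path, the `iptables` rule and the cron schedule are assumptions; the sample queue listing is constructed.

```shell
#!/bin/sh
# Added example, not the thread's own code: a Postfix queue watchdog in the spirit of
# geocrasher's suggestion. Threshold, log file and firewall rule are assumptions.
THRESHOLD="${THRESHOLD:-1000}"                     # assumed: "into the thousands"
LOGFILE="${LOGFILE:-/var/log/mailq-watchdog.log}"  # assumed log location

# Constructed sample of `postqueue -p` output (not a real queue) used by demo_count.
SAMPLE_QUEUE='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5     1234 Tue Jul  4 08:45:00  sender@example.invalid
                                         victim@example.invalid

-- 12 Kbytes in 3 Requests.'

# queue_count: read `postqueue -p` output on stdin and print the number of queued
# requests. Postfix ends its listing with "-- 12 Kbytes in 3 Requests." and prints
# "Mail queue is empty" when nothing is queued.
queue_count() {
  awk '
    /^Mail queue is empty/ { print 0; found = 1 }
    /^-- .* in [0-9]+ Request/ {
      for (i = 1; i <= NF; i++) if ($i == "in") { print $(i + 1); found = 1 }
    }
    END { if (!found) print 0 }
  '
}

# demo_count: run the parser over the constructed sample (prints 3).
demo_count() {
  printf '%s\n' "$SAMPLE_QUEUE" | queue_count
}

# should_block COUNT THRESHOLD: succeed (exit 0) when COUNT has reached THRESHOLD.
should_block() {
  [ "$1" -ge "$2" ]
}

# block_smtp: stop further outbound delivery and freeze what is already queued.
# Both commands assume root on a CentOS/Postfix host.
block_smtp() {
  iptables -I OUTPUT -p tcp --dport 25 -j REJECT
  postsuper -h ALL
}

# main: intended to run from cron every few minutes, e.g. (assumed)
#   */5 * * * * /usr/local/sbin/mailq-watchdog.sh --run
main() {
  count=$(postqueue -p | queue_count)
  if should_block "$count" "$THRESHOLD"; then
    echo "$(date '+%F %T') queue=$count threshold=$THRESHOLD: blocking port 25" >> "$LOGFILE"
    block_smtp
  fi
}

# Only act when explicitly asked, so the functions can be sourced and tested safely.
case "${1:-}" in
  --run) main ;;
esac
```

Once the rule is in place the queue stays frozen until someone looks at it (`postqueue -p`, then `postsuper -d` for the spam and `postsuper -H ALL` to release the rest), which is the point: a spam run on a home server is better stopped early and examined than drained. The same parser can be pointed at `mailq`, which on Postfix prints the same summary line.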

Thu, 07/06/2017 - 20:55
applejack

Sorry unborn, but the idea that as a commercial website production company you cannot use any plugins is fantasy. The same goes for updating WordPress as soon as updates come out, since usually it takes a while for themes and plugins to become compatible. The trouble with WordPress is that there are far too many security holes and far too many updates.

Thu, 07/06/2017 - 22:40
Joe

It happens to the best of us; we've had our WordPress blog site hacked once in the past, even though it was fully up-to-date with the latest available stuff (I'm in the midst of rebuilding it in a static site generator, since spam was a big enough problem to make comments not very useful). WordPress is a huge ecosystem with a wildly varying level of quality across plugins, and sometimes it's very hard to know which plugins are well-designed and using good security practices. Some of the most popular plugins got that way on the strength of good graphic design and UI, with little attention paid to the underlying code.

Anyway, it probably was a WordPress plugin exploit... the best you can do is clean up, make sure all the latest plugins are installed, maybe disable any you don't absolutely need, do a little googling to make sure they're all still being maintained and don't have known exploits, etc. Since everything seems to have been contained in one user directory, it's probably safe to assume they did not obtain root (they would have cleaned up after themselves and covered their tracks if they did, and you'd never know they were there... they might even have manipulated the mail log to make it harder to see they were sending spam).

Fail2ban is good for many brute force attacks, but would need explicit configuration to follow a virtual host log; off-the-shelf rules won't work for it. Edit: Also this probably was not a brute force attack. They probably came in through an exploit of something in WordPress.

--

Check out the forum guidelines!
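Joe's point that stock fail2ban rules do not watch a Virtualmin virtual host log is easy to act on. As an added example (not Joe's code and not part of the original thread), this POSIX shell script writes a fail2ban jail and filter that count POST requests to wp-login.php in each domain's Apache access log, and it includes a `grep` check of the same pattern against constructed log lines so you can see what the filter would count before enabling it. The log path `/home/*/logs/access_log`, the jail name and the ban timings are assumptions for a Virtualmin host; `<HOST>` is fail2ban's own placeholder for the client address.

```shell
#!/bin/sh
# Added example, not from the thread: a fail2ban jail for the WordPress login page of a
# Virtualmin virtual host, plus a local check of the filter against constructed log lines.
# The log path (/home/*/logs/access_log), jail name and ban settings are assumptions.

# fail2ban failregex: <HOST> is fail2ban's placeholder for the client address.
FAILREGEX='^<HOST> .* "POST /wp-login\.php'
# The same pattern in grep -E form with <HOST> replaced by an IPv4 literal, for offline testing.
GREPREGEX='^[0-9]+(\.[0-9]+){3} .* "POST /wp-login\.php'

# Constructed Apache combined-log lines (documentation addresses, not real traffic).
SAMPLE_LOG='203.0.113.7 - - [04/Jul/2017:08:40:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Jul/2017:08:40:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
198.51.100.2 - - [04/Jul/2017:08:41:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2801 "-" "Mozilla/5.0"
198.51.100.2 - - [04/Jul/2017:08:41:12 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"'

# write_fail2ban_config DIR: write filter.d/wordpress-login.local and jail.d/wordpress-login.local
# under DIR (normally /etc/fail2ban). Five POSTs to wp-login.php from one address within
# ten minutes ban it for an hour; tune maxretry/findtime/bantime to taste.
write_fail2ban_config() {
  dir="$1"
  mkdir -p "$dir/filter.d" "$dir/jail.d"
  cat > "$dir/filter.d/wordpress-login.local" <<EOF
[Definition]
failregex = $FAILREGEX
ignoreregex =
EOF
  cat > "$dir/jail.d/wordpress-login.local" <<EOF
[wordpress-login]
enabled  = true
port     = http,https
filter   = wordpress-login
logpath  = /home/*/logs/access_log
maxretry = 5
findtime = 600
bantime  = 3600
EOF
}

# count_login_posts: read access-log lines on stdin, print how many the filter would count.
# grep -c exits 1 when the count is 0, so keep the function's exit status clean.
count_login_posts() {
  grep -Ec "$GREPREGEX" || true
}

# count_sample_login_posts: run the check over the constructed sample (prints 2:
# the two POSTs count, the GET of the login page and the front page do not).
count_sample_login_posts() {
  printf '%s\n' "$SAMPLE_LOG" | count_login_posts
}

# Only write files when explicitly asked, e.g. (as root): ./wp-fail2ban.sh --install /etc/fail2ban
case "${1:-}" in
  --install) write_fail2ban_config "${2:-/etc/fail2ban}" ;;
esac
```

After installing, `fail2ban-regex /home/example.invalid/logs/access_log /etc/fail2ban/filter.d/wordpress-login.local` shows how many lines the real filter matches, and `fail2ban-client status wordpress-login` lists current bans. Counting POSTs rather than failed logins is a deliberate simplification: the access log does not record whether a login succeeded, so legitimate users who mistype their password a few times stay under the five-in-ten-minutes line while a scripted run does not.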

Sat, 07/15/2017 - 03:31
drguild

Cheers for the replies; I had notifications off for some reason on this thread.

No more spam has been sent or returned and everything seems to be running ok again.

Yea, whoever it was via the handle got in, disabled WordPress, installed an ssh plugin into WordPress and ran a php script that was sending spam.

That was all that was done, I still have the cleaned up files which I will delete at some stage.

WordPress was mostly updated and wasn't using many plugins etc., mainly core ones. WordPress has been hit with a few exploits recently and an update was released in the last month to fix them, which I applied.

Server keeps running well here.

I plan to redo it sometime in a better format and may post here and elsewhere for advice on a better setup.

I did put in fail2ban but it's the default config still,
