
server hacking issue

jokymic Member
edited September 2019 in Help

Hi. Recently I moved one of my client's servers to DA. After a few days I started facing phishing site scripts in different accounts. I fixed a few accounts, and later on the ratio started increasing. I installed maldet, scanned the server, found some malware and removed it; for a while the process stopped, then later on it started again. I installed ImunifyAV+ but am unable to get any future reports. Most of the domains are penalized in Google because of having phishing scripts. Can anyone suggest something? Also, while checking manually and scanning the reported sites, I found some shells outside public_html. I think he successfully bypassed the restriction. What to do, what to check?
99% of the sites are WordPress based, 1% are PHP or some other scripts.
@DA_Mark @MikePT @Francisco hope you guyz will suggest something.

Comments

  • Francisco Top Host, Host Rep, Veteran

    This isn't a DA issue.

    Did you have Cloudlinux before and now you don't?

    Francisco

  • Yes, I had CloudLinux before and now also.

  • However, Symlink was not enabled; I just enabled it while reviewing some settings because he was creating different links with some other domains within his phishing scripts.

  • It seems like the server is compromised? Did you lock down root access and disable password login? Is your desktop/laptop infected by a virus? IMO it's best to re-install and start from scratch, and if you can't properly manage a server's security, you should consider hiring a sysadmin or getting a fully managed server.

    Thanked by: uptime
  • uptime Member
    edited September 2019

    general protocol when in doubt: delete everything and re-install from backups

    assuming unpatched vulnerabilities are also restored from backups - keep an eye on things and then - at the very first sign of trouble ... delete everything once again - this time also be sure to delete backups. :smiley:

    not entirely joking about that last part either.

    bottom line is sometimes it's easier to just rebuild from scratch than to debug an infested edifice.

    would encourage you to get better advice, and hire a sysadmin (or get managed hosting) as necessary.

    If you can't handle your security - you're going to have a bad time.

    EDIT2: Also ... take a deep breath. Take a few minutes.

    And try to organize some more details so people might be able to offer more specific suggestions.

    • What applications are you running? (i.e., WordPress with plugins, or ...?)
    • What specific fingerprints etc are reported by your malware scans?
    • And so on.

    EDIT3: echoing what @Sanvit said above ... lol

  • @sanvit said:
    It seems like the server is compromised? Did you lock down root access and disable password login? Is your desktop/laptop infected by a virus? IMO it's best to re-install and start from scratch, and if you can't properly manage a server's security, you should consider hiring a sysadmin or getting a fully managed server.

    Maybe.... Yes, done already: changed the port, changed the password... Reinstalling is not easier because it has almost 350 accounts with 500 GB of data, so I think it can cause more trouble, because the client is not allowing changing the server again because of downtime. I already suggested he move to a new server. Can you suggest any sysadmin for DA?

    {HEX}Malware.Expert.steal.user.pass.0 : /home/fashionf/domains/fashionforwomen.us/public_html/hh/Yahoo/Yahoo/emma.php => /usr/local/maldetect/quarantine/emma.php.1337717249
    {HEX}Malware.Expert.steal.user.pass.0 : /home/fashionf/domains/fashionforwomen.us/public_html/hh/ttt.zip => /usr/local/maldetect/quarantine/ttt.zip.879718250
    {HEX}Malware.Expert.generic.hidden.include.3 : /home/freejobs/domains/freejobsabroad.com/public_html/wp-content/upgrade/103356_mylisting212-1/mylisting212/Theme Files/my-listing.zip => /usr/local/maldetect/quarantine/my-listing.zip.232305456
    {HEX}Malware.Expert.generic.hidden.include.3 : /home/freejobs/domains/freejobsabroad.com/public_html/wp-content/upgrade/103356_mylisting212-1/mylisting212/Theme Files/my-listing-child.zip => /usr/local/maldetect/quarantine/my-listing-child.zip.1731916995
    {MD5}Malware.Expert.sync.php : /home/hahakolapk/domains/hahakolapk.info/public_html/retrieve/spool/sync.php => /usr/local/maldetect/quarantine/sync.php.68830443
    {HEX}Malware.Expert.generic.malware.165 : /home/hahakolapk/domains/hahakolapk.info/public_html/retrieve/api.php => /usr/local/maldetect/quarantine/api.php.3048224683
    {HEX}Malware.Expert.generic.malware.165 : /home/hahakolapk/domains/hahakolapk.info/public_html/retrieve.zip => /usr/local/maldetect/quarantine/retrieve.zip.78635907
    {HEX}Malware.Expert.generic.mailer.19 : /home/hahakolapk/domains/hahakolapk.info/public_html/sed/mail1.php => /usr/local/maldetect/quarantine/mail1.php.547021764
    {MD5}Malware.Expert.robots.txt : /home/hahakolapk/domains/hahakolapk.info/public_html/sed/robots.txt => /usr/local/maldetect/quarantine/robots.txt.1439512959
    {HEX}Malware.Expert.generic.malware.174 : /home/hahakolapk/domains/hahakolapk.info/public_html/sed/index.php => /usr/local/maldetect/quarantine/index.php.2928126054
    {MD5}Malware.Expert.go.php : /home/hahakolapk/domains/hahakolapk.info/public_html/sed/go.php => /usr/local/maldetect/quarantine/go.php.2282630591
    {HEX}Malware.Expert.generic.mailer.19 : /home/hahakolapk/domains/hahakolapk.info/public_html/sed/mail.php => /usr/local/maldetect/quarantine/mail.php.226618797
    {HEX}Malware.Expert.generic.malware.165 : /home/hahakolapk/domains/hahakolapk.info/public_html/sed/api.php => /usr/local/maldetect/quarantine/api.php.781917725
    {MD5}Malware.Expert.sync.php : /home/hahakolapk/domains/hahakolapk.info/public_html/sed/sync.php => /usr/local/maldetect/quarantine/sync.php.2213912880
    {HEX}Malware.Expert.generic.uploader.73 : /home/holbuoco/domains/holbuo.com/public_html/wp-content/themes/news-box-lite/db.php => /usr/local/maldetect/quarantine/db.php.243802459
    {HEX}Malware.Expert.generic.malware.155 : /home/holbuoco/domains/holbuo.com/public_html/wp-content/themes/news-box-lite/st.php => /usr/local/maldetect/quarantine/st.php.1429825780
    {HEX}Malware.Expert.generic.create.function.10 : /home/holbuoco/domains/holbuo.com/public_html/wp-content/themes/news-box-lite/indx.php => /usr/local/maldetect/quarantine/indx.php.167917731
    {HEX}Malware.Expert.generic.base64.decode.28 : /home/holbuoco/domains/holbuo.com/public_html/wp-content/themes/news-box-lite/tbl_status.php => /usr/local/maldetect/quarantine/tbl_status.php.2021113940
    {HEX}php.base64.v23au.187 : /home/holbuoco/domains/holbuo.com/public_html/wp-content/plugins/granular-controls-for-elementor/modules/dagsrnhf.php => /usr/local/maldetect/quarantine/dagsrnhf.php.321038299

    Here is a fresh report from maldet; however, now the DirectAdmin account suspend has also stopped working.

    Thanked by: uptime
  • Francisco Top Host, Host Rep, Veteran
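
A maldet report like the one above is easier to act on when it is grouped per account, with files that sit outside any public_html (the "shells outside the public_html" the OP mentions) and the plugin or theme directory each hit lives in pulled out. The parser below is an added example, not code from the post or from maldet; it assumes maldet's "{HEX|MD5}signature : file => quarantine copy" line format seen in the report and the /home/<account>/domains/<domain>/public_html layout seen in the paths, and it runs on constructed sample lines (made-up accounts, domains and quarantine suffixes).

```python
import re
from collections import Counter, defaultdict

# Constructed sample report in maldet's "signature : file => quarantine copy" line
# format. Account names, domains and quarantine suffixes are made up for this
# example; they are not the entries from the post.
SAMPLE_REPORT = """\
{HEX}Malware.Expert.generic.mailer.19 : /home/acct1/domains/one.example/public_html/sed/mail.php => /usr/local/maldetect/quarantine/mail.php.1001
{HEX}Malware.Expert.generic.malware.165 : /home/acct1/domains/one.example/public_html/sed/api.php => /usr/local/maldetect/quarantine/api.php.1002
{HEX}Malware.Expert.generic.uploader.73 : /home/acct2/domains/two.example/public_html/wp-content/themes/sample-theme/db.php => /usr/local/maldetect/quarantine/db.php.1003
{HEX}php.base64.v23au.187 : /home/acct2/domains/two.example/public_html/wp-content/plugins/sample-plugin/modules/x.php => /usr/local/maldetect/quarantine/x.php.1004
{HEX}Malware.Expert.generic.hidden.include.3 : /home/acct2/domains/two.example/public_html/wp-content/upgrade/Theme Files/t.zip => /usr/local/maldetect/quarantine/t.zip.1005
{MD5}Malware.Expert.sync.php : /home/acct3/.cache/sync.php => /usr/local/maldetect/quarantine/sync.php.1006
not a report line
"""

# {HEX|MD5}signature : original path => quarantine path ; the path may contain spaces
HIT_RE = re.compile(r"^\{(?P<kind>HEX|MD5)\}(?P<sig>\S+) : (?P<path>.+?) => (?P<quarantine>\S+)$")
COMPONENT_RE = re.compile(r"/wp-content/(?P<type>plugins|themes)/(?P<name>[^/]+)/")


def parse_report(text):
    """Turn maldet report lines into dicts; lines that don't match the format are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        hit = m.groupdict()
        parts = hit["path"].split("/")
        # /home/<account>/... : the account is the second path component
        hit["account"] = parts[2] if len(parts) > 2 and parts[1] == "home" else "?"
        # a hit with no public_html in its path is a file outside any web root
        hit["outside_docroot"] = "/public_html/" not in hit["path"]
        comp = COMPONENT_RE.search(hit["path"])
        hit["component"] = f"{comp.group('type')}/{comp.group('name')}" if comp else None
        hits.append(hit)
    return hits


def summarize(hits):
    """Group hits per account, list files outside any web root, count affected plugins/themes."""
    per_account = defaultdict(Counter)
    for h in hits:
        per_account[h["account"]][h["sig"]] += 1
    return {
        "per_account": {acct: dict(sigs) for acct, sigs in per_account.items()},
        "outside_docroot": [h["path"] for h in hits if h["outside_docroot"]],
        "components": dict(Counter(h["component"] for h in hits if h["component"])),
    }


if __name__ == "__main__":
    report = summarize(parse_report(SAMPLE_REPORT))
    for acct, sigs in report["per_account"].items():
        print(acct, sigs)
    print("outside web root:", report["outside_docroot"])
    print("plugins/themes hit:", report["components"])
```

Feed it the real report (for example the file maldet writes per scan, or the quarantine section of its output) and the "outside web root" list is the first thing to look at: a hit under /home/<account>/ but not under a public_html is a file the web server should never have written, which is exactly the symptom the OP describes.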

    Honestly, I bet that you just have some bad plugins or you never noticed the previous compromises.

    If CloudLinux is there and CageFS is enabled then there's no way for it to spread on your servers.

    With that being said, I think some popular plugin got popped recently since we've seen a good handful of Wordpress sites all get compromised recently.

    Francisco

    Thanked by: uptime, Sofia_K
  • @uptime said:
    general protocol when in doubt: delete everything and re-install from backups

    assuming unpatched vulnerabilities are also restored from backups - keep an eye on things and then - at the very first sign of trouble ... delete everything once again - this time also be sure to delete backups. :smiley:

    not entirely joking about that last part either.

    bottom line is sometimes it's easier to just rebuild from scratch than to debug an infested edifice.

    would encourage you to get better advice, and hire a sysadmin (or get managed hosting) as necessary.

    If you can't handle your security - you're going to have a bad time.

    EDIT2: Also ... take a deep breath. Take a few minutes.

    And try to organize some more details so people might be able to offer more specific suggestions.

    • What applications are you running? (i.e., WordPress with plugins, or ...?)
    • What specific fingerprints etc are reported by your malware scans?
    • And so on.

    EDIT3: echoing what @Sanvit said above ... lol

    Thanks, let me update.

    Thanked by: uptime
  • @Francisco said:
    Honestly, I bet that you just have some bad plugins or you never noticed the previous compromises.

    If CloudLinux is there and CageFS is enabled then there's no way for it to spread on your servers.

    With that being said, I think some popular plugin got popped recently since we've seen a good handful of Wordpress sites all get compromised recently.

    Francisco

    Exactly, because I'm currently handling 40 servers with DA with the same configuration and none of them had any issue. I'm also thinking the same, it's the issue of plugins. Can you suggest anything to come out of this issue?

  • sanvit Member
    edited September 2019

    The only sysadmin that I can think of right now is @MikePT.

    Since you mentioned that none of the other servers are compromised, it may be a bad WP plugin, or you have missed it (don't the other 39 servers have similar setups? Lots of WP and a few other things)?

    If CageFS is enabled and it's a faulty WP plugin issue, afaik the virus won't spread to other users' accounts. In that case, I would temporarily suspend the users that have been hacked and check which plugins they are using. That might help pinpoint the root cause of it.

    That said, you should really consult with a security expert.

    Edit : I just read that DA account suspension isn't working either? It seems like the server itself is somehow compromised in such case (please correct me if I'm wrong though @DA_Mark ). IMO re-installing and starting from a clean backup or starting from scratch seems to be the best bet. Also, you might want to redact your client's domains on your log.

    Thanked by: uptime, MikePT
  • jokymic said: plugins, can you suggest anything to come out of this issue

    Try to find the common plugin(s) in these compromised sites. :neutral:
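
Finding the plugin shared by the compromised accounts, as suggested above, is a counting exercise once you have an inventory of which plugin slugs each account has installed. The script below is an added example, not code from the thread or from any of the tools named in it; it assumes the DirectAdmin-style /home/<user>/domains/<domain>/public_html layout seen in the OP's paths, builds a constructed three-account sample tree in a temporary directory (made-up plugin slugs), and ranks plugins by how many compromised accounts carry them against how many clean ones do.

```python
import tempfile
from collections import Counter
from pathlib import Path


def inventory_plugins(home_root):
    """Map each account under home_root to the set of WordPress plugin slugs it has installed.

    Assumes the DirectAdmin-style layout /home/<user>/domains/<domain>/public_html seen in
    the thread's paths; accounts without a domains/ directory are skipped."""
    inventory = {}
    for account in sorted(Path(home_root).iterdir()):
        domains = account / "domains"
        if not domains.is_dir():
            continue
        slugs = set()
        for domain in domains.iterdir():
            plugin_dir = domain / "public_html" / "wp-content" / "plugins"
            if plugin_dir.is_dir():
                slugs.update(p.name for p in plugin_dir.iterdir() if p.is_dir())
        inventory[account.name] = slugs
    return inventory


def rank_suspect_plugins(inventory, compromised):
    """Return (slug, n_compromised, n_clean) rows, most suspicious first.

    A plugin installed on every compromised account but on few clean ones is the
    strongest candidate for the shared entry point."""
    compromised = set(compromised)
    in_bad, in_clean = Counter(), Counter()
    for account, slugs in inventory.items():
        (in_bad if account in compromised else in_clean).update(slugs)
    rows = [(slug, in_bad[slug], in_clean[slug]) for slug in set(in_bad) | set(in_clean)]
    return sorted(rows, key=lambda r: (-r[1], r[2], r[0]))


def build_sample_tree(root):
    """Constructed sample tree: three accounts; the plugin slugs are made-up names."""
    layout = {
        "acct1": {"one.example": ["sample-seo", "sample-slider"]},
        "acct2": {"two.example": ["sample-slider", "sample-forms"]},
        "acct3": {"three.example": ["sample-seo", "sample-forms"]},
    }
    for account, domains in layout.items():
        for domain, plugins in domains.items():
            for slug in plugins:
                (Path(root) / account / "domains" / domain / "public_html"
                 / "wp-content" / "plugins" / slug).mkdir(parents=True)


def demo():
    """Build the sample tree with acct1 and acct2 marked compromised and rank the plugins."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return rank_suspect_plugins(inventory_plugins(tmp), compromised=["acct1", "acct2"])


if __name__ == "__main__":
    for slug, n_bad, n_clean in demo():
        print(f"{slug:16} compromised={n_bad} clean={n_clean}")
```

On a real server you would call inventory_plugins("/home") as root and pass the list of accounts maldet flagged; a slug that scores high on the compromised side and zero on the clean side is where to look first, while a slug present everywhere (on clean accounts too) tells you little on its own.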

  • @jokymic even my WP site was compromised. I got a notice in Google Webmaster Console about it. I'm also on DA but it was nothing to do with DA. I kept the WP comments section open (anybody could post links into it without moderation). So someone had posted 100s of phishing links. I just deleted all those comments, turned OFF the comments section on the WP site, resubmitted to Google Console and within 48 hours my site came out clean with no malware identification!

    So you'd better:
    1. Turn off WP plugins and check it.
    2. Check if WP comments are compromised with suspicious links.

    Thanked by: uptime
  • @Sofia_K said:
    @jokymic even my WP site was compromised. I got a notice in Google Webmaster Console about it. I'm also on DA but it was nothing to do with DA. I kept the WP comments section open (anybody could post links into it without moderation). So someone had posted 100s of phishing links. I just deleted all those comments, turned OFF the comments section on the WP site, resubmitted to Google Console and within 48 hours my site came out clean with no malware identification!

    So you'd better:
    1. Turn off WP plugins and check it.
    2. Check if WP comments are compromised with suspicious links.

    It's not about comments. I'm finding files without having a shell in WordPress; it's anonymous.

  • @sanvit said:
    The only sysadmin that I can think of right now is @MikePT.

    Since you mentioned that none of the other servers are compromised, it may be a bad WP plugin, or you have missed it (don't the other 39 servers have similar setups? Lots of WP and few other stuff)?

    If CageFS is enabled and it's a faulty WP plugin issue, afaik the virus won't spread to other user's accounts. In that case, I would temporarily suspend the users that has been hacked and check which plugins they are using. That might help pinpoint the root cause of it.

    That said, you should really consult with a security expert.

    Edit : I just read that DA account suspension isn't working either? It seems like the server itself is somehow compromised in such case (please correct me if I'm wrong though @DA_Mark ). IMO re-installing and starting from a clean backup or starting from scratch seems to be the best bet. Also, you might want to redact your client's domains on your log.

    Here he is doing it in other accounts without pasting shells in scripts; that's the reason I have posted this.

  • TheLinuxBug Member
    edited September 2019

    @jokymic You can also utilize https://github.com/scr34m/php-malware-scanner (free) and see if it helps identify some of the exploits better. Past that, I would suggest to anyone running a shared server (cPanel, Plesk, DA, etc.) to install CXS ( https://configserver.com/cp/cxs.html - paid license, $60 one time) and take advantage of 'cxswatch', which is included, to regularly watch and scan your system for unexpected malicious files being uploaded. So, use CXS to help you identify and remove the malware and 'cxswatch' to monitor the server once it is cleaned to make sure you don't get reinfected. I have used CXS for years; they update their patterns frequently and it works well. Worth the $60 one-time license fee, every dime!

    My 2 pennies.

    Cheers!

  • TheLinuxBug Member
    edited September 2019

    sanvit said: The only sysadmin that I can think of right now is @MikePT.

    Really, you're writing on a forum which is specific to the field where most sysadmins work and you're assuming there is only a single person on here who is a 'sysadmin'?? Pretty much any managed service from a provider here should be able to offer the 'sysadmin' services you need; that is the whole point of this business.

    If you are looking for a sysadmin, there are a lot to meet here. Simply set expectations for what you would pay and I am sure someone here would reach out to let you know they can help.

    @sanvit Not trying to pick on you, but seems silly to suggest only a single 'sysadmin' exists on a forum full of them. LOL.

    my 2 cents.

    Cheers!

  • @TheLinuxBug said:
    @jokymic You can also utilize https://github.com/scr34m/php-malware-scanner (free) and see if it helps identify some of the exploits better. Past that, I would suggest to anyone running a shared server (cPanel, Plesk, DA, etc.) to install CXS ( https://configserver.com/cp/cxs.html - paid license, $60 one time) and take advantage of 'cxswatch', which is included, to regularly watch and scan your system for unexpected malicious files being uploaded. So, use CXS to help you identify and remove the malware and 'cxswatch' to monitor the server once it is cleaned to make sure you don't get reinfected. I have used CXS for years; they update their patterns frequently and it works well. Worth the $60 one-time license fee, every dime!

    My 2 pennies.

    Cheers!

    Thanks, started it just now, let's see. And can I change the IP of the license later? Have you any info?

  • @jokymic said:
    it not about comments i m finding files without have a shell in wordpress its anoymous

    I had a similar issue where one of my client's WordPress websites was compromised due to one of the plugins he installed from the built-in plugin installer in the WP admin panel.

    Once the site was compromised, the hacker had access to his account and used it to replace his WordPress core files with scripts that perform the same function but also contain hacked code, which the virus scan was unable to identify.

    The database also had "hidden" users with admin access to the site.

    The hacker also had binary files that loaded predetermined cron jobs and gave the hacker access to the site even if I removed all the files. The virus scan did pick up this binary file.

    The only way was to remove his account, delete all files and the database, reinstall WordPress with a different set of plugins, and finally restore an old copy of his database.

    @jokymic said:
    here he is doing in other accounts without pasting shells in scripts thats the reason i have posted this

    Shell scripts can be run from PHP as well as from binary files, so do check the files manually in case you opt not to restore or reinstall from an old backup.

    Thanked by: uptime
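
The "hidden" administrator users somik mentions live in the database, not in the files, so a file scan never sees them. In WordPress the role is stored as a serialized array in wp_usermeta under the meta_key wp_capabilities, so listing every user whose capabilities contain "administrator" and comparing that list against the logins the site owner actually knows is a quick, scanner-independent check. The example below is added here, not code from the thread or from WordPress; it runs the query against a constructed in-memory SQLite stand-in for wp_users / wp_usermeta (sample users and e-mails are made up) and assumes the default wp_ table prefix.

```python
import sqlite3

# Default WordPress table prefix is wp_; the capability meta key carries the same
# prefix (wp_capabilities), so adjust both if the site uses a different prefix.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered
"""


def list_admins(db):
    """Every user whose serialized capabilities grant the administrator role."""
    cols = ("id", "login", "email", "registered")
    return [dict(zip(cols, row)) for row in db.execute(ADMIN_QUERY)]


def unexpected_admins(db, known_logins):
    """Administrators that are not on the owner's list of expected admin logins."""
    known = set(known_logins)
    return [a for a in list_admins(db) if a["login"] not in known]


def open_sample_db():
    """Constructed in-memory stand-in for wp_users / wp_usermeta (sample data, not a real site)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES (1, 'owner',      'owner@one.example',    '2018-01-05 10:00:00');
        INSERT INTO wp_users VALUES (2, 'editor1',    'editor@one.example',   '2018-03-02 09:00:00');
        INSERT INTO wp_users VALUES (3, 'wp-support', 'noreply@mail.example', '2019-09-01 03:12:44');
        INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
        INSERT INTO wp_usermeta VALUES (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return db


if __name__ == "__main__":
    db = open_sample_db()
    for admin in unexpected_admins(db, known_logins=["owner"]):
        print("unexpected administrator:", admin)
```

The same ADMIN_QUERY runs unchanged against the site's MySQL database (for example from the mysql client or any DB-API connection); sorting by user_registered puts accounts created around the time of the compromise at the bottom, which is usually where the planted admin shows up.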
  • Hxxx Member
    edited September 2019

    All these WordPress sites getting compromised. The solution is simple: Wordfence.
    Install that, do the hardening and activate the relevant features/options like "prevent upload dir execution", set up their WAF and call it a day forever.

    There is nothing superior to Wordfence. The freemium is solid, imagine the paid...
    The most important aspect of it is the WAF; that thing blocks any kind of zero-day or vector attack.

    Pay attention to the notices wordfence will send you about your plugins and themes.

    Thanked by: ITLabs, timelapse
  • @TheLinuxBug thanks for your valuable suggestions, finally 90% of the issue has been fixed.
    Load is normal, no report in the last 24 hours, still monitoring the services and other stuff.

  • @somik said:

    @jokymic said:
    it not about comments i m finding files without have a shell in wordpress its anoymous

    I had a similar issue where one of my client's WordPress websites was compromised due to one of the plugins he installed from the built-in plugin installer in the WP admin panel.

    Once the site was compromised, the hacker had access to his account and used it to replace his WordPress core files with scripts that perform the same function but also contain hacked code, which the virus scan was unable to identify.

    The database also had "hidden" users with admin access to the site.

    The hacker also had binary files that loaded predetermined cron jobs and gave the hacker access to the site even if I removed all the files. The virus scan did pick up this binary file.

    The only way was to remove his account, delete all files and the database, reinstall WordPress with a different set of plugins, and finally restore an old copy of his database.

    @jokymic said:
    here he is doing in other accounts without pasting shells in scripts thats the reason i have posted this

    Shell scripts can be run from PHP as well as from binary files, so do check the files manually in case you opt not to restore or reinstall from an old backup.

    I suggest you do a complete backup of the website once, then simply delete everything (terminate the account), recreate it, reinstall fresh WordPress, then also the plugins and theme;
    replace the existing database and then edit wp-config and update the config. Don't forget to change the password of the user account and also hide the WP login page; it will help.

  • @TheLinuxBug said:
    Really, you're writing on a forum which is specific to the field where most sysadmins work and you're assuming there is only a single person on here who is a 'sysadmin'?? Pretty much any managed service from a provider here should be able to offer the 'sysadmin' services you need; that is the whole point of this business.

    It's best to ignore comments like this. No need to get upset over people who don't know what a sysadmin is...

  • @sanvit said:
    It seems like the server is compromised? Did you lock down root access and disable password login? Is your desktop/laptop infected by a virus? IMO it's best to re-install and start from scratch, and if you can't properly manage a server's security, you should consider hiring a sysadmin or getting a fully managed server.

    This is why I prefer reseller hosting over a VPS / Dedicated Server. Managing a server is a pain in the ass, especially if most of the time you're still googling whenever a problem arises.

  • sanvit Member
    edited September 2019

    @TheLinuxBug said:

    sanvit said: The only sysadmin that I can think of right now is @MikePT.

    Really, you're writing on a forum which is specific to the field where most sysadmins work and you're assuming there is only a single person on here who is a 'sysadmin'?? Pretty much any managed service from a provider here should be able to offer the 'sysadmin' services you need; that is the whole point of this business.

    If you are looking for a sysadmin, there are a lot to meet here. Simply set expectations for what you would pay and I am sure someone here would reach out to let you know they can help.

    @sanvit Not trying to pick on you, but seems silly to suggest only a single 'sysadmin' exists on a forum full of them. LOL.

    my 2 cents.

    Cheers!

    I said the only one I can think of right now. I may have worded it wrong though. If you see the comments above, I told OP to hire a sysadmin, and OP asked me for a suggestion. Since the only one I know who does paid server management is MikePT, I suggested him. I didn't mean only MikePT is a sysadmin here.

    @yokowasis said:

    @sanvit said:
    It seems like the server is compromised? Did you lock down root access and disable password login? Is your desktop/laptop infected by a virus? IMO it's best to re-install and start from scratch, and if you can't properly manage a server's security, you should consider hiring a sysadmin or getting a fully managed server.

    This is why I prefer reseller hosting over a VPS / Dedicated Server. Managing a server is a pain in the ass, especially if most of the time you're still googling whenever a problem arises.

    Agreed. If you don't have good knowledge of it, it's best to leave it in the hands of someone who knows what they are doing :)

    Thanked by: uptime, MikePT
  • @yokowasis said:

    @sanvit said:
    It seems like the server is compromised? Did you lock down root access and disable password login? Is your desktop/laptop infected by a virus? IMO it's best to re-install and start from scratch, and if you can't properly manage a server's security, you should consider hiring a sysadmin or getting a fully managed server.

    This is why I prefer reseller hosting over a VPS / Dedicated Server. Managing a server is a pain in the ass, especially if most of the time you're still googling whenever a problem arises.

    How can you learn? Till when will you bother with the other services? Googling is the best way to learn the thing which even you don't know, and sharing the experience is one of the best things which can solve anyone's problems and give others a good lesson. You are also right.

  • uptime Member
    edited September 2019

    SOMEONE SET UP US THE BOMB!

    MAIN SCREEN TURN ON

    HOW ARE YOU GENTLEMEN

    YOU ARE ON THE WAY TO DESTRUCTION

    YOU HAVE NO CHANCE TO SURVIVE

    MAKE YOUR TIME

    ALL YOUR WORDPRESS ARE BELONG TO ARSE!

  • @jokymic said:

    @yokowasis said:

    @sanvit said:
    It seems like the server is compromised? Did you lock down root access and disable password login? Is your desktop/laptop infected by a virus? IMO it's best to re-install and start from scratch, and if you can't properly manage a server's security, you should consider hiring a sysadmin or getting a fully managed server.

    This is why I prefer reseller hosting over a VPS / Dedicated Server. Managing a server is a pain in the ass, especially if most of the time you're still googling whenever a problem arises.

    How can you learn? Till when will you bother with the other services? Googling is the best way to learn the thing which even you don't know, and sharing the experience is one of the best things which can solve anyone's problems and give others a good lesson. You are also right.

    I am learning when people's business doesn't depend on me. I am offering a product which I am comfortable selling. I will resell other people's services until I know enough about how to manage a server.

    If your way of doing business is selling shit while you still learn, then I feel sorry for your client. Just like others suggested, just hire a competent sysadmin. Or, you know, resell other people's services until you know what you really are dealing with.

  • @yokowasis said:

    @jokymic said:

    @yokowasis said:

    @sanvit said:
    It seems like the server is compromised? Did you lock down root access and disable password login? Is your desktop/laptop infected by a virus? IMO it's best to re-install and start from scratch, and if you can't properly manage a server's security, you should consider hiring a sysadmin or getting a fully managed server.

    This is why I prefer reseller hosting over a VPS / Dedicated Server. Managing a server is a pain in the ass, especially if most of the time you're still googling whenever a problem arises.

    How can you learn? Till when will you bother with the other services? Googling is the best way to learn the thing which even you don't know, and sharing the experience is one of the best things which can solve anyone's problems and give others a good lesson. You are also right.

    I am learning when people's business doesn't depend on me. I am offering a product which I am comfortable selling. I will resell other people's services until I know enough about how to manage a server.

    If your way of doing business is selling shit while you still learn, then I feel sorry for your client. Just like others suggested, just hire a competent sysadmin. Or, you know, resell other people's services until you know what you really are dealing with.

    However, I fixed it myself, but when you're confused you need help from experienced people, so I posted here. As you see, many people recommended different things to me; I chose a few and fixed the server myself. It's a part of life. However, I'm totally against reseller hosting because it's just a headache, nothing else.
