server hacking issue
Hi. Recently I moved one of my client's servers to DA. After a few days I started finding phishing-site scripts in different accounts. I fixed a few accounts, but later the rate started increasing. I installed maldet and scanned the server; it found some malware and I removed it. For a while the process stopped, then later it started again. I installed ImunifyAV+ but am unable to get any further reports. Most of the domains are penalized in Google because of the phishing scripts. Can anyone suggest something? Also, while checking manually and scanning the reported sites, I found some shells outside public_html. I think he successfully bypassed the restriction. What should I do, and what should I check?
99% of the sites are WordPress-based; 1% are PHP or some other scripts.
@DA_Mark @MikePT @Francisco, hope you guys will suggest something.
Comments
This isn't a DA issue.
Did you have Cloudlinux before and now you don't?
Francisco
Yes, I had CloudLinux before and still have it now.
However, Symlink was not enabled; I just enabled it while reviewing some settings, because he was creating different links with some other domains within his phishing scripts.
It seems like the server is compromised. Did you lock down root access and disable password login? Is your desktop/laptop infected by a virus? IMO it's best to re-install and start from scratch, and if you can't properly manage a server's security, you should consider hiring a sysadmin or getting a fully managed server.
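The two settings this reply asks about, root login and password authentication, live in sshd_config, and the usual mistake is to append the hardening lines at the bottom of the file: sshd uses the first value it reads for a keyword, so an earlier "PasswordAuthentication yes" silently wins. The following is an added example, not from the thread, that reports the values sshd would actually take. The function names, the "unset" sentinel and the default assumed for an unset PermitRootLogin (prohibit-password, OpenSSH 7.0 and later) are assumptions of the example; it inspects only the global section and stops at the first Match block.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an sshd_config still
# permits root login or password authentication. sshd takes the FIRST value
# it reads for each keyword, so this check returns the first match too.
# Only the global section is read; parsing stops at the first Match block.

# first_value FILE KEYWORD -> effective value (lowercase) or "unset"
first_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        { gsub(/=/, " ") }                        # accept "Keyword=value"
        /^[[:space:]]*#/ || NF == 0 { next }      # comments and blank lines
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# sshd_weak_settings FILE -> one line per setting; returns the number of
# weak settings (0 means both are hardened).
sshd_weak_settings() {
    weak=0
    root=$(first_value "$1" PermitRootLogin)
    pw=$(first_value "$1" PasswordAuthentication)
    case "$root" in
        yes)   echo "WEAK PermitRootLogin $root"; weak=$((weak + 1)) ;;
        unset) echo "NOTE PermitRootLogin unset (assumed default for OpenSSH 7.0+: prohibit-password)" ;;
        *)     echo "OK   PermitRootLogin $root" ;;
    esac
    case "$pw" in
        no) echo "OK   PasswordAuthentication no" ;;
        *)  echo "WEAK PasswordAuthentication $pw (sshd default is yes)"; weak=$((weak + 1)) ;;
    esac
    return "$weak"
}

# Stand-alone use:  sh sshd_check.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    sshd_weak_settings "$1"
fi
```

On the server itself, `sshd -T | grep -Ei 'permitrootlogin|passwordauthentication'` prints the values the running daemon resolves, Match blocks included, and is the authoritative check; the script above is for reviewing a config file offline, for example one pulled from a backup.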
General protocol when in doubt: delete everything and re-install from backups.
Assuming unpatched vulnerabilities are also restored from backups, keep an eye on things, and then, at the very first sign of trouble... delete everything once again; this time also be sure to delete the backups.
Not entirely joking about that last part either.
Bottom line is that sometimes it's easier to just rebuild from scratch than to debug an infested edifice.
I would encourage you to get better advice, and hire a sysadmin (or get managed hosting) as necessary.
If you can't handle your security - you're going to have a bad time.
EDIT2: Also ... take a deep breath. Take a few minutes.
And try to organize some more details so people might be able to offer more specific suggestions.
EDIT3: echoing what @Sanvit said above ... lol
Maybe... yes, done already: changed the port, changed the passwords... Reinstalling is not easier because it has almost 350 accounts with 500 GB of data, so I think it can cause more trouble. The client is not allowing a server change again because of the downtime; I already suggested he move to a new server. Can you suggest any sysadmin for DA?
{HEX}Malware.Expert.steal.user.pass.0 : /home/fashionf/domains/fashionforwomen.us/public_html/hh/Yahoo/Yahoo/emma.php => /usr/local/maldetect/quarantine/emma.php.1337717249
{HEX}Malware.Expert.steal.user.pass.0 : /home/fashionf/domains/fashionforwomen.us/public_html/hh/ttt.zip => /usr/local/maldetect/quarantine/ttt.zip.879718250
{HEX}Malware.Expert.generic.hidden.include.3 : /home/freejobs/domains/freejobsabroad.com/public_html/wp-content/upgrade/103356_mylisting212-1/mylisting212/Theme Files/my-listing.zip => /usr/local/maldetect/quarantine/my-listing.zip.232305456
{HEX}Malware.Expert.generic.hidden.include.3 : /home/freejobs/domains/freejobsabroad.com/public_html/wp-content/upgrade/103356_mylisting212-1/mylisting212/Theme Files/my-listing-child.zip => /usr/local/maldetect/quarantine/my-listing-child.zip.1731916995
{MD5}Malware.Expert.sync.php : /home/hahakolapk/domains/hahakolapk.info/public_html/retrieve/spool/sync.php => /usr/local/maldetect/quarantine/sync.php.68830443
{HEX}Malware.Expert.generic.malware.165 : /home/hahakolapk/domains/hahakolapk.info/public_html/retrieve/api.php => /usr/local/maldetect/quarantine/api.php.3048224683
{HEX}Malware.Expert.generic.malware.165 : /home/hahakolapk/domains/hahakolapk.info/public_html/retrieve.zip => /usr/local/maldetect/quarantine/retrieve.zip.78635907
{HEX}Malware.Expert.generic.mailer.19 : /home/hahakolapk/domains/hahakolapk.info/public_html/sed/mail1.php => /usr/local/maldetect/quarantine/mail1.php.547021764
{MD5}Malware.Expert.robots.txt : /home/hahakolapk/domains/hahakolapk.info/public_html/sed/robots.txt => /usr/local/maldetect/quarantine/robots.txt.1439512959
{HEX}Malware.Expert.generic.malware.174 : /home/hahakolapk/domains/hahakolapk.info/public_html/sed/index.php => /usr/local/maldetect/quarantine/index.php.2928126054
{MD5}Malware.Expert.go.php : /home/hahakolapk/domains/hahakolapk.info/public_html/sed/go.php => /usr/local/maldetect/quarantine/go.php.2282630591
{HEX}Malware.Expert.generic.mailer.19 : /home/hahakolapk/domains/hahakolapk.info/public_html/sed/mail.php => /usr/local/maldetect/quarantine/mail.php.226618797
{HEX}Malware.Expert.generic.malware.165 : /home/hahakolapk/domains/hahakolapk.info/public_html/sed/api.php => /usr/local/maldetect/quarantine/api.php.781917725
{MD5}Malware.Expert.sync.php : /home/hahakolapk/domains/hahakolapk.info/public_html/sed/sync.php => /usr/local/maldetect/quarantine/sync.php.2213912880
{HEX}Malware.Expert.generic.uploader.73 : /home/holbuoco/domains/holbuo.com/public_html/wp-content/themes/news-box-lite/db.php => /usr/local/maldetect/quarantine/db.php.243802459
{HEX}Malware.Expert.generic.malware.155 : /home/holbuoco/domains/holbuo.com/public_html/wp-content/themes/news-box-lite/st.php => /usr/local/maldetect/quarantine/st.php.1429825780
{HEX}Malware.Expert.generic.create.function.10 : /home/holbuoco/domains/holbuo.com/public_html/wp-content/themes/news-box-lite/indx.php => /usr/local/maldetect/quarantine/indx.php.167917731
{HEX}Malware.Expert.generic.base64.decode.28 : /home/holbuoco/domains/holbuo.com/public_html/wp-content/themes/news-box-lite/tbl_status.php => /usr/local/maldetect/quarantine/tbl_status.php.2021113940
{HEX}php.base64.v23au.187 : /home/holbuoco/domains/holbuo.com/public_html/wp-content/plugins/granular-controls-for-elementor/modules/dagsrnhf.php => /usr/local/maldetect/quarantine/dagsrnhf.php.321038299
Here is a fresh report from maldet. However, now DirectAdmin account suspension has also stopped working.
Honestly, I bet that you just have some bad plugins, or you never noticed the previous compromises.
If CloudLinux is there and CageFS is enabled, then there's no way for it to spread on your servers.
With that being said, I think some popular plugin got popped recently, since we've seen a good handful of WordPress sites all get compromised recently.
Francisco
Thanks, let me update.
Exactly. I'm currently handling 40 servers with DA with the same configuration and none of them had any issue, so I'm also thinking the same: it's an issue with plugins. Can you suggest anything to get out of this issue?
The only sysadmin that I can think of right now is @MikePT.
Since you mentioned that none of the other servers are compromised, it may be a bad WP plugin, or you may have missed it (don't the other 39 servers have similar setups? Lots of WP and a few other things?)
If CageFS is enabled and it's a faulty WP plugin issue, AFAIK the virus won't spread to other users' accounts. In that case, I would temporarily suspend the users that have been hacked and check which plugins they are using. That might help pinpoint the root cause of it.
That said, you should really consult a security expert.
Edit: I just read that DA account suspension isn't working either? It seems like the server itself is somehow compromised in that case (please correct me if I'm wrong though, @DA_Mark). IMO re-installing and starting from a clean backup or starting from scratch seems to be the best bet. Also, you might want to redact your client's domains in your log.
Try to find common plugin(s) in these compromised sites.
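One way to act on this suggestion across a whole DirectAdmin box, as an added example that is not part of the thread: walk /home/<user>/domains/<domain>/public_html/wp-content/plugins for the accounts you name (the layout visible in the maldet report above), record each plugin slug and the version from its header, and rank plugins by how many of those accounts carry them. A plugin present in every compromised account but in few clean ones is the first thing to compare against its changelog. The account names in the usage line are the ones from the report; the function names and the output format are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): rank WordPress plugins by how many of
# the named hosting accounts carry them. Assumes the DirectAdmin layout
# /home/<user>/domains/<domain>/public_html seen in the maldet report.

# wp_plugins HOME_ROOT ACCOUNT... -> one line per install: "account slug version"
wp_plugins() {
    root="$1"; shift
    for acct in "$@"; do
        for pdir in "$root/$acct"/domains/*/public_html/wp-content/plugins/*/; do
            [ -d "$pdir" ] || continue
            slug=$(basename "$pdir")
            # The plugin header lives in a top-level .php file as " * Version: x.y.z".
            ver=$(grep -h -i -m1 '^[[:space:]*]*Version:' "$pdir"*.php 2>/dev/null |
                  head -n1 | sed 's/.*[Vv]ersion:[[:space:]]*//; s/[[:space:]]*$//')
            printf '%s %s %s\n' "$acct" "$slug" "${ver:-?}"
        done
    done
}

# common_plugins HOME_ROOT ACCOUNT... -> "n_accounts slug version..." sorted,
# most widely shared first. An account is counted once per slug even when the
# plugin is installed on several of its domains; distinct versions are listed.
common_plugins() {
    wp_plugins "$@" | awk '
        {
            slug = $2
            if (!((slug, $1) in seen)) { seen[slug, $1] = 1; n[slug]++ }
            if (!((slug, $3) in vs))   { vs[slug, $3] = 1; vers[slug] = vers[slug] " " $3 }
        }
        END { for (s in n) printf "%d %s%s\n", n[s], s, vers[s] }
    ' | sort -k1,1nr -k2,2
}

# Stand-alone use (accounts taken from the maldet report in this thread):
#   sh common_plugins.sh /home fashionf freejobs hahakolapk holbuoco
if [ "$#" -gt 1 ]; then
    common_plugins "$@"
fi
```

Run it once over the compromised accounts and once over a sample of clean ones; the plugins that top the first list and are absent from the second are the candidates. It reads only directory names and file headers, so it is safe to run while the accounts are suspended.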
@jokymic even my WP site was compromised. I got a notice in Google Webmaster Console about it. I'm also on DA, but it had nothing to do with DA. I kept the WP comments section open (anybody could post links into it without moderation). So someone had posted hundreds of phishing links. I just deleted all those comments, turned OFF the comments section on the WP site, resubmitted to Google Console, and within 48 hours my site came out clean with no malware identification!
So you'd better:
1. Turn off WP plugins and check it.
2. Check if WP comments are compromised with suspicious links.
It's not about comments. I'm finding files without there being a shell in WordPress; it's anonymous.
Here he is doing it in other accounts without pasting shells into scripts; that's the reason I have posted this.
@jokymic You can also utilize https://github.com/scr34m/php-malware-scanner (free) and see if it helps identify some of the exploits better. Past that, I would suggest to anyone running a shared server (cPanel, Plesk, DA, etc.) to install CXS ( https://configserver.com/cp/cxs.html - paid license, $60 one time) and take advantage of 'cxswatch', which is included, to regularly watch and scan your system for unexpected malicious files being uploaded. So, use CXS to help you identify and remove the malware and 'cxswatch' to monitor the server once it is cleaned to make sure you don't get reinfected. I have used CXS for years; they update their patterns frequently and it works well. Worth the $60 one-time license, every dime!
My 2 pennies.
Cheers!
Really, you're writing on a forum which is specific to the field where most sysadmins work, and you're assuming there is only a single person on here who is a 'sysadmin'?? Pretty much any managed service from a provider here should be able to offer the 'sysadmin' services you need; that is the whole point of this business.
If you are looking for a sysadmin, there are a lot to meet here. Simply set expectations for what you would pay and I am sure someone here would reach out to let you know they can help.
@sanvit Not trying to pick on you, but seems silly to suggest only a single 'sysadmin' exists on a forum full of them. LOL.
my 2 cents.
Cheers!
Thanks, started it just now; let's see. And can I change the IP of the license later? Do you have any info?
I had a similar issue where one of my clients' WordPress websites was compromised due to one of the plugins he installed from the built-in plugin installer in the WP admin panel.
Once the site was compromised, the hacker had access to his account and used it to replace his WordPress core files with scripts that perform the same function but also contain hacked code. The virus scan was unable to identify them.
The database also had "hidden" users with admin access to the site.
The hacker also had binary files that loaded predetermined cron jobs and gave the hacker access to the site even if I removed all the files. The virus scan did pick up this binary file.
The only way was to remove his account, delete all files and the database, reinstall WordPress with a different set of plugins, and finally restore an old copy of his database.
Shell scripts can be run from PHP as well as from binary files, so do check the files manually in case you opt not to restore or reinstall from an old backup.
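The manual check this post recommends, and the artefacts the OP described earlier (shells outside public_html, symlinks pointing at other domains), can be turned into a repeatable sweep of one account. The following is an added example, not from the thread, and not a product of maldet, CXS or any tool named here. It assumes the DirectAdmin layout from the maldet report, /home/<user>/domains/<domain>/public_html, and that per-user crontabs sit in a spool directory you pass in (/var/spool/cron on CloudLinux and other EL systems is an assumption; Debian uses /var/spool/cron/crontabs). The function name and the report tags are the example's own. It reads and prints only; deciding what is malicious stays with the reviewer.

```shell
#!/bin/sh
# Added example (not from the thread): read-only sweep of one hosting account
# for the artefacts described in this thread. Assumes DirectAdmin's
# /home/<user>/domains/<domain>/public_html layout. Every line is a lead for
# manual review, not a verdict: legitimate files can appear in it.

# hunt_account HOME_ROOT USER [CRON_SPOOL_DIR]
hunt_account() {
    root="$1"; user="$2"; spool="${3:-}"
    home=$(readlink -f -- "$root/$user") || return 1

    # 1. PHP inside the WordPress uploads tree: never legitimate.
    find "$home" -path '*/wp-content/uploads/*' -type f -name '*.php' |
        sed 's/^/UPLOAD_PHP /'

    # 2. Symlinks whose resolved target leaves the account's home (the links
    #    to other domains the OP saw). DirectAdmin's own links, such as
    #    ~/public_html -> domains/x/public_html, stay inside and are skipped.
    find "$home" -type l | while IFS= read -r link; do
        target=$(readlink -f -- "$link")
        case "$target" in
            "$home"|"$home"/*) ;;
            *) printf 'SYMLINK_OUT %s -> %s\n' "$link" "$target" ;;
        esac
    done

    # 3. PHP outside every public_html/private_html: where shells were found.
    find "$home" -type f -name '*.php' \
        ! -path '*/public_html/*' ! -path '*/private_html/*' |
        sed 's/^/PHP_OUTSIDE_DOCROOT /'

    # 4. The user's crontab read straight from the spool (needs root), so a
    #    persistence job the customer never created shows up here.
    if [ -n "$spool" ] && [ -f "$spool/$user" ]; then
        grep -v '^[[:space:]]*#' "$spool/$user" | grep -v '^[[:space:]]*$' |
            sed "s/^/CRON $user: /"
    fi
}

# Stand-alone use (account name from the maldet report in this thread):
#   sh hunt_account.sh /home hahakolapk /var/spool/cron
if [ "$#" -ge 2 ]; then
    hunt_account "$@"
fi
```

Loop it over every account (`for u in /home/*; do hunt_account /home "$(basename "$u")" /var/spool/cron; done`) and diff the output day to day; once the box is clean, a new UPLOAD_PHP or CRON line is the earliest sign of reinfection. Replaced core files, which this post says the scanner missed, are not covered here; for those, compare the install against a fresh WordPress download of the same version.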
All these WordPress sites getting compromised. The solution is simple: Wordfence.
Install that, do the hardening and activate the relevant features/options like "prevent upload dir execution", set up their WAF and call it a day forever.
There is nothing superior to Wordfence. The freemium is solid; imagine the paid...
The most important aspect of it is the WAF; that thing blocks any kind of zero-day or vector attack.
Pay attention to the notices wordfence will send you about your plugins and themes.
@TheLinuxBug thanks for your valuable suggestions. Finally, 90% of the issue has been fixed.
Load is normal, no reports in the last 24 hours; still monitoring the services and other stuff.
I suggest you do a complete backup of the website once, then simply delete everything (terminate the account), recreate it, reinstall fresh WordPress, then also the plugins and theme.
Replace the existing database and then edit wp-config and update the config. Don't forget to change the password of the user account and also hide the WP login page; it will help.
It's best to ignore comments like this. No need to get upset over people who don't know what a sysadmin is...
This is why I prefer reseller hosting to a VPS / dedicated server. Managing a server is a pain in the ass, especially if most of the time you're still googling whenever a problem arises.
I said the only one I can think of right now. I may have worded it wrong though. If you see the comments above, I told the OP to hire a sysadmin, and the OP asked me for a suggestion. Since the only one I know who does paid server management is MikePT, I suggested him. I didn't mean only MikePT is a sysadmin here.
Agreed. If you don't have good knowledge of it, it's best to leave it in the hands of someone who knows what they are doing.
How can you learn? Until when will you rely on the other services? Googling is the best way to learn the things which even you don't know, and sharing the experience is one of the best things which can solve anyone's problems and can give others a good lesson. You are also right.
SOMEONE SET UP US THE BOMB!
MAIN SCREEN TURN ON
HOW ARE YOU GENTLEMEN
YOU ARE ON THE WAY TO DESTRUCTION
YOU HAVE NO CHANCE TO SURVIVE
MAKE YOUR TIME
ALL YOUR WORDPRESS ARE BELONG TO ARSE!
I am learning while people's business doesn't depend on me. I am offering a product that I am comfortable selling. I will resell other people's services until I know enough about how to manage a server.
If your way of doing business is selling shit while you still learn, then I feel sorry for your clients. Just like others suggested, just hire a competent sysadmin. Or, you know, resell other people's services until you know what you are really dealing with.
However, I fixed it myself. But when you're confused you need help from experienced people, so I posted here. As you see, many people recommended different things; I chose a few and fixed the server myself. It's a part of life. However, I'm totally against reseller hosting because it's just a headache, nothing else.