Site keeps on getting hacked - infected files
So a couple of days ago I upgraded to PHP 7.2 and ever since, my main account/site keeps getting infected. It is running the latest version of WordPress with all recent updates and the WordFence plugin.
I am noticing a new encoded PHP file, as well as some existing files being modified to include additional encoded code. I find out about it because most of the time the uploaded files start sending junk email, so I get notifications. That specific WordPress site is set to run using PHP 7.2, suPHP, PHP-FPM. CentOS 6.9, KVM, v68.0.30
Script Alert Email
Time: Thu Mar 15 02:34:54 2018 -0400
Path: '/home/USER/public_html/.tmb'
Count: 201 emails sent
Sample of the first 10 emails:
2018-03-15 02:27:23 cwd=/home/USER/public_html/.tmb 4 args: /usr/sbin/sendmail -t -i -fcrista.d@mydomain.com
2018-03-15 02:27:23 cwd=/home/USER/public_html/.tmb 4 args: /usr/sbin/sendmail -t -i -fcrista.d@mydomain.com
2018-03-15 02:27:23 cwd=/home/USER/public_html/.tmb 4 args: /usr/sbin/sendmail -t -i -fcrista.d@mydomain.com
2018-03-15 02:27:23 cwd=/home/USER/public_html/.tmb 4 args: /usr/sbin/sendmail -t -i -fmelita.i@mydomain.com
Prior to that I got a LOCALRELAY Alert
Type: LOCALRELAY, Local Account - USER
Count: 101 emails relayed
Blocked: No
Sample of the first 10 emails:
2018-03-15 02:27:23 1ewMMF-0007DE-N3 <= crista.d@mydomain.com U=myuser P=local S=1682 id=b6514e3a646ebf841b6ef43417b81f24@mydomain.com T="C\363mprate el agrandador de miembro urgentemente" for test@hotmail.es
2018-03-15 02:27:23 1ewMMF-0007DK-Qe <= melita.i@mydomain.com U=myuser P=local S=1674 id=48a2b0413a77caf71758c091857b1796@mydomain.com T="C\363mprate el agrandador de miembro urgentemente" for test@yahoo.es
When I looked into that folder I found one encoded php file.
Another file prior to that was:
Time: Tue Mar 13 04:39:52 2018 -0400
Path: '/home/MyUser/public_html/wp-content/plugins/recent-tweets-widget/assets'
Count: 201 emails sent
Sample of the first 10 emails:
2018-03-13 04:31:30 cwd=/home/myuser/public_html/wp-content/plugins/recent-tweets-widget/assets 4 args: /usr/sbin/sendmail -t -i -fcatherine.w@mydomain.com
This all started after an update. Any ideas what it could be, and how can I figure out how the files are created?
-
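The two alerts above both name the directory the mailer ran from (`cwd=...`), which is the fastest pivot from "spam is going out" to "which file is sending it". The script below is an added example, not part of the original thread or of cPanel/WordFence: it pulls the `cwd` directories out of alert text in the format shown above and then walks a docroot for files carrying the constructs the thread's encoded droppers typically use (`eval(base64_decode(...))`, a PHP open tag inside a `.js` file, and similar), reporting each hit with its modification time so it can be lined up against the mail log. The alert text and the throwaway docroot it scans are constructed inline; the file names and indicator patterns are assumptions, not a definitive malware signature list.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Shape of the "Script Alert" sample lines quoted in the thread:
#   2018-03-15 02:27:23 cwd=/home/USER/public_html/.tmb 4 args: /usr/sbin/sendmail -t -i -f...
ALERT_LINE = re.compile(r"^\S+ \S+ cwd=(?P<cwd>\S+) .*?/usr/sbin/sendmail")

# Indicators (assumed, illustrative) that almost never appear in legitimate
# WordPress code but are typical of encoded droppers and mailers.
SUSPICIOUS = [
    re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    re.compile(rb"eval\s*\(\s*gzinflate\s*\("),
    re.compile(rb"eval\s*\(\s*str_rot13\s*\("),
    # a variable function name called directly on request input, e.g. $f($_POST['x'])
    re.compile(rb"\$[a-zA-Z_]\w*\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)"),
]
# A PHP open tag inside a .js file (like the minify cache hit in the thread) is an indicator on its own.
PHP_TAG = re.compile(rb"<\?php")

# Constructed copy of the alert from the thread (USER placeholder kept as-is).
SAMPLE_ALERT = """\
Time: Thu Mar 15 02:34:54 2018 -0400
Path: '/home/USER/public_html/.tmb'
Count: 201 emails sent
Sample of the first 10 emails:
2018-03-15 02:27:23 cwd=/home/USER/public_html/.tmb 4 args: /usr/sbin/sendmail -t -i -fcrista.d@mydomain.com
2018-03-15 02:27:23 cwd=/home/USER/public_html/.tmb 4 args: /usr/sbin/sendmail -t -i -fmelita.i@mydomain.com
"""


def sending_dirs(alert_text):
    """Return the unique working directories the alert reports sendmail being run from."""
    dirs = []
    for line in alert_text.splitlines():
        m = ALERT_LINE.match(line.strip())
        if m and m.group("cwd") not in dirs:
            dirs.append(m.group("cwd"))
    return dirs


def scan_dir(root, max_age_hours=None):
    """Walk `root` and return (path, mtime, indicator) for every file that matches.

    Hidden directories such as .tmb are deliberately included. If `max_age_hours`
    is given, only files modified within that window are considered, which keeps a
    rescan after cleanup focused on what changed since."""
    hits = []
    now = time.time()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            if lower.endswith((".php", ".phtml", ".inc")):
                patterns = SUSPICIOUS
            elif lower.endswith(".js"):
                patterns = [PHP_TAG]
            else:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                data = Path(path).read_bytes()
            except OSError:
                continue  # unreadable or vanished between listing and read
            if max_age_hours is not None and now - st.st_mtime > max_age_hours * 3600:
                continue
            for pat in patterns:
                if pat.search(data):
                    hits.append((path, st.st_mtime, pat.pattern.decode()))
                    break
    return sorted(hits, key=lambda h: h[1])  # oldest first: the earliest hit is closest to the entry point


def build_demo_docroot():
    """Create a throwaway docroot: two clean files plus two constructed indicator
    files mirroring the thread's findings (harmless stand-ins, not real malware)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = {
        "public_html/index.php": b"<?php require __DIR__ . '/wp-blog-header.php';",
        "public_html/wp-content/themes/x/app.js": b"document.title = 'ok';",
        "public_html/.tmb/mail.php": b"<?php eval(base64_decode('aGVsbG8='));",
        "public_html/wp-content/cache/minify/abc.js": b"var a=1; <?php echo 'x'; ?>",
    }
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
    return root


if __name__ == "__main__":
    print("mailer ran from:", sending_dirs(SAMPLE_ALERT))
    demo = build_demo_docroot()
    for path, mtime, why in scan_dir(os.path.join(demo, "public_html")):
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime)), path, "matched", why)
```

On a real account you would point `scan_dir` at `/home/USER/public_html` and, after each cleanup, rerun it with `max_age_hours` set to the time since the cleanup: a fresh hit in a directory that was clean an hour ago tells you the entry point is still open, which is exactly the pattern this thread describes.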
Hello, the following thread is a good place to start when beginning an investigation into the source of a hacked account: You may also find the following document helpful: 0 -
I doubt the PHP 7.2 update has anything to do with this. You need to find out how these malicious files are getting onto the account. Are you actually investigating these files or are you just removing them? You may also want to look at all of the WordPress users that exist on this account. What are their access levels? How strong are their passwords? Are the passwords being changed? Lately we've seen a lot of WordPress sites hacked because the WordPress administrator chose to use extremely weak passwords. Or other WordPress admin users got created. You really just have to trace back how the files got there. You may need to hire a server administrator to do this for you. 0 -
Only one WP user - password changed recently and very complex. No new FTP users, password also complex. Two more files found a few hours after the last cleanup:
- Filename: cause.php
- File Type: Not a core, theme, or plugin file from wordpress.org.
- Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: [removed] . The infection type is: A backdoor known as cSR.
- Filename: wp-content/cache/minify/df983.js
- File Type: Not a core, theme, or plugin file from wordpress.org.
- Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: [removed]
0 -
OK, you need to investigate how those files came to be on the account. Review the timestamps of the files. Review the logs on the account. I don't have access to all of this, so I can't tell you what specifically to do or how to further investigate this. But you need to further investigate this. There is a security hole somewhere (probably... perhaps the "legitimate" user is uploading these files themselves; I wouldn't advise accusing someone of that without evidence, but it's a possibility). You may need to bring in an experienced server administrator to help you with all of this. 0 -
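"Review the timestamps, review the logs" is the right advice, and the mechanical part of it is easy to automate. The snippet below is an added example, not from the thread or from cPanel: it takes the first sendmail timestamp from the alert (02:27:23 -0400 on 2018-03-15, quoted above) as the reference point, parses Apache-style access log lines, keeps only the requests in the minutes before the mailer fired, and groups the POST requests by source IP, since a file that appears in the docroot under the account's own user is usually written by a request the web server handled. The log lines are constructed for the example (the IPs, paths and user agents are made up and so is the `/.tmb/mail.php` request); on a cPanel account the real file is typically found under the domain's access log directory, which this example does not assume.

```python
import re
from collections import OrderedDict
from datetime import datetime, timedelta, timezone

# Apache combined log format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# First sendmail invocation reported by the alert quoted in the thread.
FIRST_MAIL = datetime(2018, 3, 15, 2, 27, 23, tzinfo=timezone(timedelta(hours=-4)))

# Constructed sample log (not from the thread); the last line is outside the window on purpose.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Mar/2018:02:25:58 -0400] "POST /wp-login.php HTTP/1.1" 200 4122 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Mar/2018:02:26:40 -0400] "POST /wp-content/plugins/example-plugin/ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.22 - - [15/Mar/2018:02:26:55 -0400] "GET /index.php HTTP/1.1" 200 53112 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Mar/2018:02:27:20 -0400] "POST /.tmb/mail.php HTTP/1.1" 200 5 "-" "curl/7.58"
198.51.100.22 - - [15/Mar/2018:01:10:02 -0400] "GET /feed/ HTTP/1.1" 200 8000 "-" "FeedFetcher"
"""


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        entries.append({"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
                        "path": m.group("path"), "status": int(m.group("status"))})
    return sorted(entries, key=lambda e: e["ts"])


def requests_before(entries, reference, window_seconds=300):
    """Keep requests in the `window_seconds` leading up to `reference` (inclusive).

    `reference` would normally be the mtime of the dropped file or, as here,
    the first sendmail call from the alert; the window is a tuning knob."""
    start = reference - timedelta(seconds=window_seconds)
    return [e for e in entries if start <= e["ts"] <= reference]


def post_sources(entries):
    """Group the paths POSTed to by client IP, in time order.

    POSTs are the requests that can carry a file or payload, so an IP that
    POSTs to a login page, then a plugin endpoint, then a fresh file in a
    hidden directory is the sequence worth reading closely."""
    by_ip = OrderedDict()
    for e in entries:
        if e["method"] == "POST":
            by_ip.setdefault(e["ip"], []).append(e["path"])
    return dict(by_ip)


if __name__ == "__main__":
    near = requests_before(parse_access_log(SAMPLE_LOG), FIRST_MAIL)
    for ip, paths in post_sources(near).items():
        print(ip, "->", ", ".join(paths))
```

Widen the window if nothing shows up (the file may have been dropped hours before it was first used), and compare the dropped file's own mtime from the previous step with the timestamps here: the POST immediately preceding that mtime is the request that wrote it, and its path is the component that needs patching or removing.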
I am the only one with access to the account, so I am sure it's not user uploaded but created in some other way :( 0 -
Hello, we provide a list of companies offering system administration services should you require the assistance of a system administrator to help determine the source of the attack: Thank you. 0