lfd suspicious process, then Wordpress is hacked and spam...
Hi,
I have one particular website on my server that is constantly exploited even with the following measures in place:
- No anonymous FTP is allowed
- cPanel password is changed often
- Wordpress and its plugins are latest and with no known vulnerability related to the plugins
- suPHP is in place
Below is an example of the lfd message from CSF firewall which then lead to script uploads and then spam.
Can anyone knowledgeable enough tell me how the hackers can do this and what I can do?
Thank you.
---- LFD message -----
Executable:
/home/userdir/public_html/delta/wp-content/uploads/crond (deleted)
The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.
Command Line (often faked in exploits):
././crond
Network connections by the process (if any):
tcp: SERVER_IP:60653 -> :80
tcp: SERVER_IP:36883 -> :80
tcp: SERVER_IP:44804 -> :80
tcp: SERVER_IP:39482 -> :80
tcp: SERVER_IP:49317 -> :80
tcp: SERVER_IP:51157 -> :80
tcp: SERVER_IP:37451 -> :80
tcp: SERVER_IP:33913 -> :80
tcp: SERVER_IP:56475 -> :80
-
Hello Michael, I'd read that thread before posting mine. I was hoping that someone might be able to point me in the right direction using possible scenarios. Thanks 0 -
Possible scenarios I can think of; wp-admin password was weak/compromised. a plugin was hacked during a vulnerable period of time prior to an update, and malware was left behind even though things are up to date now. If you have not already, take a look for any recently created files, especially php files, inside of the account. Also run clamscan / maldet on that users public_html directory. Check to see if the user happens to have a crontab as well (crontab -l -u USER) Have a good look around /home/userdir/public_html/delta/wp-content/uploads/ as well. 0 -
Thanks Quizknows. 0
Please sign in to leave a comment.
Comments
4 comments