
Find out how file was uploaded? Which logs?

Comments

4 comments

  • cPanelMichael
    Hello, The following thread should help: What log files to check after an account gets hacked/defaced? Thanks!
    0
  • Forcerdj
    Hello, The following thread should help: What log files to check after an account gets hacked/defaced? Thanks!

    Thanks for this. I have been looking for some valuable information inside /usr/local/apache/domlogs/$domain. I can see uploaded files being accessed but no indication of how they actually got there. We have pretty much re-installed all plugins and WordPress, removed a lot of stuff, and went through files manually, yet somehow a file keeps re-appearing. I set up a cron to check for the file every minute and it is auto-deleted... this has helped but is not really fixing the problem... we must have a script or something on the server that is allowing a backdoor to the account. Surely there is a way to find out how?
    0
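    A way to work through the domlogs mentioned in this post: find the first request that served the dropped file, then list the POST/PUT requests that arrived in the minutes before it, since the write usually happens through one of those. This is an added example, not code from the thread or from cPanel; it assumes the log is in Apache's combined format (which cPanel's per-domain domlogs use) and runs on a constructed sample, with the plugin path, file name and IP addresses all made up. If no request precedes the first hit, the file was written by something that does not go through Apache (FTP, SSH, a cron job, another account), which is what the other replies in this thread are asking about.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format; cPanel writes this to
# /usr/local/apache/domlogs/$domain for each account's vhost.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (hypothetical plugin, file name and IPs), not taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2023:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2023:10:00:04 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 21 "-" "Mozilla/5.0"
198.51.100.3 - - [05/Mar/2023:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 8122 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2023:10:00:12 +0000] "GET /wp-content/uploads/2023/03/sys-cache.php?id=1 HTTP/1.1" 200 5 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2023:10:01:30 +0000] "POST /wp-content/uploads/2023/03/sys-cache.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # truncated or differently formatted line
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
        rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string for matching
        records.append(rec)
    return records


def first_hit(records, suspect_path):
    """Earliest request for the dropped file, or None if it was never served."""
    hits = [r for r in records if r["path"] == suspect_path]
    return min(hits, key=lambda r: r["time"]) if hits else None


def candidate_upload_vectors(records, suspect_path, window=timedelta(minutes=10)):
    """POST/PUT requests in the window before the file was first served, newest first.

    These are the requests that could have written the file; requests to the
    dropped file itself are excluded because they happen after it exists.
    """
    hit = first_hit(records, suspect_path)
    if hit is None:
        return []
    start = hit["time"] - window
    return sorted(
        (r for r in records
         if r["method"] in ("POST", "PUT")
         and start <= r["time"] < hit["time"]
         and r["path"] != suspect_path),
        key=lambda r: r["time"], reverse=True,
    )


def activity_by_ip(records, ip, before):
    """Everything the same client did before a given moment (weak evidence if proxies are used)."""
    return [r for r in records if r["ip"] == ip and r["time"] < before]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    suspect = "/wp-content/uploads/2023/03/sys-cache.php"
    hit = first_hit(recs, suspect)
    print(f"{suspect} first served at {hit['time']} to {hit['ip']}")
    for r in candidate_upload_vectors(recs, suspect):
        print(f"  candidate write: {r['time']} {r['ip']} {r['method']} {r['path']} -> {r['status']}")
    for r in activity_by_ip(recs, hit["ip"], hit["time"]):
        print(f"  same client earlier: {r['time']} {r['method']} {r['path']}")
```

Run it against the real domlog with the path of the file that keeps coming back; the POST that shows up just before the first GET of that file is the endpoint to inspect. Widen `window` if the file sits unused for a while before being called, and remember that cPanel rotates domlogs, so keep the archived copies that cover the dates when the file reappeared.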
  • cPanelMichael
    We have pretty much re-installed all plugins and WordPress, removed a lot of stuff, and went through files manually, yet somehow a file keeps re-appearing.

    Have you reset the passwords to the cPanel account, and any FTP accounts with access to upload files to that location? If so, you may need to consult with a qualified system administrator to further investigate what's happening. You can find a list of system administrative services at: System Administration Services | cPanel Forums Thank you.
    0
  • hrace009
    Hi, one of my clients' WordPress sites is hacked daily; random .php files are uploaded to send mail spam. I am quick to delete the problematic code but it comes back the next day. We are changing passwords, updating plugins, etc., but can't pinpoint the problem. I am wondering if it is possible to see how the .php files are being injected, how they are being added to the account? I'm assuming through some injection in rubbish code, but I can't find it anywhere. Would the logs help me see where it's coming from? If so, where can I find the log? Thanks

    It will be useless to search for it by IP, since most hackers/defacers use dynamic IPs or proxies, and there are so many free proxies out there. You should think about using CXS for that and customising your cxs.xtra to match the regex; there are plenty of useful regexes on the ConfigServer forum, and don't forget to use OWASP and whitelist the ID. Or, for a better choice, use CloudLinux, but it still depends on your configuration.
    0
