Infected Server - WordPress Vulnerability?

Posted by kshazad86, 10-30-2014, 02:00 PM
My shared cPanel server recently appears to have been compromised. I have seen several WordPress websites with phishing files uploaded directly into the public_html folder. My concern is I don't know how the attackers managed to upload the phishing files to several accounts. Example location: /home/user/public_html/dropbox/invoice.php The invoice.php file appears to send out a large amount of phishing emails. Note: Only WordPress sites appear to be infected. Can anyone give tips on how to stop this from happening?

Posted by Andei, 10-30-2014, 02:07 PM
First clean up as much as you can, run virus scans and make sure there are no backdoor scripts still in any of your accounts. Secondly, always keep WordPress/plugins up to date... this is VERY important, since that's how they always get in, through exploits in old and outdated scripts. And last but not least, install some security plugins for your WordPress sites, there's plenty of them out there, all you have to do is search a bit.

Posted by XViD, 10-30-2014, 02:14 PM
Somewhere to start:
1. Try to find the concrete reason for the hack by checking the log files for the infected sites. It might be a plugin or old version with a known exploit, or weak WordPress administration passwords followed by a brute-force attack (very common these days).
2. Install and configure mod_security with good rules - atomicorp and/or comodo for example.
3. Install maldet, cxs, clamav and configure them to scan your websites.
4. Install and configure csf.

Posted by nixtree, 10-30-2014, 02:49 PM
First of all, take the time stamp of the uploaded vulnerable file and run "grep POST". Make sure you run it against the access log for the same date the file was created. Most of the time it can give a little insight into how they intruded. Then secure your server / WordPress as per the above instructions.

Posted by kshazad86, 10-31-2014, 01:14 PM
My access logs are showing the following: The only POST request I found was this one: I still don't understand how they got in? Any ideas?

Posted by kshazad86, 10-31-2014, 01:32 PM
I also noticed this entry in the log file: Is it possible it is caused by a vulnerability with the wp-cron.php file?

Posted by kshazad86, 10-31-2014, 03:06 PM
I have also noted the following line which looks very suspicious to me:

Posted by khunj, 10-31-2014, 11:28 PM
That is unlikely. It is often due to a vulnerable plugin or theme, or because they gained access either to your WP admin console or to your FTP/cPanel account. If you check when the invoice.php was uploaded, you could then look in your logs to see what happened that day.

Posted by mellow-h, 10-31-2014, 11:45 PM
If you can't find enough evidence on POST, track your access logs for suspicious activity within 1 hour before and after the time stamp. You need to keep doing research. There is no specific way to find the exact way the attacker managed to put the file in your account.
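The log correlation nixtree and mellow-h describe (pivot on the dropped file's timestamp, then pull the POST requests within an hour either side) as an added example, not code from anyone in this thread. It parses Apache/cPanel combined-format access logs; the log lines, IP addresses, mtime and the plugin-upload path are constructed for the demo.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache/cPanel combined log line, e.g.
# 203.0.113.5 - - [30/Oct/2014:13:41:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    return entry

def file_times(path):
    """mtime and ctime of the dropped file as UTC datetimes (check both: an upload can preserve mtime)."""
    st = os.stat(path)
    return (datetime.fromtimestamp(st.st_mtime, tz=timezone.utc),
            datetime.fromtimestamp(st.st_ctime, tz=timezone.utc))

def requests_near(log_lines, pivot, window=timedelta(hours=1), methods=("POST",)):
    """Log entries using one of `methods` within +/- `window` of `pivot`, oldest first."""
    hits = [e for e in map(parse_line, log_lines)
            if e and e["method"] in methods and abs(e["time"] - pivot) <= window]
    return sorted(hits, key=lambda e: e["time"])

def first_hit_on_path(log_lines, path):
    """Earliest request for `path` (e.g. the dropped phishing script), or None if never requested."""
    hits = [e for e in map(parse_line, log_lines) if e and e["path"].split("?")[0] == path]
    return min(hits, key=lambda e: e["time"]) if hits else None

# Constructed sample log (documentation IP ranges); not taken from the original thread.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Oct/2014:12:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Oct/2014:13:41:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Oct/2014:13:41:30 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 811 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Oct/2014:13:45:00 +0000] "GET /dropbox/invoice.php HTTP/1.1" 200 2048 "-" "curl/7.30.0"
203.0.113.7 - - [30/Oct/2014:16:10:00 +0000] "POST /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "WordPress/4.0"
""".splitlines()

# Constructed mtime of /home/user/public_html/dropbox/invoice.php for the demo (assumed value).
INVOICE_MTIME = datetime(2014, 10, 30, 13, 41, 35, tzinfo=timezone.utc)
```

On a real server, feed `requests_near` the lines of the account's access log and the mtime from `file_times`; the later `wp-cron.php` POST from the WordPress user agent falls outside the window, while the admin login and plugin upload seconds before the file appeared are what to chase.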

Posted by nixtree, 11-01-2014, 09:56 AM
Yes, match the time stamp when the suspicious file was created against the access log. If the hack exists on multiple WP accounts, it'll most likely be an issue with a plugin/theme which all of those accounts are using in common.

Posted by Kailash12, 11-01-2014, 10:25 AM
It is possible to upload files into the user's account due to a plugin/theme or outdated WordPress. Also you will have to scan your entire server using antivirus and maldet.

Posted by byrsa, 11-06-2014, 01:18 PM
They used valid FTP credentials to upload the files. PM me if you want details.

Posted by bear, 11-06-2014, 01:50 PM
You aren't permitted to ask for private contact in the main forums. If you know something (though how you'd know about his issue directly needs explaining), feel free to post it in this thread so everyone benefits.

Posted by byrsa, 11-06-2014, 01:58 PM
Sorry about that, new here. My server was hit by the same thing, so I am making the assumption that they uploaded the files to the OP's server in the same way.

Posted by samy, 11-06-2014, 01:59 PM
It's very bad - I recommend installing the plugin "wordfence" - it works well, and files outside WordPress also get scanned.

Posted by bear, 11-06-2014, 02:26 PM
Fair enough. Did you learn how they managed to obtain your password?

Posted by byrsa, 11-07-2014, 04:48 AM
The username/pw of a user on my webserver. I don't know how they got the credentials, but I did not see any evidence of brute-forcing their way in.

Posted by infote, 11-11-2014, 03:10 AM
I would go for reinstalling the WP core files on the server, as there could be numerous files with the eval base64 code already and what not. Delete the whole WP directory and install the new WP core along with your themes (backed up before the infection). Deleting the MySQL database file is also suggested. If you don't have the backups, well then, at least install just the WordPress 4.0 new core files. Then install the wordfence plugin and run the scan. I have used it on my own WP site and it works like a charm. I was able to detect the infection because of the wordfence plugin. Finally change the WP admin, WP salt, FTP, cPanel, MySQL and SSH passwords.
