Geekzone: technology news, blogs, forums
# 209107 13-Mar-2017 11:25 (1290 posts, Uber Geek, Subscriber)

I was asked to look at a site last week which had been hacked and shut down by their hosts. Neither WordPress, their themes, nor any of the 20+ plugins they use had been updated for months, if ever.

 

So I did the basics. Updated WP to 4.7.3, deleted unused themes, changed all user passwords, kicked out anyone still logged in, updated all the plugins (I don't know what is used and what isn't so didn't delete any) and after installing Wordfence I spent the afternoon running multiple scans to clean it all up and then checked again with Sucuri. All was good.

 

But Wordfence showed compromised files again the next day so it was rightly shut down again.

 

So I'm looking at it now. Wordfence does show a couple of files, which I've cleaned again, and I'm wondering what the next step is. The domain was clearly sending out spam via email addresses which don't exist with the host, so where do I look next?

 

An interesting thing I noticed was one of the users was logged in but I know for a fact they haven't logged in at all because I haven't given out any of the new passwords. So I've changed that password again and set all users (other than me) to subscriber. I'm not sure if that will help but I'll also delete those not needed.

 

Wordfence has just run again and found nothing.

 

Any suggestions on what I can check next?

 

 


# 1735633 13-Mar-2017 11:30 (15335 posts, Uber Geek, Trusted, Subscriber)

Change all hosting passwords. Check all other software or scripts on the server to see if it's compromised. Don't trust plugins as authoritative. Change passwords for every user associated with it - ssh, ftp, control panel, and for every other piece of software on the box.

 

Maybe check the web server logs to see if you can see anything suspicious.

 

If that doesn't fix it, I guess you need more information. Moving hosts could be one mitigation, it would at least rule something out.


# 1735637 13-Mar-2017 11:32 (3344 posts, Uber Geek, Trusted, Vocus)

What plugins do you have? Eliminate any you don't need. Same for themes. Use very strong passwords. Remove privileges from the account called "Admin" and create another admin account.  Configure Wordfence's automatic blocking.  Deny access to RPC unless it's needed.  And the advice above.  Good luck!


 
 
 
 


# 1735646 13-Mar-2017 11:41 (15335 posts, Uber Geek, Trusted, Subscriber)

Actually delete the account named "admin", after transferring all the information to other users. You could also put a WAF / IPS / IDS in place. CloudFlare would help a bit and has a free plan, but you'd have to block connections that don't come from CloudFlare at your firewall.


# 1735686 13-Mar-2017 12:13 (xpd, Chief Trash Bandit, 10091 posts, Uber Geek, Mod Emeritus, Trusted, Lifetime subscriber)

Change passwords, disable all plugins - only add plugins as they're really needed.

 

Have seen one install that literally had 60 plugins installed, with only about 12 actually being used.

 

 







# 1735691 13-Mar-2017 12:18 (2146 posts, Uber Geek, Trusted)

If it's running on Apache and you can control that, mod_security with the OWASP ruleset.


# 1735692 13-Mar-2017 12:20 (15335 posts, Uber Geek, Trusted, Subscriber)

mod_security with the OWASP ruleset actually blocks a lot of stuff and breaks websites. If you do that you need to monitor it closely.




# 1735696 13-Mar-2017 12:24 (1290 posts, Uber Geek, Subscriber)

I've changed the hosting account and ftp passwords. Created two new WP accounts, one admin for me and one as an author and I've transferred all content to that author. All user accounts have new passwords and are set to subscriber whilst I find out who can be deleted.

 

Set Wordfence to immediately block anyone using an obvious username (admin, domainname, etc), anyone using an invalid username, including forgotten password attempts, etc.

 

Now I'm off to check the logs and go through the plugins. Only ever use 5-6 on any site I've built so seeing 24 is something new!

 

 


 
 
 
 


# 1735699 13-Mar-2017 12:30 (926 posts, Ultimate Geek, Trusted)

I've seen this before... sounds like you have malware installed on the server, possibly something like "Linux/Mumblehard". Check your cron jobs to see if there's a script set to run on a schedule and delete any cronjobs you don't recognise along with the scripts being executed. Download clamav and run a full scan on the server.

Also, check your directory permissions on the WordPress site. Ideally you don't want the user account that the webserver is running as (e.g. www-data) to have write permissions to the WordPress directories, except for specific directories like uploads, etc. The directories that are writeable by the webserver account, make sure there aren't any php files in there - should only be media files.

Also note that changing these permissions will break the built-in WordPress updater, so you'll need to figure out a new process to install updates - either change file permissions just before and after an update, or update manually by downloading the zip file and extracting it into the WordPress install.

 

Send me a PM if you need any further advice, happy to share my experiences.




# 1735700 13-Mar-2017 12:31 (1290 posts, Uber Geek, Subscriber)

I don't have access to any of the mod_sec stuff. I'm basically sitting here with the WP site and a cut down Plesk control panel and that's it.




# 1735701 13-Mar-2017 12:34 (1290 posts, Uber Geek, Subscriber)

amanzi: I've seen this before... sounds like you have malware installed on the server, possibly something like "Linux/Mumblehard".

Hmmmm, initially this morning the hosts said their own servers had been compromised and they had moved everyone to a new server. An hour later they said it was this site which was compromised again. Might need to go back to them I think.

 

They showed an email being sent from this domain but with an address which doesn't exist in the control panel.

 

amanzi: Check your cron jobs to see if there's a script set to run on a schedule and delete any cronjobs you don't recognise along with the scripts being executed. Download clamav and run a full scan on the server. Also, check your directory permissions on the WordPress site. Ideally you don't want the user account that the webserver is running as (e.g. www-data) to have write permissions to the WordPress directories, except for specific directories like uploads, etc. The directories that are writeable by the webserver account, make sure there aren't any php files in there - should only be media files. Also note that changing these permissions will break the built-in WordPress updater, so you'll need to figure out a new process to install updates - either change file permissions just before and after an update, or update manually by downloading the zip file and extracting it into the WordPress install. Send me a PM if you need any further advice, happy to share my experiences.

Thanks, I'll have a look at all this as well.


# 1735706 13-Mar-2017 12:48 (Mr Snotty, 8906 posts, Uber Geek, Moderator, Trusted, Lifetime subscriber)

Also check the .htaccess file as this is a common target for malware and overlooked. It honestly sounds like you're needing to find a new host if your one keeps getting owned.







# 1735708 13-Mar-2017 12:53 (1290 posts, Uber Geek, Subscriber)

michaelmurfy: Also check the .htaccess file as this is a common target for malware and overlooked. It honestly sounds like you're needing to find a new host if your one keeps getting owned.

Yep, checked that already. Found an interesting @include in the wp-config.php when I first started so I've gone through all the files in that dir. I've also gone through all the uploads directories checking for *.php files and there are none now.

 

I agree, it's been talked about previously they just never got around to it. It's going to be the first thing I suggest when I get this all sorted.


# 1735807 13-Mar-2017 15:13 (2146 posts, Uber Geek, Trusted)

timmmay: mod_security with the OWASP ruleset actually blocks a lot of stuff and breaks websites. If you do that you need to monitor it closely.

The recently released v3.0 of the OWASP ruleset is much, much better than the previous one. It's much more cautious; you can set a paranoia level and also tell it that a site is a WordPress or Drupal site.

 

So yes, I agree with your statement pre the v3.0 ruleset, but I no longer think it's true.  I agree you should still monitor closely after deployment, but it's not the nightmare it used to be. 
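For anyone who does control the web server, the two CRS 3.x knobs mentioned above (paranoia level and the WordPress exclusion switch) are plain SecAction lines in crs-setup.conf, and the "monitor it closely" advice is cheapest if the engine starts in DetectionOnly and is only switched to On once the audit log stops filling with false positives. The fragment below is an added example, not configuration from the thread or from the site in question; the file paths are assumptions, while the rule ids 900000 and 900130 are the ones crs-setup.conf ships with those settings commented out.

```apache
# Added example, not from the thread. Paths are assumptions.

# --- in /etc/modsecurity/crs/crs-setup.conf: uncomment and adjust these two rules ---
# Paranoia level 1 is the tier with the fewest false positives; raise it later if needed.
SecAction "id:900000,phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=1"
# Tell the CRS this vhost is WordPress so its bundled WordPress exclusions apply.
SecAction "id:900130,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_wordpress=1"

# --- in the Apache vhost (or modsecurity.conf) ---
# Log-only first; change to "On" after a week of clean audit logs.
SecRuleEngine DetectionOnly
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log
IncludeOptional /etc/modsecurity/crs/crs-setup.conf
IncludeOptional /etc/modsecurity/crs/rules/*.conf
```

While in DetectionOnly, grep the audit log for the rule ids that fire on legitimate admin actions (post editing and theme customiser requests are the usual offenders) and write per-rule exclusions for those before enforcing, rather than lowering the paranoia level for the whole site.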


# 1735822 13-Mar-2017 15:33 (2655 posts, Uber Geek, Trusted, Lifetime subscriber)

martyyn: Set Wordfence to immediately block anyone using an obvious username (admin, domainname, etc), anyone using an invalid username, including forgotten password attempts, etc.

 

Perhaps have this on a timeout if you can....  to avoid a rushed typo locking you out permanently!

# 1735853 13-Mar-2017 16:30 (1290 posts, Uber Geek, Subscriber)

Finally got to talk to someone at the hosts who a) was happy to talk and b) knew what happened on the weekend.

 

It turns out the server we are on was compromised by malware and it looks like it infected us again. They have moved us to another server, have made changes to the server to stop it happening again and I've updated Wordfence which was apparently updated over the weekend for this exact vulnerability.

 

I have Wordfence blocking login attempts from India, Serbia, Croatia, Korea, Italy and Bulgaria at the moment :)

 

Fingers crossed.

