Abuse complaint regarding my server

Georgios Efthymiou (Registered, joined Dec 12, 2018, Greece, cPanel Access Level: Root Administrator)
Hi,

I have the same problem as the one described in this (closed) thread with similar logs. Same hosting provider too.
I searched the server thoroughly and I didn't find infected files or malicious links. I only found "/furanet/sites/" in the webalizer logs.

Any help would be much appreciated.

@webmasteryoda how did you solve the problem?

Thank you,
George

webmasteryoda (Well-Known Member, joined Apr 3, 2013, Serbia, cPanel Access Level: Root Administrator)
SNIFFING OUTGOING TRAFFIC

First, install tcpdump. Then try this:

tcpdump -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'
(incoming and outgoing traffic altogether)

tcpdump -Q out -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'
(outgoing traffic)

tcpdump -Q in -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'
(incoming traffic)

top -n 50 -d 0.3 -b > /tmp/aaa15.txt
(top info in a log file)

Then try to examine the data that you receive via tcpdump. Try to disable all accounts and activate them again one by one. My problem was with one infected nulled WordPress theme. I suspended that account and the problem was solved.

Good luck

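The BPF expression in the post above is compact but opaque: `tcp[12:1] & 0xf0` is the TCP data-offset nibble, `>> 2` turns it into the header length in bytes, and `tcp[<that>:4] = 0x504f5354` compares the first four payload bytes with the ASCII for "POST". The following script is an added example, not part of the original post and not tcpdump's own code. It rebuilds that filter logic in Python over constructed IPv4/TCP packets (documentation-range addresses, made-up hostnames and request bodies) so you can see why the data-offset arithmetic matters when the TCP header carries options, and how one would pull the destination host and path out of a matching request, which is the piece of the `tcpdump -A` output that tells you where the malware is posting to.

```python
import struct
from typing import List, Optional, Tuple

# Constructed sample addresses (RFC 5737 documentation ranges), not real hosts.
SRC_IP = bytes([192, 0, 2, 10])      # the compromised server
DST_IP = bytes([203, 0, 113, 5])     # an outside host being contacted


def build_ipv4_tcp(dst_port: int, payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Build a minimal IPv4+TCP packet. Checksums are left zero; the tcpdump filter
    never looks at them. Options are padded to a 32-bit boundary as TCP requires."""
    tcp_options += b"\x00" * (-len(tcp_options) % 4)
    tcp_header_len = 20 + len(tcp_options)
    offset_and_flags = ((tcp_header_len // 4) << 12) | 0x018   # data offset in words, PSH|ACK
    tcp_header = struct.pack("!HHIIHHHH", 40000, dst_port, 1, 1,
                             offset_and_flags, 65535, 0, 0) + tcp_options
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_header_len + len(payload),
                            0, 0x4000, 64, 6, 0, SRC_IP, DST_IP)
    return ip_header + tcp_header + payload


def tcp_dst_port_and_payload(ip_packet: bytes) -> Tuple[int, bytes]:
    """Locate the TCP payload the same way the BPF expression does."""
    ihl = (ip_packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ip_packet[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = ip_packet[ihl:]
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    # BPF: (tcp[12:1] & 0xf0) >> 2  ==  data-offset-in-words * 4  ==  TCP header length in bytes
    header_len = (tcp[12] & 0xF0) >> 2
    return dst_port, tcp[header_len:]


def matches_post_filter(ip_packet: bytes, port: int = 80) -> bool:
    """Python rendering of:
    tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)"""
    dst_port, payload = tcp_dst_port_and_payload(ip_packet)
    return dst_port == port and payload[:4] == b"POST"    # 0x504f5354 == b"POST"


def request_target(payload: bytes) -> Optional[str]:
    """Return 'host/path' from an HTTP request start line plus Host header; this is
    what you read out of tcpdump -A output to learn which outside domain is contacted."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return None
    host = "?"
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            break
    return host + parts[1].decode("ascii", "replace")


def outbound_posts(packets: List[bytes]) -> List[str]:
    """Apply the filter to a packet list and summarise every hit as host/path."""
    hits = []
    for pkt in packets:
        if matches_post_filter(pkt):
            _, payload = tcp_dst_port_and_payload(pkt)
            hits.append(request_target(payload) or "?")
    return hits


# Constructed traffic: one outbound POST, one GET, the same POST in a segment whose TCP
# header carries NOP/NOP/Timestamps options (32-byte header), and a POST to port 443.
POST_BODY = b"POST /gate.php HTTP/1.1\r\nHost: c2.example.net\r\nContent-Length: 0\r\n\r\n"
GET_BODY = b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
TS_OPTION = b"\x01\x01\x08\x0a" + b"\x00" * 8
SAMPLE_PACKETS = [
    build_ipv4_tcp(80, POST_BODY),
    build_ipv4_tcp(80, GET_BODY),
    build_ipv4_tcp(80, POST_BODY, TS_OPTION),
    build_ipv4_tcp(443, POST_BODY),
]

if __name__ == "__main__":
    for target in outbound_posts(SAMPLE_PACKETS):
        print("outbound POST to", target)
```

Three caveats when running the real commands: the filter only sees the first bytes of each segment, so a POST whose start line arrives mid-stream is missed; anything the malware sends over HTTPS (port 443) is not readable this way, so watch the destination IPs and ports rather than expecting request bodies; and the `-Q in|out` direction switch exists only in newer tcpdump builds (older ones used `-P`), and tcpdump itself has to run as root.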
Georgios Efthymiou

Hi,

I had suspended the account that I suspected was the "evil" one before installing tcpdump, and informed the VPS provider. The provider told me that the server seemed to be OK then.
However, I don't know the exact problem, I only know that there is some malware running deep inside a WordPress installation of this account.
Furthermore, I have downloaded a backup of this account and now I'm trying to locate the malware on localhost.
I avoid unsuspending the account before I find something, because the problem will recur and the VPS provider will warn me about closing access again.

In any case, I'll run some tcpdump commands and let you know about the results in the next few days.

Thank you for your interest,
George

Georgios Efthymiou

Hi,

Infopro, thank you for the hint. Neither the online scanner of Sucuri nor the Sucuri WordPress plugin found any problem.

However, I managed to find that there was malware inside the WordPress SEO plugin (aka Yoast):
There was a folder named "vendor" and some subfolders that don't normally exist, named "pimple", "psr", "ruskusing". Especially inside the "ruskusing" folder there were PHP, C and even sqlite3 files. I found it while searching for hacking files with common names, like 1.php, according to this useful post: smashingmagazine.com/2012/10/four-malware-infections-wordpress.
So I searched for 1.php and I found 001.phpt inside the "pimple" folder and the hack began to unfold.

I cleaned up the database, which was severely infected. In the database there were records pointing to external IPs.
Also bear in mind that if the "404 to 301" plugin is installed, it makes it difficult to trace the redirects.
Furthermore, I uninstalled this plugin and some more, changed the WP admin username and password, database name, database user and password, and the WordPress hashes in wp-config.php, and ran new scans.
I don't know what was the exact cause of the problem, because my client hosted the infected website in another company till the end of November. Maybe some nulled plugin or something else, it's hard to tell.

In any case, the commands webmasteryoda suggested were really helpful, because that way one can record the redirects and generated traffic to external domains.

Time will show if the website is fully cleaned or there are backdoors the hackers could use to strike again. Any further advice would be much appreciated.

Thank you,
George