
Compromised site files with incorrect date

Discussion in 'Security' started by belvinip, Apr 21, 2019.

  1. belvinip (Registered; cPanel Access Level: Website Owner; Location: Melbourne)
    Hi,

    My WordPress websites are hacked daily, as well as some other domain directories without a website in them: random .php files are uploaded/injected. Also some WP core files, like index, wp-config, wp-settings, are injected with extra encrypted code. I am quick to delete the problematic code manually, but it comes back the next day, every day. I am sick of it.

    We are changing all FTP, WordPress and cPanel passwords to very difficult ones, updating plugins, deleting all free plugins, doing whatever I can, but I can't identify how the random .php files have been created, or avoid it.

    The most interesting fact is that all the malicious PHP files created on the day state that the "Last Modified Date" was a long time ago. For example, yesterday I checked the website, deleted all malicious files and PHP code, all clean, all good. This morning, some malicious PHP files were created with a Last Modified date of, e.g., 20 Dec 218. How's that possible?

    I am wondering if it is possible to see how the .php files are being injected?
    How are they being added to the account?
    Would the logs help me see where it's coming from? If so, where can I find the logs? Thanks.
    What is the most effective way to avoid them?

    Please see the attached screen capture files.

    Attached files: 1.png, 2.png, 3.png, 4.png, 5.png, code.png
    #1 belvinip, Apr 21, 2019
    Last edited by a moderator: Apr 21, 2019
  2. GOT (Get Proactive! PartnerNOC; cPanel Access Level: DataCenter Provider; Location: Chesapeake, VA)
    The most important thing to do that you have not mentioned is updating all WordPress core, themes and plugins for every site. An outdated WordPress is trivial to exploit and do all the things you are seeing.

    In addition to the listed updates, a lot of themes come with commercial plugins, such as Revolution Slider, that will not list an update even if there is one, unless you purchase a license for the plugin.

    Once you've had a compromise like this, just updating WordPress isn't enough. You could very easily be missing a malware script buried in a site somewhere that is like a PHP shell, which potentially gives the attacker way too much access to all the sites on the server, depending on how you have things set up.

    Since you are listed as a 'website owner' I presume that you do not have root level access, so you may have to engage the support of your host because if cross site attacks are possible, there are things they can do to prevent this.

    You might want to consider getting a service like Sucuri that will not only protect your sites from attack, but perform clean ups on them as well.
  3. belvinip (Registered; cPanel Access Level: Website Owner; Location: Melbourne)
    Hi,

    Thanks so much for your reply and useful suggestions.

    I did actually update all themes and plugins, even Revolution Slider. And yes, I am using both Sucuri and Wordfence; they are helpful to identify the issue and help delete it, but they are not preventing the issue, so I really want to prevent this.

    When you mentioned "root level access", do you mean the cPanel access? I do have full cPanel and FTP access, like setting permissions.

    I have a couple of specific questions:

    With cPanel, can I stop the sites from injecting PHP files into other websites' directories? Currently I have a few websites under my cPanel, and the malicious scripts are injected across different websites. Not sure if it has anything to do with the permissions. My permission setting is 755 for directories and 644 for all files.

    And is there any clue as to why the Last Modified Date is like what I said?

    And is there any way I can identify which plugin the malicious PHP files were created in relation to?
     
  4. GOT (Get Proactive! PartnerNOC; cPanel Access Level: DataCenter Provider; Location: Chesapeake, VA)
    Since it sounds like all these domains are under the same account, they are therefore the same user, and as such, once one area of your account gets compromised, they have access to the entire account.

    Since you are using Sucuri, have you submitted the site for cleanup? They should be able to identify and clean all infected files.

    As for the file modification date, that is trivial for the hackers to modify to fake you out.

    https://www.thegeekstuff.com/2012/11/linux-touch-command/
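As an added check that is not part of this thread: `touch` rewrites a file's mtime (the "Last Modified Date" shown in cPanel's file manager) but cannot rewrite its inode change time (ctime), which the kernel sets whenever the file is written, renamed or chmod'ed. Listing PHP files whose ctime is far newer than their mtime therefore surfaces freshly dropped files that were backdated. This is example code assuming GNU `find`/`stat` (Linux) and a one-day threshold; adjust the directory and threshold to your account.

```shell
#!/bin/sh
# find_backdated_files DIR [THRESHOLD_SECONDS]
# Prints every *.php file under DIR whose ctime is more than THRESHOLD
# seconds newer than its mtime. A normal edit keeps the two within a
# fraction of a second; a gap of days means mtime was set by hand
# (e.g. `touch -d`) after the file was created or changed.
# Assumes GNU stat (%Y = mtime, %Z = ctime, both as epoch seconds).
find_backdated_files() {
    dir="$1"
    threshold="${2:-86400}"   # default: one day

    find "$dir" -type f -name '*.php' -exec stat -c '%Y %Z %n' {} + 2>/dev/null |
    awk -v t="$threshold" '{
        mtime = $1; ctime = $2
        name = $0
        sub(/^[0-9]+ [0-9]+ /, "", name)     # keep paths containing spaces intact
        gap = ctime - mtime
        if (gap > t)
            printf "%s\tmtime=%s\tctime=%s\tgap_seconds=%d\n", name, mtime, ctime, gap
    }'
}

# Usage from the shell: find_backdated_files ~/public_html
if [ "$#" -gt 0 ]; then
    find_backdated_files "$@"
fi
```

Because ctime is not under the attacker's control without root, `find DIR -name '*.php' -ctime -1` is the quick companion check for anything changed in the last day regardless of the displayed date.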
  5. cPanelLauren (Forums Analyst II, Staff Member; cPanel Access Level: DataCenter Provider; Location: Houston)
    I cannot stress enough how important the advice @GOT provided here is:

    This is also great advice:

    But ultimately, if you're still experiencing an issue after trying all of these, I'd suggest enlisting the assistance of a qualified system administrator. If you don't have one, you might find one here: System Administration Services | cPanel Forums

    Thanks!