Compromised WordPress and file permissions question

Thunderchild

Well-Known Member
Jan 28, 2018
86
3
8
UK
cPanel Access Level
Root Administrator
I have a site on my server that keeps getting hacked. Various files get changed. I have already changed my password and the site admin has changed his, but it has happened again. I have the plugins below. I am wondering if folder permissions are good enough. For example, the WordPress includes folder is at 755; can this be improved without preventing the site from working? Can a "simple" user account change files?


- Removed-
 

Thunderchild

OK great, I guess I'll have to go off and learn on my own... before I get hacked again. I was hoping for a quick answer on file/folder permissions. I have already noticed that if I install WordPress through cPanel it sets some files with different permissions to an independent install. Whoever is doing this came back overnight and did more damage than they did before, despite Wordfence being installed. The site runs WordPress as a forum as well, and I found a user (the last one to register) with a dubious name and email, so I deleted it. But this was a simple user; how were they able to modify over 100 files as a simple user? Before I become an amateur expert in security after this site is obliterated, the most obvious course of action is to make sure all files are locked down and not open to modification. The only thing I can think of is that this user, being a user, had enough permission to modify WordPress files.
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
462
113
UK
cPanel Access Level
Root Administrator
Here are some links that might help :

How to Clean a Hacked WordPress Site using Wordfence - Wordfence
FAQ My site was hacked « WordPress Codex

........ and probably one of the most relevant :

How To Find & Fix A Backdoor In Hacked WordPress Site?

Regarding your file permissions, I believe that cPanel requires /public_html folders to be 755 and files to be 644.

Changing the file permissions to say 444 (read only) may seem like a good idea to stop the files from being corrupted again, but may break cPanel from being able to display the site, and does not address the problem of how someone got access to corrupt the files in the first place.

Fix the problem... not the symptom! Someone is already in your house; locking the doors now won't achieve much o_O
 

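Added example, not from any post in this thread: a POSIX shell audit of a WordPress docroot against the 644 (files) / 755 (directories) baseline rpvw refers to, plus a listing of anything world-writable and a reset to the baseline. The sample tree, its temp path and the function names are constructed for illustration; point the audit functions at a real docroot and run them as the cPanel account user.

```shell
#!/bin/sh
# Added example (not from this thread): audit a WordPress docroot against
# the 644 (files) / 755 (directories) baseline and flag anything world-writable.
# Assumes POSIX find(1), chmod(1) and mktemp(1); the sample tree is constructed.

# List files not mode 644 and directories not mode 755 under $1.
wp_perm_deviations() {
    find "$1" -type f ! -perm 644 -print
    find "$1" -type d ! -perm 755 -print
}

# List anything writable by "other": the worst case on a shared cPanel box,
# because every other account's processes (and a web shell in one of them)
# can then write to it.
wp_world_writable() {
    find "$1" -perm -o+w -print
}

# Numeric count, convenient for a cron job that mails only when non-zero.
wp_perm_deviation_count() {
    wp_perm_deviations "$1" | wc -l | tr -d ' '
}

# Reset a docroot to the baseline. Run as the cPanel account user, against a
# path you have checked, never blindly as root.
wp_perm_reset() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree with two deliberate mistakes, so the functions can
# be exercised without touching a live site. Prints the temp path.
build_sample_docroot() {
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/wp-includes" "$d/wp-content/uploads"
    printf '<?php\n' > "$d/index.php"
    printf '<?php\n' > "$d/wp-includes/functions.php"
    printf '<?php\n' > "$d/wp-content/uploads/shell.php"
    chmod 755 "$d" "$d/wp-includes" "$d/wp-content"
    chmod 644 "$d/index.php" "$d/wp-includes/functions.php"
    chmod 777 "$d/wp-content/uploads"            # wrong: world-writable directory
    chmod 666 "$d/wp-content/uploads/shell.php"  # wrong: world-writable file
    printf '%s\n' "$d"
}

# Stand-alone run: build, audit, reset, re-audit, clean up.
main() {
    root=$(build_sample_docroot)
    echo "deviations before reset: $(wp_perm_deviation_count "$root")"
    wp_world_writable "$root"
    wp_perm_reset "$root"
    echo "deviations after reset: $(wp_perm_deviation_count "$root")"
    rm -rf "$root"
}

main
```

The caveat that answers the original question: on a cPanel server PHP runs as the account user (suPHP, mod_ruid2 or PHP-FPM), and that user owns the files, so once an attacker is executing code inside the account, 644/755 is no obstacle at all; the owner can write to, or chmod, anything. Tightening further to 444 mostly breaks updates and uploads. The audit is still worth running after a clean-up, because world-writable paths are what lets a compromise in one account spill into another on a server without Jail Apache or CageFS, and because drift from the baseline after a restore is a cheap signal that something is still touching the files.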
rpvw

If you have done "all you can" but your Wordpress site is still getting compromised, you have obviously not done "everything that might be necessary", so I would suggest that now would be the time to take advantage of paid support from the Wordfence Site cleaning service, and/or from some other reliable and competent source.

Passing the blame onto WordPress (or cPanel) security is not going to resolve your issues, and if WordPress did have a fundamental security flaw in its core code, we would be seeing reports coming in from tens of thousands of sites (which we are NOT), so it is safe to assume your issue was caused by something you have on your server/site, and was most likely the result of the WordPress core files, or a WordPress plugin or theme, not being updated in a timely manner by the webmaster, and a miscreant taking advantage of a known and published security flaw.

Remember that once someone has established a back door into an account (and it may not necessarily be the account that hosts the Wordpress site) they may install a web-shell or other RAT code that may enable them to manipulate any account or files on the server at will - they may even be able to elevate their privileges to root or near-root levels.

Unless you are running a special environment that cages your users into their own areas, you should not dismiss the possibility that a server exploit may have escaped the account that you are seeing the changed files in, or may have come in from another direction altogether.

If you are not comfortable with performing a forensic examination of your server and sites to pinpoint the source of the exploit ingress, and then take whatever subsequent actions may be appropriate, you should probably seek commercial expert help.

Sorry for the bad news - but I hope you get your issues resolved satisfactorily :)
 

Thunderchild

I was not blaming anyone, simply saying that I have indeed exhausted the Wordfence capabilities and it is time to make sure WordPress is also secure. I warned the user against a WordPress-based forum but he would not listen. His plugins appear to be all reputable ones.
 

Thunderchild

Well, no further modifications to any of the site files.

I am looking at the server security and under a cPHulk brute force protection page I see a country blacklist/whitelist. What does this apply to? Any access to the server, including just viewing the websites, or is this just logins to cPanel? All of my customers are UK based.
 

rpvw

cPHulk will provide protection against brute force logins to the following services :
  • cPanel services (Port 2083).
  • WHM services (Port 2087).
  • Mail services (Dovecot and Exim).
  • The PureFTPd service.
  • Secure Shell (SSH) access.
cPHulk is NOT a firewall in itself, although you can configure it to write to your firewall if a brute force protection is triggered.

Given the inaccuracies of ALL the geolocation IP lists, it is certainly useful to have a country list to enable/disable, but one cannot absolutely rely on it (and of course all your miscreants would need to do would be to connect via a blind proxy in a whitelisted country!), and this will not block any exploits that are the result of a WordPress administrative login anyway.

cPHulk Brute Force Protection - Version 74 Documentation - cPanel Documentation

A far more useful service against all sorts of potential exploits is ModSecurity™. I have found that the OWASP ModSecurity Core Rule Set V3.0 is really very good, and will protect all your clients' sites against a wide variety of exploit attempts, including most XSS and injection attempts.

ModSecurity Tools - Version 74 Documentation - cPanel Documentation

Some sites may require certain ModSec rules to be disabled, and for that I would recommend using the free ConfigServer ModSecurity Control plugin which will allow you to disable target rules for certain users (or globally if necessary)

ConfigServer ModSecurity Control (cmc)

Hope this helps.
 

Thunderchild

OK, well, it is a start as all of my users are in the UK. I have been looking at the logs for traffic in Wordfence and indeed there are a few from Russia, Vietnam and Pakistan. They all try to go straight to a certain post or user profile from the main page, which means it's not a normal human visitor, as they all try to go directly to unapproved forum posts or now-deleted user accounts without going through site links, i.e. they are returning spammers to what they put there before. Some try to directly log in to accounts previously set up that have not been activated.

However, as you suggest, a small minority appear to be in the UK; for all I know these may even be from bots set up on other hacked UK servers or, as you suggest, someone using a proxy. So no, I am not expecting to solve it all with a blacklist, but plenty of people from dodgy countries that have no business accessing anything other than the public websites are happily not disguising their location, and blocking the bigger offending countries outside of Europe will at least make them work harder or not bother if it's a simpler attack.
 
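Added example, not from any post in this thread: the same triage done from the raw Apache access log rather than from Wordfence's screen, so it works for every account on the server. It counts POSTs to wp-login.php and xmlrpc.php per source address, lists addresses over a threshold, and counts login POSTs that arrive with no Referer (a browser submitting the real form sends the login page as Referer; scripted guessing usually sends none). The log lines are constructed and use RFC 5737 documentation addresses; the function names are mine.

```shell
#!/bin/sh
# Added example (not from this thread): pick out login brute-force sources from
# Apache combined-format access log lines (on cPanel, the account's domlog under
# /usr/local/apache/domlogs). Assumes POSIX awk(1) and sort(1); the log lines
# below are constructed and use RFC 5737 documentation addresses.

# Constructed sample: one scripted attacker, one xmlrpc.php prober, one human.
SAMPLE_LOG='203.0.113.10 - - [28/Jan/2018:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Jan/2018:03:14:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Jan/2018:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Jan/2018:03:14:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Jan/2018:03:20:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 612 "-" "python-requests/2.18"
198.51.100.7 - - [28/Jan/2018:03:20:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 612 "-" "python-requests/2.18"
192.0.2.5 - - [28/Jan/2018:09:01:12 +0000] "GET /wp-login.php HTTP/1.1" 200 2901 "https://example.com/" "Mozilla/5.0"
192.0.2.5 - - [28/Jan/2018:09:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"'

# stdin: log lines. stdout: "<count> <ip>" for POSTs to wp-login.php or
# xmlrpc.php, busiest first. Field 6 is the quoted method, field 7 the path.
wp_login_attempts() {
    awk '$6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { n[$1]++ }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# stdin: log lines. stdout: addresses with at least $1 login POSTs.
wp_login_offenders() {
    wp_login_attempts | awk -v t="$1" '$1 + 0 >= t + 0 { print $2 }'
}

# stdin: log lines. stdout: count of wp-login.php POSTs whose Referer is "-".
# Field 11 is the quoted Referer in the combined format.
wp_login_no_referer() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $11 == "\"-\"" { c++ }
         END { print c + 0 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | wp_login_attempts
printf 'offenders (>=3): %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | wp_login_offenders 3)"
printf 'login POSTs without Referer: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | wp_login_no_referer)"
```

On a live server feed the account's domlog in on stdin and pick a threshold well above what a forgetful human produces. The Referer heuristic is a supporting signal, not proof: privacy extensions and some corporate proxies strip Referer, so use it to rank, not to block. The addresses this surfaces are exactly what cPHulk cannot see, because wp-login.php is an Apache request, not a cPanel, mail, FTP or SSH login; the place to act on them is the firewall (CSF) or a ModSecurity rule, not cPHulk.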

Thunderchild

Oh, and as for not blaming cPanel or WordPress: WordPress was designed to make setting websites up easy for anyone. I see plenty of advice against using it for a forum, and this would seem correct; I have even been warned in the past about the security of WordPress itself. I still don't know how they got in, as nothing silly was done.

My WHM has warned of plenty of critical problems with... itself. It would appear that WHM is installed by choice with many of its own recommendations not in place. But then of course at every turn I am urged to buy CloudLinux, and plenty of companies, some recommended by cPanel, offer to fix hacked websites, and let's face it, by "seasoned and experienced", when they refer to their teams, they mean that, given that they are constantly fixing the same system, clearly once you learn to deal with one hack type you can have plenty of success using the same method on the same type on many websites.

I'm sure the simple actions I took on behalf of my hacked user would have commanded a couple of hundred dollars or more from one of these so-called experts.
 

rpvw

I am delighted to see you have resolved your issues.

So that we can all make sure our users do not suffer from the same vulnerabilities, perhaps you could share with the community exactly how your site got hacked and what malware (if any) was installed that was altering the files on your user's WordPress site, or how the hackers kept on altering the files after all the passwords had been changed? And, of course, exactly how you cleaned or disinfected the server/website and subsequently secured it?
 

Thunderchild

Well, I'm not sure what it was, but they were trying to redirect people to another site to enter login details, I think. I simply replaced the altered files with original copies from WordPress and the plugins. I installed Wordfence and followed all of the recommendations; I have set fairly tight restrictions on the blocking of users that get their login details wrong.

As I said, I still don't know how they got in. The only way I can explain the second attack, if I have truly stopped them, was that the other admin user took too long to change his password. I have enabled the WHM brute force prevention settings that you suggested, as well as blacklisting all non-European countries.

I removed the xmlrpc.php API from all WordPress sites. I don't know if that is how they were guessing their way in in the first place, as it bypasses what security WordPress has.

If it's any consolation to the "experts", another user has gone to his site and found it all ready to install WordPress again, so it's not all over yet :(

There was no malware installed per se; they modified just about every JavaScript file they could get their hands on.
 

Thunderchild

3 WordPress sites have been reduced to blank copies of WordPress ready for reinstall. Wonder how that happened... oh yeah, cPanel ship WHM with no security enabled. ModSecurity has picked up various attacks since this morning, with a list of nearly 100 entries; naturally, in classic Linux style, information is scant, and I have no idea if the log is telling me this bad stuff happened or if it was blocked. Thanks to the bog-standard installation these people just walked in!
 
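Added example, not from any post in this thread, for the "was it blocked or did it just happen" question. With the OWASP CRS 3 in its default anomaly-scoring mode each matching rule writes a `ModSecurity: Warning.` entry to the Apache error_log, and only the final evaluation rule (id 949110) writes `ModSecurity: Access denied with code 403` when the summed score crosses the threshold. The functions below separate the two and pull out rule id, client and URI. The log lines are constructed and shortened (real entries carry more `[file]` and `[tag]` fields); the function names are mine.

```shell
#!/bin/sh
# Added example (not from this thread): triage ModSecurity entries in the Apache
# error_log so that "detected and scored" and "actually blocked" are not confused.
# Assumes POSIX awk(1), grep(1) and sed -E. The three lines below are constructed.

MODSEC_SAMPLE='[Mon Jan 29 09:12:45.101 2018] [:error] [pid 2201] [client 203.0.113.10:51234] ModSecurity: Warning. detected SQLi using libinjection with fingerprint s&1 [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "example.com"] [uri "/wp-login.php"] [unique_id "Wm7sDQAAAAA"]
[Mon Jan 29 09:12:45.102 2018] [:error] [pid 2201] [client 203.0.113.10:51234] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "example.com"] [uri "/wp-login.php"] [unique_id "Wm7sDQAAAAA"]
[Mon Jan 29 09:13:02.417 2018] [:error] [pid 2203] [client 198.51.100.7:40022] ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "example.com"] [uri "/"] [unique_id "Wm7sEgAAAAB"]'

# stdin: error_log lines. stdout: "blocked N warning N".
modsec_summary() {
    awk '/ModSecurity: Access denied/ { b++ } /ModSecurity: Warning/ { w++ }
         END { printf "blocked %d warning %d\n", b + 0, w + 0 }'
}

# stdin: error_log lines. stdout: "<rule id> <client ip> <uri>", one per
# blocked request. The client field carries a port in Apache 2.4; it is dropped.
modsec_blocked_rules() {
    grep 'ModSecurity: Access denied' \
    | sed -E 's/.*\[client ([^]:]+)[^]]*\].*\[id "([0-9]+)"\].*\[uri "([^"]+)"\].*/\2 \1 \3/'
}

# stdin: error_log lines. stdout: "<count> <rule id>" for rules that fired but
# did not themselves block: the list to review before disabling anything in cmc.
modsec_warning_rules() {
    grep 'ModSecurity: Warning' \
    | sed -E 's/.*\[id "([0-9]+)"\].*/\1/' | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$MODSEC_SAMPLE" | modsec_summary
printf '%s\n' "$MODSEC_SAMPLE" | modsec_blocked_rules
printf '%s\n' "$MODSEC_SAMPLE" | modsec_warning_rules
```

Reading the sample: the SQLi rule 942100 alone only scored the wp-login.php request; the 403 came from 949110 one line later for the same `unique_id`, so that request was blocked. The XSS hit from the second client was scored but never reached the threshold, so it went through. When a site owner complains and you reach for the ConfigServer ModSecurity Control plugin, disable the specific rule id that appears in the warning list for their legitimate traffic, not 949110, which would switch blocking off for that account entirely.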

Infopro

Well-Known Member
May 20, 2003
17,090
516
613
Pennsylvania
cPanel Access Level
Root Administrator
I'm sorry to hear you're having these security issues.

If you wouldn't mind, please visit this area in your WebHost Manager and see if that check comes up with any security issues:
WebHost Manager »Security Center »Security Advisor

If any come up red, what are they?

Assuming you now have ConfigServer firewall installed, please visit this area in WebHost Manager:
WebHost Manager »Plugins »ConfigServer Security & Firewall

Click, Check Server Security.

If any come up red, what are they?

If you prefer you don't have to do this.

they modified just about every java script file they could get their hands on.
Your site(s) have clearly been compromised, going by this comment. If you're unsure of how to clean up this sort of issue, please contact your Hosting Provider for help or suggestions. Or, you might consider looking into hiring an expert to assist you. Here are a few suggestions:
System Administration Services | cPanel Forums

If you know for sure which account is the one having the issues, I suggest you suspend it. That should prevent anyone but you from having access to its file system until you can sort these issues out.

Assuming you've got proper backups enabled, you might be able to restore the account from a backup prior to the issues, and then take a closer look at the files and directories on that account. You might be looking at the file and directory dates in the plugins directories for example. Oddly named directories or files with recent dates, that sort of thing.

If the user on this account can be reached, ask them if they've installed any new add-ons in the past 6 months or so. If they say no, and something on that account has a new date stamp, you might have something to go on. If they've installed an add-on or new style, what is it, is it up to date, and did they possibly install a pirated version?



wordpress was designed to make setting websites up easy for anyone
This is true. But, there is more to all of this than installing a few scripts and add-ons and away you go. Assuming you're managing your own server, you might consider moving to a managed server. You can find some of the best, Managed services providers from cPanel Partners using this search page:
The Hosting Platform of Choice | cPanel, Inc.

My apologies I can't help more but compromised sites/servers require an expert admin with direct access to the system to sort out. If it can be sorted out.

GL with this.
 

Thunderchild

Apache vhosts are not segmented or chroot()ed. Enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”

The MySQL service is currently configured to listen on all interfaces: (bind-address=*). Configure bind-address=127.0.0.1 in /etc/my.cnf, or close port 3306 in the server’s firewall.

I have disabled the shell access full stop, so I don't know why this is an issue. I assume jailed means enabled but with restrictions? The tweak setting is greyed out and so I can't do anything with it. I am not on CloudLinux.

The second issue is double Dutch to me. I suspect that, thanks to the total lack of security (meaning the actual bundled security was not enabled), these people just walked into every account on the server with a brute force attack. Thanks a bunch. The reason I bought a commercial solution was with the expectation that I was purchasing something fit for use and not some hacked-together freeware thing where again I need to hire experts.

It's even complaining about the password strengths! The default ones set up by cPanel!!!!

Last time I tried installing a third party firewall it nearly locked me out of my own server because a user trying to access emails over a non-STARTTLS connection was upsetting it, and his iPhone gave him no options.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
Hello @Thunderchild,

It's unfortunate to see that one of your accounts was compromised. That's never a good experience, and not knowing the source of the attack can be unsettling. I'd like to help get you moving forward in the right direction.

Do you happen to know which version of WordPress was installed? One of the more common targets for hackers is outdated installations with unpatched vulnerabilities. If it was a brute force attack, the following thread includes some useful discussion on how to help prevent those in the future:

wp-login.php and mod security

Apache vhosts are not segmented or chroot()ed. Enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”
Here's a thread where this option is discussed in more detail:

Apache vhosts are not segmented or chroot()ed

Feel free to respond to that post if you have any additional questions about that particular option and we can continue the discussion there.

The MySQL service is currently configured to listen on all interfaces: (bind-address=*). Configure bind-address=127.0.0.1 in /etc/my.cnf, or close port 3306 in the server’s firewall.
Generally the best approach to address this warning is to add the following line to the /etc/my.cnf file so that MySQL does not listen to connections on all interfaces:

Code:
bind-address=127.0.0.1
Last time I tried installing a third party firewall it nearly locked me out of my own server because a user trying to access emails over a non-STARTTLS connection was upsetting it, and his iPhone gave him no options.
Do you happen to remember the name of the firewall application you installed? The most common one we see used with cPanel & WHM is CSF by ConfigServer. I'm happy to help troubleshoot any issues that arise post-installation if you'd like to give this one a shot.

Thank you.
 
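Added example, not from any post in this thread: how to verify the MySQL Security Advisor item both ways, from what /etc/my.cnf says and from what the kernel actually has listening, so the change above can be confirmed after the restart rather than assumed. The my.cnf fragments (the flagged setting beside the corrected one) and the `ss -ltn` output are constructed; the function names are mine. The live check assumes `ss` from iproute2.

```shell
#!/bin/sh
# Added example (not from this thread): check the MySQL bind-address two ways,
# from the config file and from the listening sockets. Assumes POSIX awk(1);
# the live check assumes ss(1) from iproute2. All inputs below are constructed.

# Constructed /etc/my.cnf fragments: the setting Security Advisor flags, then
# the corrected one from the reply above.
MYCNF_WEAK='[mysqld]
datadir=/var/lib/mysql
bind-address = *
[mysqld_safe]
log-error=/var/log/mysqld.log'

MYCNF_FIXED='[mysqld]
datadir=/var/lib/mysql
bind-address = 127.0.0.1
[mysqld_safe]
log-error=/var/log/mysqld.log'

# Constructed output of: ss -ltn   (State Recv-Q Send-Q Local:Port Peer:Port)
SS_WEAK='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 *:3306 *:*
LISTEN 0 128 127.0.0.1:783 0.0.0.0:*'

SS_FIXED='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:783 0.0.0.0:*'

# stdin: my.cnf. stdout: the effective bind-address inside [mysqld] (the last
# one wins, as in the server itself), or "unset", which the server also treats
# as all interfaces.
mycnf_bind_address() {
    awk -F= '/^[ \t]*\[/ { sect = $1; gsub(/[ \t]/, "", sect) }
             sect == "[mysqld]" && $1 ~ /^[ \t]*bind[-_]address[ \t]*$/ { v = $2; gsub(/[ \t]/, "", v) }
             END { print (v == "" ? "unset" : v) }'
}

# stdin: ss -ltn output. stdout: every local address:port on 3306 that is not
# loopback, i.e. reachable from other hosts unless the firewall drops it.
mysql_exposed_listeners() {
    awk '$1 == "LISTEN" && $4 ~ /:3306$/ && $4 !~ /^127\./ && $4 !~ /^\[::1\]/ { print $4 }'
}

# stdin: ss -ltn output. stdout: "exposed" or "loopback-only".
mysql_exposure() {
    if [ -n "$(mysql_exposed_listeners)" ]; then echo exposed; else echo loopback-only; fi
}

# Stand-alone run over the constructed inputs. On a real server replace the
# printf with:  mycnf_bind_address < /etc/my.cnf   and   ss -ltn | mysql_exposure
printf 'weak config:  %s\n' "$(printf '%s\n' "$MYCNF_WEAK" | mycnf_bind_address)"
printf 'fixed config: %s\n' "$(printf '%s\n' "$MYCNF_FIXED" | mycnf_bind_address)"
printf 'weak sockets: %s\n' "$(printf '%s\n' "$SS_WEAK" | mysql_exposure)"
printf 'fixed sockets: %s\n' "$(printf '%s\n' "$SS_FIXED" | mysql_exposure)"
```

Two things to check before you make the change. First, any host added under cPanel's Remote MySQL feature, and any external application that connects to this server's database, stops working once the listener is loopback-only; if such clients exist, the other option Security Advisor names (leave the listener, restrict port 3306 in CSF to those specific peer addresses) is the one to take. Second, the config check alone is not proof: edit the file, restart MySQL, and then run the socket check, because the advisor warning is about what is actually listening.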

Thunderchild

The first site to be compromised was up to date WordPress-wise, but on logging in some plugins did require updating; this site has only been live for a few months, so nothing was drastically out of date. WordPress updates itself these days if it is a minor update.
 

Thunderchild

Hello @Thunderchild,

Do you happen to remember the name of the firewall application you installed? The most common one we see used with cPanel & WHM is CSF by ConfigServer. I'm happy to help troubleshoot any issues that arise post-installation if you'd like to give this one a shot.

Thank you.
Yeah, that one. It made no sense to me. My provider has a firewall but apparently it's not much cop.
 
