The Community Forums


CSF Suspicious Process - Wordpress

Discussion in 'Security' started by Justin Leroux, Aug 18, 2015.

  1. Justin Leroux

    Justin Leroux Registered

    Good Day,

    I wasn't sure if this should be posted here or on the WordPress Forums. As a web host I have dealt with malware before; however, as of late one client seems to always be infected.

    The infected are always different and no, it doesn't seem to matter if WordPress is reinstalled, rehashed and the MySQL passwords changed.

    Last night I received 60 messages from CSF containing:

    Code:
    Time: Tue Aug 18 08:39:30 2015 -0400
    PID: 7792 (Parent PID:5275)
    Account: USERNAME
    Uptime: 3722 seconds
    
    
    Executable:
    
    /usr/bin/php
    
    
    Command Line (often faked in exploits):
    
    /usr/bin/php /home/USERNAME/public_html/coach4food/wp-includes/SimplePie/Net/lib.php
    
    
    Network connections by the process (if any):
    
    tcp: 168.144.187.84:42278 -> 63.250.192.45:25
    
    
    Files open by the process (if any):
    
    
    
    Memory maps by the process (if any):
    
    
    I am using both Pyxsoft and ClamAV. According to Pyxsoft, it is a {HEX}.php.base64.v23au.183.

    I am at a loss here. WordPress has been updated, all plugins are recognized and reliable. The malware has jumped to all of the user's WordPress sites.

    Thanks in advance,
     
    #1 Justin Leroux, Aug 18, 2015
    Last edited by a moderator: Aug 18, 2015
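
A triage sketch for the batch of alerts described in the post above, as an added example that is not part of the original thread and not code from CSF: it parses the alert layout quoted there and collapses alerts into one entry per account and script when the process opened a direct SMTP connection. The sample alerts, account name, paths and addresses are constructed, and treating ports 465 and 587 as SMTP alongside 25 is an assumption.

```python
import re

SECTION = re.compile(r"^(Executable|Command Line|Network connections|Files open|Memory maps)\b.*:$")
CONN = re.compile(r"^(\w+): (\S+):(\d+) -> (\S+):(\d+)$")
SMTP_PORTS = {25, 465, 587}  # assumption: the post only shows port 25

def parse_alert(text):
    """Split one alert body into header fields and named sections."""
    alert = {"fields": {}, "sections": {}}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            alert["sections"][current] = []
        elif current:
            alert["sections"][current].append(line)
        elif ":" in line:
            key, value = line.split(":", 1)
            alert["fields"][key] = value.strip()
    return alert

def triage(alert):
    """Return (script, SMTP destinations, script-in-WordPress-core-dir)."""
    # The command line can be faked (the alert says so); treat it as a lead only.
    cmd = " ".join(alert["sections"].get("Command Line", []))
    script = next((a for a in cmd.split()[1:] if a.endswith(".php")), None)
    dests = []
    for line in alert["sections"].get("Network connections", []):
        m = CONN.match(line)
        if m and int(m.group(5)) in SMTP_PORTS:
            dests.append(f"{m.group(4)}:{m.group(5)}")
    in_core = bool(script and re.search(r"/wp-(includes|admin)/", script))
    return script, dests, in_core

def summarize(alerts):
    """Collapse a batch of alerts into one entry per (account, script)."""
    groups = {}
    for text in alerts:
        alert = parse_alert(text)
        script, dests, in_core = triage(alert)
        if not dests:
            continue  # no direct SMTP connection: not the pattern from the post
        key = (alert["fields"].get("Account"), script)
        g = groups.setdefault(key, {"alerts": 0, "smtp_dests": set(), "in_wp_core_dir": in_core})
        g["alerts"] += 1
        g["smtp_dests"].update(dests)
    return groups

def sample(pid, script, conn):
    # Constructed alert in the layout quoted in the post (values are made up).
    return (f"Time: Tue Aug 18 08:39:30 2015 -0400\nPID: {pid} (Parent PID:5275)\n"
            f"Account: exampleuser\nUptime: 3722 seconds\n\nExecutable:\n\n/usr/bin/php\n\n"
            f"Command Line (often faked in exploits):\n\n/usr/bin/php {script}\n\n"
            f"Network connections by the process (if any):\n\n{conn}\n\n"
            "Files open by the process (if any):\n\n")

MAILER = "/home/exampleuser/public_html/site1/wp-includes/SimplePie/Net/lib.php"
SAMPLES = [
    sample(7792, MAILER, "tcp: 192.0.2.10:42278 -> 198.51.100.25:25"),
    sample(7801, MAILER, "tcp: 192.0.2.10:42290 -> 198.51.100.77:25"),
    sample(7900, "/home/exampleuser/public_html/site1/wp-cron.php", ""),
]

if __name__ == "__main__":
    for (account, script), info in summarize(SAMPLES).items():
        print(account, script, info["alerts"], sorted(info["smtp_dests"]), info["in_wp_core_dir"])
```

Each resulting entry names one script to quarantine and inspect, with the number of alerts it produced and the mail servers it contacted.
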
  2. quizknows

    quizknows Well-Known Member

    Updating only helps so much after the fact. Once one WP site on an account is infected, it is trivial for the hacker to infect any addon domains or other installations. This is one of the main reasons I generally advise against heavy use of addon domains; it is far more secure to put each domain in its own cPanel account to separate the user privileges.

    If you are not experienced in cleaning hacked sites you may wish to either completely reinstall and rebuild the site, or hire a professional to analyse and clean the infection if possible.
     