Getting screwed over, need urgent help.

Nishant80

Well-Known Member
May 7, 2012
Hi,
For about a week we have been getting a LOT of complaints from our datacenter about a few of our websites holding phishing pages, shells, deface pages etc. I have tried clamav and maldet, but they don't seem to help a lot.

I just got another complaint. The site is not EXACTLY defaced, but it has a "hacked" page uploaded inside
Code:
wp-content/themes/twentyten/x.php
Not to mention the site is using WordPress. My question is, how can I check when and how this file was uploaded?

And what can I do to prevent these things?
 

jerrybell

Well-Known Member
Nov 27, 2006
> Hi,
> Not to mention the site is using WordPress. My question is, how can I check when and how this file was uploaded?
>
> And what can I do to prevent these things?

You could try looking at the timestamp of the file, though it's conceivable that has been altered.

Most likely, the WP sites are running old versions of WP or plugins that are vulnerable to attack. Keeping them updated is probably the most effective way to prevent this, but that will likely be challenging. Mass updating of WordPress is pretty simple - there are a lot of scripts out there to do that. There aren't many for updating plugins, though. php-cli is one that looks promising, though I haven't played with it.

Other than that, compiling Apache with Suhosin will help some. Be sure you're not running mod_php, or have something in place (like mod_ruid2) to keep one site compromise from allowing an attacker to drop exploit code on all sites you host.

There's no 100% solution.
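A first-pass triage of the dropped file, as an added example that is not from the thread: it compares the file's mtime with its ctime (touch can rewrite mtime, but the kernel updates ctime on every inode change, so a ctime newer than mtime points to backdating) and then pulls the access-log lines that reference the path. The docroot, the file and the log lines are constructed placeholders, and the stat/touch flags assume GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the thread): triage of a PHP file dropped into a
# WordPress theme directory. All paths and log lines are constructed samples.

WORKDIR=$(mktemp -d)
DOCROOT="$WORKDIR/public_html"                      # placeholder docroot
mkdir -p "$DOCROOT/wp-content/themes/twentyten"
SUSPECT="$DOCROOT/wp-content/themes/twentyten/x.php"
printf '<?php /* placeholder for the dropped file */ ?>\n' > "$SUSPECT"
touch -d '2011-01-01 00:00:00' "$SUSPECT"           # simulate a backdated mtime

LOG="$WORKDIR/access_log"                           # constructed combined-format log
cat > "$LOG" <<'EOF'
203.0.113.5 - - [14/May/2012:03:11:52 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [14/May/2012:03:12:07 +0000] "GET /wp-content/themes/twentyten/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [14/May/2012:03:15:41 +0000] "GET /index.php HTTP/1.1" 200 9112 "-" "Mozilla/5.0"
EOF

# Human-readable mtime and ctime (GNU stat; BSD/macOS stat uses -f instead).
file_times() {
    stat -c 'mtime=%y  ctime=%z' "$1"
}

# Exit status 0 when ctime is newer than mtime, i.e. the mtime was likely reset.
mtime_backdated() {
    [ "$(stat -c %Z "$1")" -gt "$(stat -c %Y "$1")" ]
}

# Every access-log line that contains the given string (URI path or client IP).
log_hits() {
    grep -F -- "$2" "$1"
}

# Timestamp of the first request to the path: the upload happened no later
# than this, so the same client's requests just before it are where to look.
first_hit_time() {
    grep -F -- "$2" "$1" | head -n 1 | sed 's/^[^[]*\[\([^]]*\)\].*/\1/'
}

file_times "$SUSPECT"
if mtime_backdated "$SUSPECT"; then
    echo "mtime is older than ctime: timestamp was likely backdated"
fi
echo "first seen in log: $(first_hit_time "$LOG" /wp-content/themes/twentyten/x.php)"
log_hits "$LOG" 203.0.113.5                         # all requests from that client
```

On a real server the ctime check only helps if the file has not since been touched by a scanner or a restore; run it before maldet or a backup job rewrites anything.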
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
With WordPress, it's usually an old version actually. They don't need to steal passwords when WordPress has easily exploitable old versions that haven't been updated. Scanning frequently for out-of-date WordPress installs and informing the customer they need to update is the best course of action. If they don't update and get hacked, charging them to restore from a backup would work out well, since they were already informed and now you have to do the work they didn't do.