lfd suspicious process, then Wordpress is hacked and spam...

drhoo

Member
Sep 8, 2015
London
cPanel Access Level
Root Administrator
Hi,

I have one particular website on my server that is constantly exploited even with the following measures in place:

- No anonymous FTP is allowed
- cPanel password is changed often
- WordPress and its plugins are latest and with no known vulnerability related to the plugins
- suPHP is in place

Below is an example of the lfd message from the CSF firewall, which then led to script uploads and then spam.

Can anyone knowledgeable enough tell me how the hackers can do this and what I can do?

Thank you.

---- LFD message -----
Executable:

/home/userdir/public_html/delta/wp-content/uploads/crond (deleted)

The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this executable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.

Command Line (often faked in exploits):
././crond

Network connections by the process (if any):

tcp: SERVER_IP:60653 -> :80
tcp: SERVER_IP:36883 -> :80
tcp: SERVER_IP:44804 -> :80
tcp: SERVER_IP:39482 -> :80
tcp: SERVER_IP:49317 -> :80
tcp: SERVER_IP:51157 -> :80
tcp: SERVER_IP:37451 -> :80
tcp: SERVER_IP:33913 -> :80
tcp: SERVER_IP:56475 -> :80
 

drhoo

Hello Michael,

I'd read that thread before posting mine. I was hoping that someone might be able to point me in the right direction using possible scenarios.

Thanks
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Possible scenarios I can think of:

- wp-admin password was weak/compromised.
- a plugin was hacked during a vulnerable period of time prior to an update, and malware was left behind even though things are up to date now.

If you have not already, take a look for any recently created files, especially php files, inside of the account. Also run clamscan / maldet on that users public_html directory. Check to see if the user happens to have a crontab as well (crontab -l -u USER)

Have a good look around /home/userdir/public_html/delta/wp-content/uploads/ as well.