The Community Forums


lfd suspicious process, then Wordpress is hacked and spam...

Discussion in 'Security' started by drhoo, Sep 8, 2015.

  1. drhoo

    drhoo Member

    Joined:
    Sep 8, 2015
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    London
    cPanel Access Level:
    Root Administrator
    Hi,

    I have one particular website on my server that is constantly exploited even with the following measures in place:

    - No anonymous FTP is allowed
    - cPanel password is changed often
    - Wordpress and its plugins are latest and with no known vulnerability related to the plugins
    - suPHP is in place

    Below is an example of the lfd message from the CSF firewall, which then led to script uploads and then spam.

    Can anyone knowledgeable enough tell me how the hackers can do this and what I can do?

    Thank you.

    ---- LFD message -----
    Executable:

    /home/userdir/public_html/delta/wp-content/uploads/crond (deleted)

    The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.

    Command Line (often faked in exploits):
    ././crond

    Network connections by the process (if any):

    tcp: SERVER_IP:60653 -> :80
    tcp: SERVER_IP:36883 -> :80
    tcp: SERVER_IP:44804 -> :80
    tcp: SERVER_IP:39482 -> :80
    tcp: SERVER_IP:49317 -> :80
    tcp: SERVER_IP:51157 -> :80
    tcp: SERVER_IP:37451 -> :80
    tcp: SERVER_IP:33913 -> :80
    tcp: SERVER_IP:56475 -> :80
     
    #1 drhoo, Sep 8, 2015
    Last edited by a moderator: Sep 8, 2015
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  3. drhoo

    drhoo Member

    Joined:
    Sep 8, 2015
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    London
    cPanel Access Level:
    Root Administrator
    Hello Michael,

    I'd read that thread before posting mine. I was hoping that someone might be able to point me in the right direction using possible scenarios.

    Thanks
     
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Possible scenarios I can think of:

    - wp-admin password was weak/compromised.
    - A plugin was hacked during a vulnerable period of time prior to an update, and malware was left behind even though things are up to date now.

    If you have not already, take a look for any recently created files, especially PHP files, inside of the account. Also run clamscan / maldet on that user's public_html directory. Check to see if the user happens to have a crontab as well (crontab -l -u USER).

    Have a good look around /home/userdir/public_html/delta/wp-content/uploads/ as well.
     
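    The checks quizknows lists above, written up as a small POSIX shell triage script. This is an added example, not code from the thread or from cPanel/CSF; the script name wp_triage.sh, the function names and the sample site it builds under a temporary directory are all constructed for the demonstration, and it assumes a standard WordPress layout under the document root you pass in. It reports recently modified PHP files, anything under wp-content/uploads that is a PHP file, has the execute bit, or carries the ELF magic (the pattern behind the deleted "crond" in the lfd report), and, on a live Linux server, processes whose executable has been unlinked and the account's crontab.

```shell
#!/bin/sh
# wp_triage.sh (constructed example): run the post-compromise checks from the
# thread against a WordPress document root.  Not part of the original thread.

# find_recent_php DOCROOT DAYS
#   PHP files modified within the last DAYS days.  On a site that "has not
#   changed", these are the first files to read.
find_recent_php() {
  find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# is_elf FILE: true when FILE starts with the ELF magic bytes 7f 45 4c 46.
#   A native binary under uploads/ is how the reported "crond" got there.
is_elf() {
  [ "$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# find_uploads_suspects DOCROOT
#   wp-content/uploads should hold media only, so any PHP file, any file with
#   the execute bit, or any ELF binary there deserves a look.
find_uploads_suspects() {
  find "$1" -path '*/wp-content/uploads/*' -type f | sort | while IFS= read -r f; do
    case "$f" in *.php) echo "$f"; continue ;; esac
    if [ -x "$f" ] || is_elf "$f"; then echo "$f"; fi
  done
}

# Linux-only checks for a live server (need root); not exercised by the demo.
# running_deleted_executables: processes whose binary was unlinked after exec,
#   which is exactly the condition lfd's PT_DELETED check reports.
running_deleted_executables() {
  ls -l /proc/[0-9]*/exe 2>/dev/null | grep ' (deleted)'
}
# user_crontab USER: persistence is often parked in the account's crontab.
user_crontab() { crontab -l -u "$1" 2>/dev/null; }

# build_sample_site: constructed fixture mirroring the layout in the thread.
#   Prints the temporary root it created.
build_sample_site() {
  root=$(mktemp -d)
  up="$root/public_html/delta/wp-content/uploads/2015/09"
  mkdir -p "$up" "$root/public_html/delta/wp-includes"
  echo '<?php /* constructed: an old core file */' > "$root/public_html/delta/wp-includes/old.php"
  touch -t 201501010000 "$root/public_html/delta/wp-includes/old.php"   # backdated
  printf '\177ELF\002\001\001' > "$up/crond"                           # fake ELF, like the report
  echo '<?php /* constructed: PHP where only media belongs */' > "$up/shell.php"
  echo 'JFIF' > "$up/photo.jpg"                                         # legitimate-looking upload
  echo "$root"
}

# Usage on a real server, as root:  sh wp_triage.sh /home/userdir/public_html/delta 7
if [ -n "$1" ]; then
  echo "== PHP files changed in the last ${2:-7} days"; find_recent_php "$1" "${2:-7}"
  echo "== Suspect files under wp-content/uploads";     find_uploads_suspects "$1"
  echo "== Processes running deleted executables";      running_deleted_executables
fi
```

    Run it against the account's document root rather than the whole of /home so the recent-file list stays readable, and treat a hit under uploads/ as a reason to pull that account's access and cron logs for the same window, not as proof on its own.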
  5. drhoo

    drhoo Member

    Joined:
    Sep 8, 2015
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    London
    cPanel Access Level:
    Root Administrator
    Thanks Quizknows.
     