most of the websites defaced

Nishant80 (Well-Known Member, May 7, 2012; cPanel Access Level: Root Administrator)
Hello,
I noticed that most of the websites using WordPress or Joomla are being hacked one by one on one of my servers. I am not entirely sure what could be the reason. Could someone please guide me on what needs to be checked / done here?
 

quizknows (Well-Known Member, Oct 20, 2009; cPanel Access Level: DataCenter Provider)
I can pretty much guarantee it was done with symlink hacks. Script kiddies now have auto-deface scripts that will mass-deface all WP and Joomla sites on a cPanel server unless a patch like this one is installed:

See http://forums.cpanel.net/f185/imple...optional-symlink-protection-patch-328431.html

You should install that patch, then restore all infected accounts to a date before the first one was found hacked.
 

sahostking (Well-Known Member, May 15, 2012; Cape Town, South Africa; cPanel Access Level: Root Administrator)
Yes. If you don't use CloudLinux, then enable symlink protection in the new Apache version in EasyApache in cPanel. It may help.
Also, as gopkris2005 stated, ensure mod_security is installed and working, and ensure permissions are correct. Also run /scripts/securetmp on the server.
 

storminternet (Well-Known Member, Nov 2, 2011; cPanel Access Level: Root Administrator)
You should think about how to secure the WordPress applications running on the server. On a shared server there must be several third-party applications running. You cannot tweak the server for each application. It's better to follow the guidelines from their official websites to prevent the hacks.

As far as PHP security is concerned:

1) Enable suPHP
2) Install Suhosin
3) Disable malicious PHP functions
4) Install the CSF firewall
5) Install mod_security
 

brianoz (Well-Known Member, Mar 13, 2004; Melbourne, Australia; cPanel Access Level: Root Administrator)
I'd also say that the symlink hacks were probably used to deface your server, as a symptom of that attack is widespread hacking. You are going to need to do two things:

1. Mitigate against the attack - read up on it at various places; www.whmscripts.net is one and there are others
- you probably want to change permissions on your PHP files (test on one user first) as well as installing one or more of the patches.

2. Go through and change the database passwords of every user on the system, as well as the email passwords. The entire system has been compromised and most of these passwords will probably have been stolen and are being kept for later use somewhere. Sorry, but if you don't do this the hacks will continue even after you harden the server.

This has been discussed for nearly a year now and it's disappointing to find so many hosts that still don't know about it. If you're upset at cPanel that they haven't done anything to protect you from it, you might want to mention it to them.
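Both sahostking ("ensure permissions are correct") and brianoz ("change permissions on your PHP files") point at the same thing: under mod_php, PHP runs as Apache's user, so wp-config.php has to be readable by that user, which in practice means world-readable, and that is exactly what the symlink trick reads. With suPHP (storminternet's item 1) PHP runs as the account owner, and the config file can be mode 0600. The following is an added example, not from the thread, that lists WordPress and Joomla configuration files that are group- or world-readable and, on request, tightens them to 0600. It assumes the /home/<user>/public_html layout; the `restrict` action should only be used on a server where PHP runs as the account user, since under mod_php it would break every site it touches.

```shell
#!/bin/sh
# Added example (not from the thread): audit, and optionally restrict, the
# permissions of WordPress (wp-config.php) and Joomla (configuration.php)
# config files under each account's web root.
# Assumes the cPanel layout <HOMEROOT>/<user>/public_html.
#
# Usage: sh config_perms.sh audit /home      # report readable-by-others files
#        sh config_perms.sh restrict /home   # chmod 600 them (suPHP/FPM only!)

# Print the config files under one web root, one path per line.
list_config_files() {
    find "$1" -type f \( -name wp-config.php -o -name configuration.php \) -print 2>/dev/null
}

# Report config files whose group or other bits grant read access.
# Output, one line per finding:  <account> <mode string> <path>
audit_config_perms() {
    homeroot="${1:-/home}"
    for home in "$homeroot"/*/; do
        home="${home%/}"
        [ -d "$home/public_html" ] || continue
        list_config_files "$home/public_html" |
        while IFS= read -r f; do
            # ls -l mode field: type, then user rwx (2-4), group rwx (5-7), other rwx (8-10).
            mode="$(ls -ld "$f" | cut -c1-10)"
            case "$mode" in
                ????r*|???????r*) printf '%s %s %s\n' "${home##*/}" "$mode" "$f" ;;
            esac
        done
    done
    return 0
}

# Make every config file owner-read/write only. Safe only where PHP runs as
# the account owner (suPHP, CGI, FPM pools per user), not under mod_php.
restrict_config_perms() {
    homeroot="${1:-/home}"
    for home in "$homeroot"/*/; do
        home="${home%/}"
        [ -d "$home/public_html" ] || continue
        list_config_files "$home/public_html" |
        while IFS= read -r f; do
            chmod 600 "$f"
        done
    done
    return 0
}

case "${1:-}" in
    audit)    audit_config_perms "${2:-/home}" ;;
    restrict) restrict_config_perms "${2:-/home}" ;;
esac
```

Run the audit first and check the mode column: `-rw-r--r--` is the usual state on a mod_php server and is what makes the cross-account symlink read work. Tightening permissions closes the read path for this particular trick, but as brianoz says, credentials that were already readable should be treated as stolen and rotated regardless.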