Site keeps on getting hacked - infected files

JarekN

Registered
Jan 25, 2015
cPanel Access Level
Root Administrator
So a couple of days ago I upgraded to PHP 7.2, and ever since my main account/site keeps on getting infected. It is running the latest version of WordPress with all recent updates and the WordFence plugin.

I am noticing a new encoded PHP file, as well as some existing files being modified to include additional encoded code. I find out about it because most of the time the uploaded files start to send junk email, so I get notifications. That specific WordPress site is set to run using PHP 7.2, suphp, PHP-FPM. CENTOS 6.9 kvm v68.0.30

Script Alert Email
Time: Thu Mar 15 02:34:54 2018 -0400
Path: '/home/USER/public_html/.tmb'
Count: 201 emails sent

Sample of the first 10 emails:

2018-03-15 02:27:23 cwd=/home/USER/public_html/.tmb 4 args: /usr/sbin/sendmail -t -i [email protected]
2018-03-15 02:27:23 cwd=/home/USER/public_html/.tmb 4 args: /usr/sbin/sendmail -t -i [email protected]
2018-03-15 02:27:23 cwd=/home/USER/public_html/.tmb 4 args: /usr/sbin/sendmail -t -i [email protected]
2018-03-15 02:27:23 cwd=/home/USER/public_html/.tmb 4 args: /usr/sbin/sendmail -t -i [email protected]

Prior to that I got a LOCALRELAY alert:


Type: LOCALRELAY, Local Account - USER
Count: 101 emails relayed
Blocked: No

Sample of the first 10 emails:

2018-03-15 02:27:23 1ewMMF-0007DE-N3 <= [email protected] U=myuser P=local S=1682 [email protected] T="C\363mprate el agrandador de miembro urgentemente" for [email protected]
2018-03-15 02:27:23 1ewMMF-0007DK-Qe <= [email protected] U=myuser P=local S=1674 [email protected] T="C\363mprate el agrandador de miembro urgentemente" for [email protected]


When I looked into that folder I found one encoded php file.

Another file prior to that was:


Time: Tue Mar 13 04:39:52 2018 -0400
Path: '/home/MyUser/public_html/wp-content/plugins/recent-tweets-widget/assets'
Count: 201 emails sent

Sample of the first 10 emails:

2018-03-13 04:31:30 cwd=/home/myuser/public_html/wp-content/plugins/recent-tweets-widget/assets 4 args: /usr/sbin/sendmail -t -i [email protected]

This all started after an update. Any ideas what it could be, and how can I figure out how the files are being created?
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
I doubt the PHP 7.2 update has anything to do with this.

You need to find out how these malicious files are getting onto the account.

Are you actually investigating these files or are you just removing them?

You may also want to look at all of the WordPress users that exist on this account. What are their access levels? How strong are their passwords? Are the passwords being changed?

Lately we've seen a lot of WordPress sites hacked because the WordPress administrator chose to use extremely weak passwords. Or other WordPress admin users got created.

You really just have to trace back how the files got there. You may need to hire a server administrator to do this for you.
 

JarekN

Registered
Jan 25, 2015
cPanel Access Level
Root Administrator
Only one WP user; the password was changed recently and is very complex.
No new FTP users; that password is also complex.

Two more files found a few hours after the last cleanup:
  • Filename: cause.php
  • File Type: Not a core, theme, or plugin file from wordpress.org.
  • Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: [removed]. The infection type is: A backdoor known as cSR.
Link to file [removed]

Second file is:

  • Filename: wp-content/cache/minify/df983.js
  • File Type: Not a core, theme, or plugin file from wordpress.org.
  • Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: [removed]
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
OK, you need to investigate how those files came to be on the account.

Review the timestamps of the file.

Review the logs on the account.

I don't have access to all of this, so I can't tell you what specifically to do or how to further investigate this. But you need to further investigate this. There is a security hole somewhere (probably... perhaps the "legitimate" user is uploading these files themselves; I wouldn't advise accusing someone of that without evidence, but it's a possibility).

You may need to bring in an experienced server administrator to help you with all of this.
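As an added illustration of the "review the timestamps of the file, review the logs on the account" step sparek-3 describes (this is example code, not from the thread or from cPanel), the script below correlates an infected file's modification time with the account's Apache access log and reports which client made write-capable requests, or requests to the infected file itself, in the minutes before the file appeared. The access-log lines, the client IPs and the mtime are constructed for the example; only the `/.tmb/cause.php` path comes from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/cPanel "combined" access-log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample (not taken from the thread); the timeline mirrors the 15 Mar 2018 incident.
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [15/Mar/2018:02:20:58 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.18"
203.0.113.9 - - [15/Mar/2018:02:21:05 -0400] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 14 "-" "python-requests/2.18"
203.0.113.9 - - [15/Mar/2018:02:21:09 -0400] "POST /.tmb/cause.php HTTP/1.1" 200 0 "-" "python-requests/2.18"
192.0.2.44 - - [15/Mar/2018:02:26:15 -0400] "GET /?p=12 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Mar/2018:02:27:20 -0400] "POST /.tmb/cause.php HTTP/1.1" 200 0 "-" "python-requests/2.18"
"""

def parse_ts(s):
    """Parse an access-log timestamp such as '15/Mar/2018:02:21:06 -0400'."""
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")

# Constructed mtime of the infected file; on a real server it comes from `stat` on the file.
SAMPLE_MTIME = parse_ts("15/Mar/2018:02:21:06 -0400")

def parse_line(line):
    """Parse one combined-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"],
            "status": int(m["status"]), "ts": parse_ts(m["ts"])}

def requests_near(log_text, mtime, before=timedelta(minutes=10), after=timedelta(minutes=1)):
    """All requests timestamped within [mtime - before, mtime + after], oldest first."""
    hits = [r for r in map(parse_line, log_text.splitlines())
            if r and mtime - before <= r["ts"] <= mtime + after]
    return sorted(hits, key=lambda r: r["ts"])

def suspects(log_text, mtime, infected_path, **window):
    """Group by client IP the POST/PUT requests near the mtime plus any hit on the infected file."""
    by_ip = defaultdict(list)
    for r in requests_near(log_text, mtime, **window):
        if r["method"] in ("POST", "PUT") or r["path"].split("?")[0] == infected_path:
            by_ip[r["ip"]].append(r)
    return dict(by_ip)

if __name__ == "__main__":
    for ip, reqs in suspects(SAMPLE_ACCESS_LOG, SAMPLE_MTIME, "/.tmb/cause.php").items():
        print(ip, [(r["ts"].time().isoformat(), r["method"], r["path"]) for r in reqs])
```

Widen the `after` window when the file's mtime is older than its creation (an edited backdoor keeps being hit long after it was dropped), and run the same correlation against the FTP and cPanel logs, since the web server is only one of the ways files reach `public_html`.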