The Community Forums

Site keeps on getting hacked - infected files

Discussion in 'Security' started by JarekN, Mar 15, 2018.

  1. JarekN

    JarekN Registered

    cPanel Access Level:
    Root Administrator
    So a couple of days ago I upgraded to PHP 7.2, and ever since, my main account/site keeps getting infected. It is running the latest version of WordPress with all recent updates and the Wordfence plugin.

    I am noticing a new encoded PHP file, as well as some existing files being modified to include additional encoded code. I find out about it because most of the time the uploaded files start to send junk email, so I get notifications. That specific WordPress site is set to run using PHP 7.2, suPHP, PHP-FPM. CentOS 6.9 kvm v68.0.30

    Script Alert Email
    Time: Thu Mar 15 02:34:54 2018 -0400
    Path: '/home/USER/public_html/.tmb'
    Count: 201 emails sent

    Sample of the first 10 emails:

    2018-03-15 02:27:23 cwd=/home/USER/public_html/.tmb 4 args: /usr/sbin/sendmail -t -i -fcrista.d@mydomain.com
    2018-03-15 02:27:23 cwd=/home/USER/public_html/.tmb 4 args: /usr/sbin/sendmail -t -i -fcrista.d@mydomain.com
    2018-03-15 02:27:23 cwd=/home/USER/public_html/.tmb 4 args: /usr/sbin/sendmail -t -i -fcrista.d@mydomain.com
    2018-03-15 02:27:23 cwd=/home/USER/public_html/.tmb 4 args: /usr/sbin/sendmail -t -i -fmelita.i@mydomain.com

    Prior to that I got a LOCALRELAY alert:

    Type: LOCALRELAY, Local Account - USER
    Count: 101 emails relayed
    Blocked: No

    Sample of the first 10 emails:

    2018-03-15 02:27:23 1ewMMF-0007DE-N3 <= crista.d@mydomain.com U=myuser P=local S=1682 id=b6514e3a646ebf841b6ef43417b81f24@mydomain.com T="C\363mprate el agrandador de miembro urgentemente" for test@hotmail.es
    2018-03-15 02:27:23 1ewMMF-0007DK-Qe <= melita.i@mydomain.com U=myuser P=local S=1674 id=48a2b0413a77caf71758c091857b1796@mydomain.com T="C\363mprate el agrandador de miembro urgentemente" for test@yahoo.es
    When I looked into that folder I found one encoded php file.

    Another file prior to that was:
    Time: Tue Mar 13 04:39:52 2018 -0400
    Path: '/home/MyUser/public_html/wp-content/plugins/recent-tweets-widget/assets'
    Count: 201 emails sent

    Sample of the first 10 emails:

    2018-03-13 04:31:30 cwd=/home/myuser/public_html/wp-content/plugins/recent-tweets-widget/assets 4 args: /usr/sbin/sendmail -t -i -fcatherine.w@mydomain.com

    This all started after an update. Any ideas what it could be, and how can I figure out how the files are being created?
     
  3. sparek-3

    sparek-3 Well-Known Member

    cPanel Access Level:
    Root Administrator
    I doubt the PHP 7.2 update has anything to do with this.

    You need to find out how these malicious files are getting onto the account.

    Are you actually investigating these files or are you just removing them?

    You may also want to look at all of the WordPress users that exist on this account. What are their access levels? How strong are their passwords? Are the passwords being changed?

    Lately we've seen a lot of WordPress sites hacked because the WordPress administrator chose to use extremely weak passwords. Or other WordPress admin users got created.

    You really just have to trace back how the files got there. You may need to hire a server administrator to do this for you.
     
    cPanelMichael likes this.
  4. JarekN

    JarekN Registered

    cPanel Access Level:
    Root Administrator
    Only one WP user; password changed recently and very complex.
    No new FTP users; password also complex.

    Two more files found a few hours after the last cleanup:
    • Filename: cause.php
    • File Type: Not a core, theme, or plugin file from wordpress.org.
    • Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: [removed]. The infection type is: A backdoor known as cSR.
    Link to file [removed]

    Second file is:

    • Filename: wp-content/cache/minify/df983.js
    • File Type: Not a core, theme, or plugin file from wordpress.org.
    • Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: [removed]
     
  5. sparek-3

    sparek-3 Well-Known Member

    cPanel Access Level:
    Root Administrator
    OK, you need to investigate how those files came to be on the account.

    Review the timestamps of the file.

    Review the logs on the account.

    I don't have access to all of this, so I can't tell you what specifically to do or how to further investigate this. But you need to further investigate this. There is a security hole somewhere (probably... perhaps the "legitimate" user is uploading these files themselves; I wouldn't advise accusing someone of that without evidence, but it's a possibility).

    You may need to bring in an experienced server administrator to help you with all of this.
     
    JarekN likes this.
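The two steps sparek-3 gives (review file timestamps, review the account's logs) can be tied directly to the Script Alert lines quoted earlier in the thread. The following is an added example, not code from the thread or from cPanel: it parses alert sample lines in the format shown above to find when each directory first sent mail, then pulls the POST/PUT requests from a constructed Apache access log that landed in the window just before that first send. The docroot marker, the 30-minute window and all log content are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
# Constructed sample of the "Script Alert" lines quoted in the thread (same format as on the page).
ALERT_LINES = """\
2018-03-15 02:27:23 cwd=/home/USER/public_html/.tmb 4 args: /usr/sbin/sendmail -t -i -fcrista.d@mydomain.com
2018-03-15 02:27:23 cwd=/home/USER/public_html/.tmb 4 args: /usr/sbin/sendmail -t -i -fmelita.i@mydomain.com
2018-03-13 04:31:30 cwd=/home/USER/public_html/wp-content/plugins/recent-tweets-widget/assets 4 args: /usr/sbin/sendmail -t -i -fcatherine.w@mydomain.com
"""
# Constructed Apache combined-format access log for the same account (documentation IP ranges, made-up paths).
ACCESS_LOG = """\
203.0.113.5 - - [15/Mar/2018:01:10:00 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Mar/2018:02:20:11 -0400] "POST /wp-content/cache/minify/df983.js HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Mar/2018:02:25:40 -0400] "POST /.tmb/x.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Mar/2018:02:26:02 -0400] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""
DOCROOT_MARKER = "public_html"  # assumption: the account's web root is ~/public_html
ALERT_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) cwd=(\S+) ")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]\s]+)[^\]]*\] "(\w+) (\S+) [^"]*" (\d{3})')

def first_send_per_dir(alert_text):
    """Map each sending directory (the cwd field) to the earliest send time in the alert sample."""
    first = {}
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        cwd = m.group(2)
        if cwd not in first or ts < first[cwd]:
            first[cwd] = ts
    return first

def requests_before_sends(access_log, first_sends, window_minutes=30):
    """POST/PUT requests in the window before a flagged directory first sent mail.
    Both logs are server-local time, so the access-log offset is dropped.
    Each hit is (timestamp, ip, method, path, cwd, request_targets_flagged_dir)."""
    hits = []
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts_raw, method, path, status = m.groups()
        if method not in ("POST", "PUT"):
            continue
        ts = datetime.strptime(ts_raw, "%d/%b/%Y:%H:%M:%S")
        for cwd, first in first_sends.items():
            if first - timedelta(minutes=window_minutes) <= ts <= first:
                web_dir = cwd.split(DOCROOT_MARKER, 1)[-1] or "/"
                hits.append((ts, ip, method, path, cwd, path.startswith(web_dir + "/")))
    return hits
```

Hits whose last field is True are requests to files inside the directory that later sent mail; the others are writes elsewhere in the same window and are the next thing to inspect, together with the mtime of the files Wordfence flagged.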
  6. JarekN

    JarekN Registered

    cPanel Access Level:
    Root Administrator
    I am the only one with access to the account, so I am sure it's not user uploaded but created in some other way :(
     
  7. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello,

    We provide a list of companies offering system administration services, should you require the assistance of a system administrator to help determine the source of the attack:

    System Administration Services | cPanel Forums

    Thank you.