Site keeps on getting hacked - infected files

JarekN

Registered
Jan 25, 2015
4
0
51
cPanel Access Level
Root Administrator
So couple of days ago I have upgraded to PHP 7.2 and ever since my main account/site keeps on getting infected. It is running latest version of WordPress with all recent updates and WordFence plugin.

I am noticing new encoded php file, as well as some of existing files being modified to include additional encoded code. I am finding out about it as most of time the files uploaded start to send email junk so I get notifications. That specific WordPress site is set to run using php 7.2, suphp, PHP-FPM. CENTOS 6.9 kvm v68.0.30

Scrip Alert Email
Time: Thu Mar 15 02:34:54 2018 -0400
Path: '/home/USER/public_html/.tmb'
Count: 201 emails sent

Sample of the first 10 emails:

2018-03-15 02:27:23 cwd=/home/USER/public_html/.tmb 4 args: /usr/sbin/sendmail -t -i [email protected]
2018-03-15 02:27:23 cwd=/home/USER/public_html/.tmb 4 args: /usr/sbin/sendmail -t -i [email protected]
2018-03-15 02:27:23 cwd=/home/USER/public_html/.tmb 4 args: /usr/sbin/sendmail -t -i [email protected]
2018-03-15 02:27:23 cwd=/home/USER/public_html/.tmb 4 args: /usr/sbin/sendmail -t -i [email protected]

Prior to that I got LOCALRELAY Alert


Type: LOCALRELAY, Local Account - USER
Count: 101 emails relayed
Blocked: No

Sample of the first 10 emails:

2018-03-15 02:27:23 1ewMMF-0007DE-N3 <= [email protected] U=myuser P=local S=1682 [email protected] T="C\363mprate el agrandador de miembro urgentemente" for [email protected]
2018-03-15 02:27:23 1ewMMF-0007DK-Qe <= [email protected] U=myuser P=local S=1674 [email protected] T="C\363mprate el agrandador de miembro urgentemente" for [email protected]


When I looked into that folder I found one encoded php file.

Another file prior to that was:


Time: Tue Mar 13 04:39:52 2018 -0400
Path: '/home/MyUser/public_html/wp-content/plugins/recent-tweets-widget/assets'
Count: 201 emails sent

Sample of the first 10 emails:

2018-03-13 04:31:30 cwd=/home/myuser/public_html/wp-content/plugins/recent-tweets-widget/assets 4 args: /usr/sbin/sendmail -t -i [email protected]

This all started after an update, any ideas what it could be and how can I figure out how the files are created?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,227
463

sparek-3

Well-Known Member
Aug 10, 2002
2,021
226
368
cPanel Access Level
Root Administrator
I doubt the PHP 7.2 update has anything to do with this.

You need to find out how these malicious files are getting onto the account.

Are you actually investigating these files or are you just removing them?

You may also want to look at all of the WordPress users that exist on this account. What are their access levels? How strong are their passwords? Are the passwords being changed?

Lately we've seen a lot of WordPress sites hacked because the WordPress administrator chose to use extremely weak passwords. Or other WordPress admin users got created.

You really just have to trace back how the files got there. You may need to hire a server administrator to do this for you.
 
  • Like
Reactions: cPanelMichael

JarekN

Registered
Jan 25, 2015
4
0
51
cPanel Access Level
Root Administrator
Only one WP user - password changed recently and very complex.
No new FTP users, password also complex

Two more files found few hours after last cleanup:
  • Filename: cause.php
  • File Type: Not a core, theme, or plugin file from wordpress.org.
  • Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: [removed]
    . The infection type is: A backdoor known as cSR.
Link to file [removed]

Second file is:

  • Filename: wp-content/cache/minify/df983.js
  • File Type: Not a core, theme, or plugin file from wordpress.org.
  • Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: [removed]
 

sparek-3

Well-Known Member
Aug 10, 2002
2,021
226
368
cPanel Access Level
Root Administrator
OK, you need to investigate how those files came to be on the account.

Review the timestamps of the file.

Review the logs on the account.

I don't have access to all of this, I can't tell you what specifically to do or how to further investigate this. But you need to further investigate this. There is a security hole some where (probably... perhaps the "legitimate" user is uploading these files themselves, I wouldn't advise accusing someone of that without evidence, but it's a possibility).

You may need to bring in an experience server administrator to help you with all of this.
 
  • Like
Reactions: JarekN