
WordPress compromised Issue

Discussion in 'E-mail Discussion' started by Mohammad Abu Musa, Oct 23, 2015.

  1. Mohammad Abu Musa (Registered, cPanel Access Level: Root Administrator)
    Hello,

    I have a hacked WordPress site, where the attacker managed to exploit the mailing system using PHP code. I cleaned the code, but it seems the website is not responding as it used to (http://example.com/website).

    I went through the logs and it seems the PHP process is being killed; I cannot figure out the issue.

    Code:
    Oct 23 07:07:41 srvrnme lfd[46958]: *Suspicious Process* PID:46217 PPID:29512 User:usernme Uptime:75 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
    Oct 23 07:07:41 srvrnme lfd[46958]: *User Processing* PID:46920 Kill:0 User:usernme VM:245(MB) EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/wp-admin/admin-ajax.php
    Oct 23 07:07:41 srvrnme lfd[46958]: *User Processing* PID:46905 Kill:0 User:usernme VM:261(MB) EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/wp-admin/admin-ajax.php
    Oct 23 07:08:41 srvrnme lfd[47294]: *Suspicious Process* PID:46605 PPID:41522 User:usernme Uptime:114 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
    Oct 23 07:08:41 srvrnme lfd[47294]: *Suspicious Process* PID:46855 PPID:35891 User:usernme Uptime:75 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
    Oct 23 07:09:41 srvrnme lfd[47837]: *Suspicious Process* PID:47213 PPID:29156 User:usernme Uptime:75 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
    Oct 23 07:09:41 srvrnme lfd[47837]: *User Processing* PID:47657 Kill:0 User:usernme VM:273(MB) EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/wp-admin/admin.php
    Oct 23 07:10:41 srvrnme lfd[48098]: *Suspicious Process* PID:47758 PPID:44027 User:usernme Uptime:75 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
    Oct 23 07:10:42 srvrnme lfd[48098]: *User Processing* PID:48004 Kill:0 User:usernme VM:277(MB) EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/wp-admin/admin-ajax.php
    Oct 23 07:11:42 srvrnme lfd[48550]: *Suspicious Process* PID:48055 PPID:47692 User:usernme Uptime:75 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
    Oct 23 07:11:42 srvrnme lfd[48546]: *Email Queue* The exim delivery queue size is 85987
    Oct 23 07:12:42 srvrnme lfd[48834]: *Suspicious Process* PID:48498 PPID:46614 User:usernme Uptime:76 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
    Oct 23 07:13:42 srvrnme lfd[49101]: *Suspicious Process* PID:48785 PPID:43139 User:usernme Uptime:76 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
    Oct 23 07:13:57 srvrnme lfd[49334]: *Exceeded LOCALRELAY limit* from nfp (101 in the last hour)
    Oct 23 07:14:42 srvrnme lfd[49470]: *Suspicious Process* PID:48977 PPID:44027 User:usernme Uptime:76 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
    Oct 23 07:15:42 srvrnme lfd[49635]: *Suspicious Process* PID:49444 PPID:41522 User:usernme Uptime:76 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
    Oct 23 07:15:42 srvrnme lfd[49635]: *User Processing* PID:49628 Kill:0 User:usernme VM:245(MB) EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/wp-admin/admin-ajax.php
    Oct 23 07:16:42 srvrnme lfd[50157]: *Suspicious Process* PID:49596 PPID:29156 User:usernme Uptime:76 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
    Oct 23 07:16:43 srvrnme lfd[50155]: *Suspicious File* /tmp/index.php [usernme:usernme (508:506)] - Script, file extension 
    #1 Mohammad Abu Musa, Oct 23, 2015
    Last edited by a moderator: Oct 23, 2015
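Triage helper for the lfd output above, added here as an example (not the poster's code or part of lfd/csf). It parses the `*Kind*` lines into events, counts which PHP script each flagged process ran, and raises findings for the mail-queue, local-relay and `/tmp` script indicators; the sample lines are the thread's own log lines, and the `queue_limit` threshold is an assumed value.

```python
import re
from collections import Counter

# Sample input: lfd lines as quoted in the thread (hostname/username are the thread's placeholders).
SAMPLE_LOG = """\
Oct 23 07:07:41 srvrnme lfd[46958]: *Suspicious Process* PID:46217 PPID:29512 User:usernme Uptime:75 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
Oct 23 07:07:41 srvrnme lfd[46958]: *User Processing* PID:46920 Kill:0 User:usernme VM:245(MB) EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/wp-admin/admin-ajax.php
Oct 23 07:11:42 srvrnme lfd[48546]: *Email Queue* The exim delivery queue size is 85987
Oct 23 07:13:57 srvrnme lfd[49334]: *Exceeded LOCALRELAY limit* from nfp (101 in the last hour)
Oct 23 07:16:43 srvrnme lfd[50155]: *Suspicious File* /tmp/index.php [usernme:usernme (508:506)] - Script, file extension
"""

# "<timestamp> <host> lfd[<pid>]: *<Kind>* <rest>"
LFD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) lfd\[\d+\]: \*(?P<kind>[^*]+)\* (?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+):(\S+)")  # PID:46217 User:usernme VM:245(MB) ...


def parse_lfd_line(line):
    """Return a dict for one lfd line, or None if it is not in the expected format."""
    m = LFD_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    cmd = ev["rest"].find("CMD:")
    if cmd >= 0:  # process events: key:value pairs, then CMD runs to end of line
        ev.update(FIELD_RE.findall(ev["rest"][:cmd]))
        ev["CMD"] = ev["rest"][cmd + 4:].strip()
    return ev


def triage(log_text, queue_limit=1000):
    """Count flagged PHP scripts and collect spam-related findings (queue_limit is an assumed threshold)."""
    by_script, findings = Counter(), []
    for line in log_text.splitlines():
        ev = parse_lfd_line(line)
        if not ev:
            continue
        if ev["kind"] in ("Suspicious Process", "User Processing") and "CMD" in ev:
            by_script[ev["CMD"].split()[-1]] += 1  # last token of CMD is the script path
        elif ev["kind"] == "Email Queue":
            size = int(re.search(r"(\d+)$", ev["rest"]).group(1))
            if size > queue_limit:
                findings.append(f"exim queue {size} exceeds {queue_limit}: likely outbound spam")
        elif ev["kind"].startswith("Exceeded LOCALRELAY"):
            findings.append("local relay limit hit: a local script is injecting mail")
        elif ev["kind"] == "Suspicious File":
            findings.append(f"script dropped in world-writable dir: {ev['rest'].split()[0]}")
    return by_script, findings


if __name__ == "__main__":
    scripts, notes = triage(SAMPLE_LOG)
    print(scripts.most_common(), *notes, sep="\n")
```

The scripts that lfd keeps flagging (here `index.php` and `admin-ajax.php`) are the first places to diff against a clean WordPress release before deciding whether cleaning or a reinstall is needed.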
  2. 24x7server (Well-Known Member, cPanel Access Level: Root Administrator)
    Hello,

    You are not facing this issue due to LFD. I think your site is still infected with the malware and that is why it's not working. I suggest you scan your site with Sucuri Security and install the Wordfence Security plugin on your site to protect it from malware attacks.
  3. anton_latvia (Well-Known Member, PartnerNOC, cPanel Access Level: Root Administrator)
    Yes, I agree, PHP can't kill itself. Something is messing things up in the middle; there must be some more scripts, or some scripts might be missing. I would search for the "eval(" string (How to find hacker files - Norsk Webhotell og Domener) or try to run index.php from the shell.
  4. cPanelMichael (Forums Analyst, Staff Member, cPanel Access Level: Root Administrator)
    Hello :)

    You may want to consider reinstalling the application instead of cleaning the affected code to ensure it's not still exploited.

    Thank you.
  5. anton_latvia (Well-Known Member, PartnerNOC, cPanel Access Level: Root Administrator)
    Reinstalling is always best, but sometimes it's not possible to do quickly. Also, upgrades are not always straightforward. Therefore, as a temporary solution, I suggested cleaning the files. We also always set all subfolders of public_html to read-only mode, so vulnerable plugins can't do more harm, but the page is still up.