WordPress compromised Issue

Discussion in 'E-mail Discussions' started by Mohammad Abu Musa, Oct 23, 2015.

  1. Mohammad Abu Musa (Registered)

    Hello,

    I have a hacked WordPress site, where the attacker managed to exploit the mailing system using PHP code. I cleaned the code, but it seems the website is not responding as it used to (http://example.com/website).

    I went through the logs and it seems the PHP process is being killed; I cannot figure out the issue.

    Code:
    Oct 23 07:07:41 srvrnme lfd[46958]: *Suspicious Process* PID:46217 PPID:29512 User:usernme Uptime:75 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
    Oct 23 07:07:41 srvrnme lfd[46958]: *User Processing* PID:46920 Kill:0 User:usernme VM:245(MB) EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/wp-admin/admin-ajax.php
    Oct 23 07:07:41 srvrnme lfd[46958]: *User Processing* PID:46905 Kill:0 User:usernme VM:261(MB) EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/wp-admin/admin-ajax.php
    Oct 23 07:08:41 srvrnme lfd[47294]: *Suspicious Process* PID:46605 PPID:41522 User:usernme Uptime:114 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
    Oct 23 07:08:41 srvrnme lfd[47294]: *Suspicious Process* PID:46855 PPID:35891 User:usernme Uptime:75 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
    Oct 23 07:09:41 srvrnme lfd[47837]: *Suspicious Process* PID:47213 PPID:29156 User:usernme Uptime:75 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
    Oct 23 07:09:41 srvrnme lfd[47837]: *User Processing* PID:47657 Kill:0 User:usernme VM:273(MB) EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/wp-admin/admin.php
    Oct 23 07:10:41 srvrnme lfd[48098]: *Suspicious Process* PID:47758 PPID:44027 User:usernme Uptime:75 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
    Oct 23 07:10:42 srvrnme lfd[48098]: *User Processing* PID:48004 Kill:0 User:usernme VM:277(MB) EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/wp-admin/admin-ajax.php
    Oct 23 07:11:42 srvrnme lfd[48550]: *Suspicious Process* PID:48055 PPID:47692 User:usernme Uptime:75 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
    Oct 23 07:11:42 srvrnme lfd[48546]: *Email Queue* The exim delivery queue size is 85987
    Oct 23 07:12:42 srvrnme lfd[48834]: *Suspicious Process* PID:48498 PPID:46614 User:usernme Uptime:76 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
    Oct 23 07:13:42 srvrnme lfd[49101]: *Suspicious Process* PID:48785 PPID:43139 User:usernme Uptime:76 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
    Oct 23 07:13:57 srvrnme lfd[49334]: *Exceeded LOCALRELAY limit* from nfp (101 in the last hour)
    Oct 23 07:14:42 srvrnme lfd[49470]: *Suspicious Process* PID:48977 PPID:44027 User:usernme Uptime:76 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
    Oct 23 07:15:42 srvrnme lfd[49635]: *Suspicious Process* PID:49444 PPID:41522 User:usernme Uptime:76 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
    Oct 23 07:15:42 srvrnme lfd[49635]: *User Processing* PID:49628 Kill:0 User:usernme VM:245(MB) EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/wp-admin/admin-ajax.php
    Oct 23 07:16:42 srvrnme lfd[50157]: *Suspicious Process* PID:49596 PPID:29156 User:usernme Uptime:76 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/usernme/public_html/website/index.php
    Oct 23 07:16:43 srvrnme lfd[50155]: *Suspicious File* /tmp/index.php [usernme:usernme (508:506)] - Script, file extension 
    
     
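
The lfd alerts above, read as a triage problem. This is an added example, not code from the thread or from CSF/lfd itself: it parses constructed lines in the same format and summarises what a responder needs to know. Note the Kill:0 field in the *User Processing* lines: lfd reported those PHP processes but did not kill them.

```python
import re
from collections import Counter

# Every lfd alert shares this prefix; the alert kind sits between asterisks.
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ lfd\[\d+\]: "
                     r"\*(?P<kind>[^*]+)\* ?(?P<rest>.*)$")
CMD_RE = re.compile(r"CMD:(.+)$")
QUEUE_RE = re.compile(r"queue size is (\d+)")
RELAY_RE = re.compile(r"from (\S+) \((\d+) in the last hour\)")

# Constructed sample lines mirroring the format quoted in the post.
SAMPLE_LOG = [
    "Oct 23 07:07:41 host1 lfd[46958]: *Suspicious Process* PID:46217 PPID:29512 User:acct Uptime:75 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/acct/public_html/website/index.php",
    "Oct 23 07:07:41 host1 lfd[46958]: *User Processing* PID:46920 Kill:0 User:acct VM:245(MB) EXE:/usr/bin/php CMD:/usr/bin/php /home/acct/public_html/website/wp-admin/admin-ajax.php",
    "Oct 23 07:08:41 host1 lfd[47294]: *Suspicious Process* PID:46605 PPID:41522 User:acct Uptime:114 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/acct/public_html/website/index.php",
    "Oct 23 07:11:42 host1 lfd[48546]: *Email Queue* The exim delivery queue size is 85987",
    "Oct 23 07:13:57 host1 lfd[49334]: *Exceeded LOCALRELAY limit* from acct (101 in the last hour)",
    "Oct 23 07:16:43 host1 lfd[50155]: *Suspicious File* /tmp/index.php [acct:acct (508:506)] - Script, file extension",
]

def triage(lines):
    """Count respawning scripts, actual kills, queue sizes, relay alerts, flagged files."""
    s = {"spawned": Counter(), "killed": 0, "queue": [], "relay": [], "files": []}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:  # not an lfd alert line, skip it
            continue
        kind, rest = m["kind"], m["rest"]
        if kind == "Suspicious Process":
            # key by script path rather than PID to see what keeps respawning
            s["spawned"][CMD_RE.search(rest).group(1).split()[-1]] += 1
        elif kind == "User Processing":
            s["killed"] += "Kill:1" in rest  # Kill:0 means reported, not killed
        elif kind == "Email Queue":
            s["queue"].append(int(QUEUE_RE.search(rest).group(1)))
        elif kind == "Exceeded LOCALRELAY limit":
            r = RELAY_RE.search(rest)
            s["relay"].append((r.group(1), int(r.group(2))))
        elif kind == "Suspicious File":
            s["files"].append(rest.split()[0])
    return s

def findings(s, queue_limit=1000):  # queue_limit is an assumed threshold
    out = []
    if s["spawned"] and s["killed"] == 0:
        out.append("lfd only reported the PHP processes (Kill:0); it killed none")
    if s["relay"] or any(q > queue_limit for q in s["queue"]):
        out.append("outbound mail abuse still active; site is not clean")
    out.extend("flagged file: " + f for f in s["files"])
    return out
```

Run `findings(triage(SAMPLE_LOG))` to get the three conclusions for the sample; feed it real lines from /var/log/lfd.log to triage an actual host.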
  2. 24x7server (Well-Known Member)

    Hello,

    You are not facing this issue due to LFD. I think your site is still infected with the malware, and that is why it's not working. I would suggest you scan your site with Sucuri Security and install the Wordfence Security plugin on your site to protect it from malware attacks.
     
  3. anton_latvia (Well-Known Member, PartnerNOC)

    Yes, I agree, PHP can't kill itself. Something is messing things up in the middle; there must be some more scripts, or some scripts might be missing. I would search for the "eval(" string (How to find hacker files - Norsk Webhotell og Domener) or try to run index.php from the shell.
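
An added example (not the poster's code or any cPanel/CSF tool) of the search anton_latvia describes: it scans a WordPress tree for "eval(" and the obfuscation calls that usually accompany it, and also flags PHP files changed recently, since an injected file can avoid every marker. build_sample_tree() writes a constructed fixture so it runs offline; the marker list and the 7-day window are assumptions.

```python
import os
import re
import tempfile
import time

# "eval(" is the string the post suggests grepping for; the others are
# common companions in injected mailer and backdoor code (assumed list).
MARKERS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate": re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("),
}

def scan_file(path):
    """Return the marker names found in one PHP file."""
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    return [name for name, rx in MARKERS.items() if rx.search(text)]

def scan_tree(root, recent_days=7):
    """Walk root for *.php files; report marker hits and recently changed files."""
    cutoff = time.time() - recent_days * 86400
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in (f for f in files if f.endswith(".php")):
            path = os.path.join(dirpath, name)
            reasons = scan_file(path)
            if os.path.getmtime(path) > cutoff:  # changed inside the incident window
                reasons.append("modified recently")
            if reasons:
                hits[os.path.relpath(path, root)] = reasons
    return hits

def build_sample_tree():
    """Constructed fixture: a clean core file, an old injected file, a fresh edit."""
    root = tempfile.mkdtemp()
    old = time.time() - 30 * 86400
    samples = {
        "index.php": ("<?php require 'wp-blog-header.php';", old),
        "wp-content/uploads/x.php": ("<?php eval(base64_decode('Zm9v'));", old),
        "wp-admin/admin-ajax.php": ("<?php echo 'ok';", time.time()),
    }
    for rel, (body, mtime) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))
    return root
```

Point scan_tree() at the account's public_html to get the same report for a real site; every hit is a file to diff against a known-good WordPress release before deciding to clean or reinstall.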
     
  4. cPanelMichael (Forums Analyst, Staff Member)

    Hello :)

    You may want to consider reinstalling the application instead of cleaning the affected code to ensure it's not still exploited.

    Thank you.
     
  5. anton_latvia (Well-Known Member, PartnerNOC)

    Reinstalling is always best, but sometimes it's not possible to do quickly. Also, upgrades are not always straightforward. Therefore, as a temporary solution, I suggested cleaning the files. We also always set all subfolders of public_html to read-only mode, so vulnerable plugins can't do more harm, but the page is still up.
     