2 websites same reseller not showing - infected?

General Discussion of atomic repo and development projects.

Ask for help here with anything else not covered by other forums.
coolemail
Forum Regular
Posts: 369
Joined: Tue Dec 16, 2008 8:01 am
Location: United Kingdom

2 websites same reseller not showing - infected?

Unread post by coolemail »

Can someone help? On Saturday night 2 domains for one client became unavailable. I've done some digging to try and find out why. It looks like the header.php and index.php files are there, but are also hidden or missing:

Code:

[plesk3.hostname.co.uk ~]# locate header.php | grep hosted-domain | more
...
/var/www/vhosts/hosted-domain.com/httpdocs/wp-content/themes/hosted-domain2/header.php
...
and this is the header for the home page. But when I try to look at it, it is not there:

Code:

[plesk3.hostname.co.uk ~]# cat /var/www/vhosts/hosted-domain.com/httpdocs/wp-content/themes/hosted-domain2/header.php
cat: /var/www/vhosts/hosted-domain.com/httpdocs/wp-content/themes/hosted-domain2/header.php: No such file or directory
and it is not listed on the folder either for some reason:

Code:

[plesk3.hostname.co.uk ~]# ls -l /var/www/vhosts/hosted-domain.com/httpdocs/wp-content/themes/hosted-domain2
total 220
-rw-r--r-- 1 hosted-domain-ftp psacln   305 Jul  6  2012 404.php
-rw-r--r-- 1 hosted-domain-ftp psacln  3108 Jul  6  2012 archive.php
-rw-r--r-- 1 hosted-domain-ftp psacln  2212 Jul  6  2012 category-10.php
-rw-r--r-- 1 hosted-domain-ftp psacln  2263 Jul  6  2012 category-1103.php
-rw-r--r-- 1 hosted-domain-ftp psacln  2203 Jul  6  2012 category-3.php
-rw-r--r-- 1 hosted-domain-ftp psacln  2234 Jul  6  2012 category-4.php
-rw-r--r-- 1 hosted-domain-ftp psacln  2233 Jul  6  2012 category-5893.php
-rw-r--r-- 1 hosted-domain-ftp psacln  2215 Jul  6  2012 category-5.php
-rw-r--r-- 1 hosted-domain-ftp psacln  2212 Jul  6  2012 category-6.php
-rw-r--r-- 1 hosted-domain-ftp psacln  2236 Jul  6  2012 category-7.php
-rw-r--r-- 1 hosted-domain-ftp psacln  3694 Jul  6  2012 comments.php
-rw-r--r-- 1 hosted-domain-ftp psacln  4717 Jul  6  2012 comments-popup.php
-rw-r--r-- 1 hosted-domain-ftp psacln  3042 Feb 26 22:08 footer.php
-rw-r--r-- 1 hosted-domain-ftp psacln 21562 Jan 22 09:06 functions.php
-rw-r--r-- 1 hosted-domain-ftp psacln  1591 Jul  9  2012 google-search.php
-rw-r--r-- 1 hosted-domain-ftp psacln  2495 Jul  6  2012 image.php
drwxr-xr-x 2 hosted-domain-ftp psacln  4096 Dec 14 11:18 images
-rw-r--r-- 1 hosted-domain-ftp psacln  4138 Jul  6  2012 index.php
-rw-r--r-- 1 hosted-domain-ftp psacln   316 Jul  6  2012 links.php
-rw-r--r-- 1 hosted-domain-ftp psacln   800 Jul  6  2012 page.php
-rw-r--r-- 1 hosted-domain-ftp psacln 64186 Jul  6  2012 screenshot.png
-rw-r--r-- 1 hosted-domain-ftp psacln   680 Jul  9  2012 searchform.php
-rw-r--r-- 1 hosted-domain-ftp psacln  1473 Jul  9  2012 search.php
-rw-r--r-- 1 hosted-domain-ftp psacln  3561 Jul  6  2012 sidebar.php
-rw-r--r-- 1 hosted-domain-ftp psacln  3345 Jul  6  2012 single.php
-rw-r--r-- 1 hosted-domain-ftp psacln 25389 Jul  9  2012 style.css
[plesk3.hostname.co.uk ~]#
Can someone help with what might have happened? It looks like the domain has got a virus possibly.

I have tried to run and output a clamscan report, but it is either very slow or not working:

Code:

[plesk3.hostname.co.uk ~]# clamscan -r /var/www/vhosts/hosted-domain.com/httpdocs | grep FOUND >> /var/www/vhosts/hosted-domain.com/report/clamscan-report.txt
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: 2 websites same reseller not showing - infected?

Unread post by prupert »

The files are probably deleted, check your FTP logs.

Tip: "locate" does not search real-time, it uses a database that gets updated once every night.
Lemonbit Internet Dedicated Server Management
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Re: 2 websites same reseller not showing - infected?

Unread post by biggles »

prupert wrote: Tip: "locate" does not search real-time, it uses a database that gets updated once every night.
Or you could manually update it with the command "updatedb"

Or use the find command...

Re: 2 websites same reseller not showing - infected?

Unread post by coolemail »

Thank you both for your help. How do I look at the contents of
/usr/local/psa/var/log/xferlog.processed.2.gz
because
/usr/local/psa/var/log/xferlog relates only to today and I need to know what happened on Saturday night?

It seems as if some script or something has stripped lots of files.

Re: 2 websites same reseller not showing - infected?

Unread post by coolemail »

I have looked at /usr/local/psa/var/log/xferlog.processed and there is a mass of FTP traffic that evening like:

Code:

Sat Apr 06 20:14:55 2013 0 111.222.333.444 377 /var/www/vhosts/hosted-domain.com/httpdocs/wp-content/upgrade/newsletter.tmp/newsletter/emails/themes/linear/theme-options.php b _ i r hosted-domain-ftp ftp 0 * c
Is there somewhere I can see the IP address(es) that successfully log on to the domain/customer account etc? Or does it give any clue as to what may have happened - did their username/password simply get compromised?
Last edited by coolemail on Mon Apr 08, 2013 9:25 am, edited 1 time in total.

Re: 2 websites same reseller not showing - infected?

Unread post by prupert »

coolemail wrote: Thank you both for your help. How do I look at the contents of
/usr/local/psa/var/log/xferlog.processed.2.gz
It is a gzipped (compressed) file. Use zcat, zgrep etc. to open the files for reading.
I have looked at /usr/local/psa/var/log/xferlog.processed and there is a mass of FTP traffic that evening like.
[...]
Is there somewhere I can see the IP address(es) that successfully log on to the domain/customer account etc? Or does it give any clue as to what may have happened - did their username/password simply get compromised?
The first IP address listed in the log line is the IP address of the FTP client.

I am not sure why you believe their account is compromised. If you have reason to do so, at least change the passwords immediately.

Re: 2 websites same reseller not showing - infected?

Unread post by coolemail »

Thank you Pim,
That IP address - 111.222.333.444 - is the IP address where their domain is hosted. We only thought they had become compromised because they did nothing themselves, but the website "vanished" between 2300-2359 hrs that day. And on the server, the files were missing. In the WordPress admin login all their articles were there, but nothing on the website itself.
They have already changed all their passwords.

We did also find a lot of entries in /var/log/messages like the following - does the first line give any idea?:

Code:

Apr  6 23:07:29 plesk3 proftpd[3447]: 111.222.333.444 (198.101.248.172[198.101.248.172]) - Preparing to chroot to directory '/var/www/vhosts/hosted-domain.com'
Apr  6 23:23:27 plesk3 clamd[10561]: /var/www/vhosts/hosted-domain.com/httpdocs/index.php: Atomicorp.PHP.ObfusTrojan.190703202159.UNOFFICIAL FOUND
Apr  6 23:23:27 plesk3 proftpd[3447]: 111.222.333.444 (198.101.248.172[198.101.248.172]) - mod_clamav/0.11rc: Virus 'Atomicorp.PHP.ObfusTrojan.190703202159.UNOFFICIAL' found in '/var/www/vhosts/hosted-domain.com/httpdocs/index.php' 
Apr  6 23:23:30 plesk3 clamd[10561]: /var/www/vhosts/hosted-domain.com/httpdocs/wp-content/themes/classic/header.php: Atomicorp.PHP.ObfusTrojan.190703202159.UNOFFICIAL FOUND
Apr  6 23:23:30 plesk3 proftpd[3447]: 111.222.333.444 (198.101.248.172[198.101.248.172]) - mod_clamav/0.11rc: Virus 'Atomicorp.PHP.ObfusTrojan.190703202159.UNOFFICIAL' found in '/var/www/vhosts/hosted-domain.com/httpdocs/wp-content/themes/classic/header.php'  

Re: 2 websites same reseller not showing - infected?

Unread post by coolemail »

Further to my last, I may have found it - could it be that 198.101.248.172 hacked their account?

Code:

[plesk3.hostname.co.uk ~]# grep -R "Login successful" /var/log | grep Apr | grep hosted-domain | more
/var/log/secure:Apr  2 08:55:04 plesk3 proftpd[6565]: 111.222.333.444 (111.222.333.444[111.222.333.444]) - USER hosted-domain-ftp: Login successful. 
/var/log/secure:Apr  2 08:55:04 plesk3 proftpd[6566]: 111.222.333.444 (111.222.333.444[111.222.333.444]) - USER hosted-domain-ftp: Login successful. 
/var/log/secure:Apr  5 16:04:57 plesk3 proftpd[24150]: 111.222.333.444 (111.222.333.444[111.222.333.444]) - USER hosted-domain-ftp: Login successful. 
/var/log/secure:Apr  5 16:04:57 plesk3 proftpd[24154]: 111.222.333.444 (111.222.333.444[111.222.333.444]) - USER hosted-domain-ftp: Login successful. 
/var/log/secure:Apr  6 20:14:52 plesk3 proftpd[10583]: 111.222.333.444 (111.222.333.444[111.222.333.444]) - USER hosted-domain-ftp: Login successful. 
/var/log/secure:Apr  6 20:14:53 plesk3 proftpd[10585]: 111.222.333.444 (111.222.333.444[111.222.333.444]) - USER hosted-domain-ftp: Login successful. 
/var/log/secure:Apr  6 23:07:29 plesk3 proftpd[3447]: 111.222.333.444 (198.101.248.172[198.101.248.172]) - USER hosted-domain-ftp: Login successful.
/var/log/secure:Apr  7 15:45:14 plesk3 proftpd[6983]: 111.222.333.444 (111.222.333.444[111.222.333.444]) - USER hosted-domain-ftp: Login successful. 
/var/log/secure:Apr  7 15:45:15 plesk3 proftpd[6985]: 111.222.333.444 (111.222.333.444[111.222.333.444]) - USER hosted-domain-ftp: Login successful. 
/var/log/secure:Apr  7 15:54:34 plesk3 proftpd[8215]: 111.222.333.444 (5.70.58.39[5.70.58.39]) - USER hosted-domain-ftp: Login successful. 
/var/log/secure:Apr  7 15:56:17 plesk3 proftpd[8447]: 111.222.333.444 (111.222.333.444[111.222.333.444]) - USER hosted-domain-ftp: Login successful. 
/var/log/secure:Apr  7 23:51:44 plesk3 proftpd[16509]: 111.222.333.444 (174.121.246.162[174.121.246.162]) - USER hosted-domain-ftp: Login successful. 
/var/log/secure:Apr  8 10:37:14 plesk3 proftpd[25393]: 111.222.333.444 (5.70.58.39[5.70.58.39]) - USER hosted-domain-ftp: Login successful. 
/var/log/secure:Apr  8 10:39:32 plesk3 proftpd[26329]: 111.222.333.444 (109.156.179.234[109.156.179.234]) - USER hosted-domain-ftp: Login successful. 
/var/log/secure:Apr  8 10:57:57 plesk3 proftpd[3293]: 111.222.333.444 (5.70.58.39[5.70.58.39]) - USER hosted-domain-ftp: Login successful. 
/var/log/secure:Apr  8 11:51:41 plesk3 proftpd[30345]: 111.222.333.444 (5.70.58.39[5.70.58.39]) - USER hosted-domain-ftp: Login successful. 
/var/log/secure:Apr  8 11:52:41 plesk3 proftpd[30972]: 111.222.333.444 (5.70.58.39[5.70.58.39]) - USER hosted-domain-ftp: Login successful. 
/var/log/secure:Apr  8 12:02:09 plesk3 proftpd[8434]: 111.222.333.444 (5.70.58.39[5.70.58.39]) - USER hosted-domain-ftp: Login successful. 
/var/log/secure:Apr  8 13:59:09 plesk3 proftpd[22169]: 111.222.333.444 (5.70.58.39[5.70.58.39]) - USER hosted-domain-ftp: Login successful. 
[plesk3.emailitis.co.uk ~]#
and I think the proof is in the FTP logs:

Sat Apr 06 23:27:02 2013 2 198.101.248.172 5456 /var/www/vhosts/hosted-domain.com/subdomains/forum/httpdocs/forums/clientscript/vbulletin_quick_reply.js a _ o r hosted-domain-ftp ftp 0 * c
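The two log sources walked through in this post (proftpd "Login successful" lines in /var/log/secure and xferlog transfer records) can be correlated per client IP rather than read by eye. The following is an added example, not code from the thread or from Atomicorp; the log lines in it are constructed with RFC 5737 test addresses in place of the real ones, and the paths are the thread's own:

```python
"""Added example, not code from the thread: summarise proftpd FTP activity per
client IP from /var/log/secure "Login successful" lines and xferlog records, then
flag client IPs outside an allowlist. Sample lines are constructed (RFC 5737
addresses) to mirror the shape of the lines posted in the thread."""
import re
from collections import defaultdict

# "<Mon dd hh:mm:ss> host proftpd[pid]: SERVER (CLIENT_HOST[CLIENT_IP]) - USER u: Login successful."
LOGIN_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ proftpd\[\d+\]: \S+ "
    r"\([^\[]*\[(?P<ip>[^\]]+)\]\) - USER (?P<user>\S+): Login successful\."
)

SECURE_LOG = """\
Apr  6 20:14:52 plesk3 proftpd[10583]: 192.0.2.10 (192.0.2.10[192.0.2.10]) - USER hosted-domain-ftp: Login successful.
Apr  6 23:07:29 plesk3 proftpd[3447]: 192.0.2.10 (203.0.113.77[203.0.113.77]) - USER hosted-domain-ftp: Login successful."""

XFERLOG = """\
Sat Apr 06 20:14:55 2013 0 192.0.2.10 377 /var/www/vhosts/hosted-domain.com/httpdocs/wp-content/upgrade/newsletter.tmp/newsletter/emails/themes/linear/theme-options.php b _ i r hosted-domain-ftp ftp 0 * c
Sat Apr 06 23:23:27 2013 1 203.0.113.77 9812 /var/www/vhosts/hosted-domain.com/httpdocs/index.php b _ i r hosted-domain-ftp ftp 0 * c
Sat Apr 06 23:27:02 2013 2 203.0.113.77 5456 /var/www/vhosts/hosted-domain.com/subdomains/forum/httpdocs/forums/clientscript/vbulletin_quick_reply.js a _ o r hosted-domain-ftp ftp 0 * c"""

def parse_xferlog_line(line):
    """xferlog record: 5 timestamp tokens, transfer-time, remote-host, size, filename,
    then 9 trailing fields (type, flag, direction, mode, user, service, auth, uid, status)."""
    head = line.split(None, 8)
    rest = head[8].rsplit(None, 9) if len(head) == 9 else []
    if len(rest) != 10:
        return None  # malformed or truncated record
    return {"ts": " ".join(head[:5]), "ip": head[6], "size": int(head[7]),
            "path": rest[0], "direction": rest[3], "user": rest[5], "complete": rest[9] == "c"}

def summarise(secure_lines, xferlog_lines, ftp_user):
    """Per client IP for one FTP account: logins, completed uploads ('i') and downloads ('o')."""
    acts = defaultdict(lambda: {"logins": 0, "uploads": [], "downloads": 0})
    for line in secure_lines:
        m = LOGIN_RE.match(line)
        if m and m.group("user") == ftp_user:
            acts[m.group("ip")]["logins"] += 1
    for line in xferlog_lines:
        rec = parse_xferlog_line(line)
        if rec and rec["user"] == ftp_user and rec["complete"]:
            if rec["direction"] == "i":
                acts[rec["ip"]]["uploads"].append(rec["path"])
            elif rec["direction"] == "o":
                acts[rec["ip"]]["downloads"] += 1
    return dict(acts)

def unexpected_ips(summary, allowlist):
    return sorted(ip for ip in summary if ip not in allowlist)  # sources to investigate
```

Run it against `zcat` output of the rotated xferlog and the matching /var/log/secure window; the upload list for any IP outside the allowlist is the set of files to compare against a known clean backup.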

Re: 2 websites same reseller not showing - infected?

Unread post by prupert »

It appears that their FTP account was compromised. The password might have been guessed, or stolen from the client (using malware), or may have been unintentionally given away, or stored in plain-text in a publicly accessible file etc. Make sure to revert any changes that have been made since the FTP attacks began.

It appears that the ASL realtime upload scanners (via ClamAV) already blocked some uploads, but some mala fide uploads may have slipped through. Restore from a known clean backup and make sure the security of the website and client is proper before giving access again.

Re: 2 websites same reseller not showing - infected?

Unread post by coolemail »

The client initiated downloading a 5GB file from the Plesk backup and it has made websites and mail unavailable.

top command is fine and shell access. Can you help me find what to stop to cancel this server-end? It is making the server load climb up.

Re: 2 websites same reseller not showing - infected?

Unread post by coolemail »

Sorted! The high server load was only very temporary.