Hello,
I received an email from my DC recently saying that a website I host was compromised. The wordpress site wasn't defaced but I found that the attacker had created various directories at the root with php scripts inside redirecting users elsewhere.
The following is the content of one of the index.php files created:
http://pastebin.com/3LzxCSfd
Amongst several other folders that were created, there is one which has 3,870 php files inside, all with dubious redirection links. Contents of one of them is below:
http://pastebin.com/sCXdV7NV
How did the attacker get through ASL? How can I prevent similar incidents in the future?
I apologize if I sound rude, my intentions are anything but.
Wordpress compromised
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Wordpress compromised
We're sorry to hear that. In most cases this happens when the bad guys simply steal a password and SSH into the system (especially when you see lots and lots of files). Hard to say for sure, but both of these are picked up by the real time malware protection system. Can you tell me what kernel you are using?
If you are using the ASL kernel, can you tell me what directories you have the ASL kernel's real-time malware protection system configured to protect and where these files were located?
Michael Shinn
Atomicorp - Security For Everyone
Re: Wordpress compromised
I'm running the ASL kernel.
I just checked, it seems that I had the real time scanner disabled. I run a WHM / cPanel server so all the web directories are located inside /home/. Shall I add this path to the real time scanner?
edit: I ran the malware scanner manually on the directory where I quarantined the compromised files and folders and below is the result of the clam scan
edit2: When I said root, I actually meant the public_html directory of the client (/home/client/public_html/). Apologies for the confusion.
20150115.024140.clamscan.log
----------- SCAN SUMMARY -----------
Known viruses: 5453749
Engine version: 0.98.5
Scanned directories: 7
Scanned files: 13036
Infected files: 0
Data scanned: 0.35 MB
Data read: 0.18 MB (ratio 1.98:1)
Time: 120.064 sec (2 m 0 s)
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Wordpress compromised
That's odd, I definitely can detect the two examples you provided:
[mshinn@localhost malware]$ clamscan 1.php
1.php: Atomicorp.PHP.Malware.012281416345.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 5719788
Engine version: 0.98.5
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 11.972 sec (0 m 11 s)
[mshinn@localhost malware]$ clamscan 2.php
2.php: Atomicorp.PHP.Malware.0122814163449.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 5719788
Engine version: 0.98.5
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 10.500 sec (0 m 10 s)
Are there different files in the directories you are scanning perhaps? Could you just tar up the directory and provide us with the URL to download it?
Michael Shinn
Atomicorp - Security For Everyone
Re: Wordpress compromised
Here's a zip of all the directories I could find: http://128.199.79.58/hacked.tar
edit: It appears my clamav definition database contains fewer signatures than yours, I'm off by 266039 signatures.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Wordpress compromised
I'm definitely seeing all of them detected, perhaps as you said your signatures are out of date? When you run "aum -u" and a clamscan -r on those files do you see them detected on your system?
If not, I wonder if your system is somehow configured to not load the ASL signatures?
Michael Shinn
Atomicorp - Security For Everyone
Re: Wordpress compromised
This is weird, clamscan now reads all the files as malicious after running aum -u. I distinctly remember that the first thing I did after receiving the email from my DC was to update ASL via the GUI.
But my virus definition DB still contains fewer definitions than your post:
----------- SCAN SUMMARY -----------
Known viruses: 5485872
Engine version: 0.98.5
Scanned directories: 7
Scanned files: 13036
Infected files: 13036
Data scanned: 0.18 MB
Data read: 0.18 MB (ratio 1.00:1)
Time: 33.539 sec (0 m 33 s)
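The thread turns on a clean clamscan result that only looked clean because the local signature database was stale. The following is an added example, not code from the thread or from Atomicorp, that parses clamscan SCAN SUMMARY output, computes the signature gap against a reference scan, and refuses to trust a zero-infection verdict when the gap is too large. The two summaries are constructed samples modelled on the output quoted above; function names are my own.

```python
import re

# Constructed sample: the poster's first scan (stale DB, nothing found).
USER_SCAN = """\
----------- SCAN SUMMARY -----------
Known viruses: 5453749
Engine version: 0.98.5
Scanned directories: 7
Scanned files: 13036
Infected files: 0
Data scanned: 0.35 MB
Data read: 0.18 MB (ratio 1.98:1)
Time: 120.064 sec (2 m 0 s)
"""

# Constructed sample: a reference scan with current signatures and one detection.
STAFF_SCAN = """\
1.php: Atomicorp.PHP.Malware.012281416345.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 5719788
Engine version: 0.98.5
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 11.972 sec (0 m 11 s)
"""

_INT_FIELDS = ("Known viruses", "Scanned directories", "Scanned files", "Infected files")


def parse_clamscan_summary(text):
    """Return the integer summary fields plus every '<path>: <signature> FOUND' hit."""
    summary = {}
    for field in _INT_FIELDS:
        m = re.search(rf"^{re.escape(field)}: (\d+)$", text, re.M)
        if not m:
            raise ValueError(f"missing summary field: {field}")
        summary[field] = int(m.group(1))
    summary["found"] = re.findall(r"^(.*?): (\S+) FOUND$", text, re.M)
    return summary


def signature_gap(local_text, reference_text):
    """Number of signatures the local DB lacks compared with the reference scan."""
    local = parse_clamscan_summary(local_text)["Known viruses"]
    reference = parse_clamscan_summary(reference_text)["Known viruses"]
    return reference - local


def clean_verdict_is_trustworthy(local_text, reference_text, max_gap=0):
    """'Infected files: 0' only means something when the DB is not behind the reference."""
    local = parse_clamscan_summary(local_text)
    return local["Infected files"] == 0 and signature_gap(local_text, reference_text) <= max_gap
```

Running `clean_verdict_is_trustworthy(USER_SCAN, STAFF_SCAN)` returns False, which is the situation the thread describes: run `aum -u` first, then rescan.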