Wordpress compromised

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
imadsani
Forum Regular
Posts: 112
Joined: Mon Sep 16, 2013 10:10 am
Location: Lahore

Wordpress compromised

Unread post by imadsani »

Hello,

I received an email from my DC recently saying that a website I host was compromised. The WordPress site wasn't defaced but I found that the attacker had created various directories at the root with php scripts inside redirecting users elsewhere.

The following is the content of one of the index.php files created:
http://pastebin.com/3LzxCSfd

Amongst several other folders that were created, there is one which has 3,870 php files inside, all with dubious redirection links. The contents of one of them are below:
http://pastebin.com/sCXdV7NV

How did the attacker get through ASL? How can I prevent similar incidents in the future?

I apologize if I sound rude, my intentions are anything but.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Wordpress compromised

Unread post by mikeshinn »

We're sorry to hear that. In most cases this happens when the bad guys simply steal a password and SSH into the system (especially when you see lots and lots of files). Hard to say for sure, but both of these are picked up by the real time malware protection system. Can you tell me what kernel you are using?

If you are using the ASL kernel, can you tell me what directories you have the ASL kernel's real-time malware protection system configured to protect and where these files were located?
imadsani
Forum Regular
Posts: 112
Joined: Mon Sep 16, 2013 10:10 am
Location: Lahore

Re: Wordpress compromised

Unread post by imadsani »

I'm running the ASL kernel.

I just checked, it seems that I had the real time scanner disabled. I run a WHM / cPanel server so all the web directories are located inside /home/. Shall I add this path to the real time scanner?

edit: I ran the malware scanner manually on the directory where I quarantined the compromised files and folders and below is the result of the clam scan


20150115.024140.clamscan.log

----------- SCAN SUMMARY -----------
Known viruses: 5453749
Engine version: 0.98.5
Scanned directories: 7
Scanned files: 13036
Infected files: 0
Data scanned: 0.35 MB
Data read: 0.18 MB (ratio 1.98:1)
Time: 120.064 sec (2 m 0 s)
edit2: When I said root, I actually meant the public_html directory of the client (/home/client/public_html/). Apologies for the confusion.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Wordpress compromised

Unread post by mikeshinn »

That's odd, I definitely can detect the two examples you provided:

[mshinn@localhost malware]$ clamscan 1.php
1.php: Atomicorp.PHP.Malware.012281416345.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 5719788
Engine version: 0.98.5
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 11.972 sec (0 m 11 s)
[mshinn@localhost malware]$ clamscan 2.php
2.php: Atomicorp.PHP.Malware.0122814163449.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 5719788
Engine version: 0.98.5
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 10.500 sec (0 m 10 s)

Are there different files in the directories you are scanning perhaps? Could you just tar up the directory and provide us with the URL to download it?
imadsani
Forum Regular
Posts: 112
Joined: Mon Sep 16, 2013 10:10 am
Location: Lahore

Re: Wordpress compromised

Unread post by imadsani »

Here's a zip of the all the directories I could find: http://128.199.79.58/hacked.tar

edit: It appears my clamav definition database contains fewer signatures than yours, I'm off by 266039 signatures.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Wordpress compromised

Unread post by mikeshinn »

I'm definitely seeing all of them detected, perhaps as you said your signatures are out of date? When you run "aum -u" and a clamscan -r on those files do you see them detected on your system?

If not, I wonder if your system is somehow configured to not load the ASL signatures?
imadsani
Forum Regular
Posts: 112
Joined: Mon Sep 16, 2013 10:10 am
Location: Lahore

Re: Wordpress compromised

Unread post by imadsani »

This is weird, clamscan now reads all the files as malicious after running aum -u. I distinctly remember that the first thing I did after receiving the email from my DC was to update ASL via the GUI.

But my virus definition DB still contains fewer definitions than your post:


----------- SCAN SUMMARY -----------
Known viruses: 5485872
Engine version: 0.98.5
Scanned directories: 7
Scanned files: 13036
Infected files: 13036
Data scanned: 0.18 MB
Data read: 0.18 MB (ratio 1.00:1)
Time: 33.539 sec (0 m 33 s)
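The thread's lesson is that a clean clamscan result is only meaningful if the signature database is current: the first scan reported 0 infected files with 5453749 known viruses, and the same files lit up once aum -u had refreshed the signatures. The following script is an added example, not from the thread or from Atomicorp, that parses a clamscan SCAN SUMMARY and refuses to call a scan "clean" when its Known viruses count is below a reference count taken from a known-good host. The log below is a constructed sample modelled on the poster's output, and the reference count 5719788 is the figure from mikeshinn's post.

```shell
#!/bin/sh
# Constructed sample clamscan summary (not a real log from the thread).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
----------- SCAN SUMMARY -----------
Known viruses: 5485872
Engine version: 0.98.5
Scanned directories: 7
Scanned files: 13036
Infected files: 13036
Data scanned: 0.18 MB
Data read: 0.18 MB (ratio 1.00:1)
Time: 33.539 sec (0 m 33 s)
EOF

# Print the integer value of one summary field, e.g. "Known viruses".
clamscan_field() {
    sed -n "s/^$2: \([0-9]*\).*/\1/p" "$1"
}

# Succeed only when the scan used at least $2 signatures; a lower count
# means the database is stale and a "0 infected" result is not trustworthy.
signatures_current() {
    known=$(clamscan_field "$1" "Known viruses")
    [ "${known:-0}" -ge "$2" ]
}

# Succeed when the summary reports at least one infected file.
scan_found_malware() {
    infected=$(clamscan_field "$1" "Infected files")
    [ "${infected:-0}" -gt 0 ]
}

# Overall verdict for a scan log given a reference signature count:
# stale-signatures (re-run after aum -u), infected, or clean.
scan_verdict() {
    if ! signatures_current "$1" "$2"; then
        echo "stale-signatures"
    elif scan_found_malware "$1"; then
        echo "infected"
    else
        echo "clean"
    fi
}

# Usage: compare the sample against the up-to-date host's count.
scan_verdict "$SAMPLE_LOG" 5719788
```

Run it against a real log with `clamscan -r /path/to/quarantine > scan.log` and `scan_verdict scan.log <reference-count>`; a stale-signatures verdict means updating with aum -u and rescanning before drawing any conclusion.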