[Solved] Lots of hacked websites on my server
Hi,
For a few days, I have had lots of hosted websites hacked.
They are under different CMSs, and even static websites (without PHP, only HTML+CSS) are hacked.
The hack looks like this:
- a few bad files are created in the website root, in addition to the normal ones:
- inside start.php, for example, there is something like this: http://pb.spheerys.fr/?7419df4cc74396b2 ... m6fWj9UsI=
Code:
/public_html ll
total 304K
-rw-r--r-- 1 Hedy Hedy 9,5K sept. 20 22:03 ajax.php
drwxr-xr-x 7 Hedy Hedy 4,0K nov. 15 15:48 assets
-rw-r--r-- 1 Hedy Hedy 131 nov. 15 15:48 config.core.php
drwxr-xr-x 4 Hedy Hedy 4,0K sept. 20 22:03 connectors
drwx------ 13 Hedy Hedy 4,0K sept. 20 22:09 core
-rw-r--r-- 1 Hedy Hedy 3,5K nov. 15 15:48 ht.access
-rw-r--r-- 1 Hedy Hedy 20K nov. 15 15:48 index.php
-rw-r--r-- 1 Hedy Hedy 11K sept. 20 22:03 start.php
-rw-r--r-- 1 Hedy Hedy 38K nov. 16 00:56 w25607563n.php
-rw-r--r-- 1 Hedy Hedy 38K nov. 16 00:46 w51627241n.php
-rw-r--r-- 1 Hedy Hedy 35K nov. 15 23:56 w54198906n.php
-rw-r--r-- 1 Hedy Hedy 38K nov. 16 00:18 w59127723n.php
-rw-r--r-- 1 Hedy Hedy 35K nov. 15 23:24 w59425529n.php
-rw-r--r-- 1 Hedy Hedy 35K nov. 15 22:56 w62533273n.php
- if I remove these files, they are created quickly (during the next 24h)
- my Debian system is up to date
I'm posting here because I don't know where the problem comes from. Usually, it's coming from CMS code, but here, even static websites are attacked...
Any idea?
Last edited by Spheerys on Thu Nov 17, 2016 2:05 pm, edited 1 time in total.
- Support team
- Posts: 1096
- Joined: Sat Sep 06, 2014 9:58 pm
- Contact:
- Os: Debian 8x
- Web: apache + nginx
Re: Lots of hacked websites on my server
Oh, sad to know...
The solution is not easy... anyways:
1. Are all sites under the same VestaCP user?
2. Are these sites hosted under the "admin" VestaCP user?
3. Is your SSH secured with keys?
4. How many WordPress sites do you host? Are they up to date with plugins/themes?
Re: Lots of hacked websites on my server
1) for the moment, yes: I only see the problem on my main user
2) no, I don't use the admin user
3) yes, I connect to my server with an SSH key only (no password)
4) not too many, but at least 3 or 4. I will dig in this direction because one of them is sending a lot of spam.
So if it is this WP website, I suppose the malware can write everywhere else in the user's home directory to put its bullshit, because of the user rights.
This explains why I'm finding malware files everywhere, doesn't it?
- Support team
- Posts: 1096
- Joined: Sat Sep 06, 2014 9:58 pm
- Contact:
- Os: Debian 8x
- Web: apache + nginx
Re: Lots of hacked websites on my server
Yes... so if you suspect a site to be compromised, you can for the moment remove it from your server or at least put it into a new user with proper basedir restriction.
Re: Lots of hacked websites on my server
OK, I have found the hacked website (the one under WordPress, obviously).
I'm a little bit disappointed by the rights management under VestaCP because on my old control panel (i-MSCP Omega), each user is closed under his own account.
Under VestaCP, it is more laborious (for the daily management) to create a user per website.
But we can...
Re: [Solved] Lots of hacked websites on my server
Even though you solved the problem, have a look at php Malicious Code Scanner, which you could schedule as a cron job. Or even Linux Malware Detect.
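
Added example, not part of the original thread and not code from VestaCP or the scanners named above: a small shell check for the symptom described in this thread, files named like the ones in the listing (w + 8 digits + n.php) appearing in several sites of the same hosting user. The function names and the directory layout <base>/<domain>/public_html are assumptions; adjust the base path to your own server.

```shell
#!/bin/sh
# Added example (assumed layout: <base>/<domain>/public_html).
# Name pattern taken from the listing in the first post: w<8 digits>n.php
PATTERN='w[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]n.php'

# Print every regular file under $1 whose name matches the pattern.
find_droppers() {
    find "$1" -type f -name "$PATTERN" 2>/dev/null | sort
}

# Print "<count> <site>" for each site directory under $1 that has hits.
# Hits in more than one site of the same user point to one compromised
# site writing into its neighbours with the shared user's rights.
count_by_site() {
    base=${1%/}
    find_droppers "$base" | while IFS= read -r path; do
        rel=${path#"$base"/}          # strip the base directory
        printf '%s\n' "${rel%%/*}"    # keep only the site directory name
    done | sort | uniq -c | awk '{print $1, $2}'
}

# Print PHP files under $1 modified within the last $2 days (default 2).
# The files in this thread came back within 24h, so a short window also
# catches re-created files that use a different name.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-${2:-2}" 2>/dev/null | sort
}

# When called with a base directory, print a short report.
if [ $# -gt 0 ]; then
    echo "Pattern hits per site:"
    count_by_site "$1"
    echo "PHP files changed in the last 2 days:"
    recent_php "$1" 2
fi
```

Run from cron with the user's web directory as the argument, this gives a quick daily signal; it complements a real malware scanner and does not replace one.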