Vesta Control Panel - Forum

Hacked websites and VestaCP

General questions about VestaCP
13 posts
Spheerys
Posts: 225
Joined: Tue Dec 29, 2015 12:36 pm

Os: Debian 7x
Web: apache + nginx
Hacked websites and VestaCP

Post by Spheerys » Fri Oct 20, 2017 9:01 pm

Hi,

On one server running VestaCP, I'm hosting several customers' websites.
For a while now, I have been finding malware hidden inside PHP files.
This malware/these scripts are probably sending spam or, worse, are used for phishing.

In the Apache logs, I see this kind of request:

Code:

45.40.167.2 - - [20/Oct/2017:21:01:07 +0200] "POST /wp-includes/js/thickbox/fvbnbyts.php HTTP/1.0" 404 48933 "http://website.fr/wp-includes/js/thickbox/fvbnbyts.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2)
195.231.225.143 - - [20/Oct/2017:21:29:04 +0200] "GET /happen.php?utm_source=opoewi71hlys&utm_medium=rye6e454w7s8&utm_campaign=afra9cds3t1m&utm_term=7nlvpgn927tv&utm_content=42t8l06rpfjnhh HTTP/1.0" 200 246 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
195.231.225.143 - - [20/Oct/2017:21:32:26 +0200] "GET /happen.php?utm_source=nlc44iytsyb1&utm_medium=kbenxi0kvvyq&utm_campaign=ieo6sy78kmrm&utm_term=5blw2idxph57&utm_content=q0mdk59b8yjcws HTTP/1.0" 200 246 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
195.231.225.143 - - [20/Oct/2017:21:32:27 +0200] "GET /happen.php?utm_source=nlc44iytsyb1&utm_medium=kbenxi0kvvyq&utm_campaign=ieo6sy78kmrm&utm_term=5blw2idxph57&utm_content=q0mdk59b8yjcws HTTP/1.0" 200 246 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
As an example, inside the happen.php file there is encrypted code (it's not a trap, it's just a pastebin of the content of the file): https://pb.spheerys.fr/?b2744134ad3bc1b ... nLOM8r6YM=

The malware can take several forms: it can inject encrypted pieces of code inside useful PHP files, such as wp-config.php (for a WordPress website).

It can also rename a real index.html file to index.html.bak.bak, AND create an index.php file which runs malicious encrypted code AND loads my original code from index.html.bak.bak.

I don't know if the malware is the same or if there are several ones.

Worse: I have found malicious PHP files inside the public_html directory of another website which only contains HTML files (flat website)!
At first glance, this kind of "pollution" is limited to a user (but I have to investigate more).

For now, I'm looking for the attack vector, but it's not an easy job (probably from a WordPress or Joomla website ^^)!
I generally clean malicious PHP code when I find it: I have found some characteristic patterns to find some, but probably not all!


So I have a few questions:
- Am I the only one to have this kind of problem?
- Do you have any idea how to find the attack vector?
- How can I efficiently detect new attacks, if possible in real time?
- Do you know how to definitively protect my server from those attacks?
- Do you think the whole server could be compromised, only the originally hacked website, or all websites of a user?
- With my old panel system (imscp-omega), each website was owned by a unique unix user, so I never got "pollution" and I could easily find the "hacked website". But VestaCP uses Users differently: one user can own several websites on the same account. Is there a way to improve the security and contain a CMS security hole more efficiently?

Thanks a lot for your help.

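As an added example (not part of the original post, and not VestaCP code), here is a small Python script that applies the request patterns the poster describes to Apache combined-format log lines: PHP executed from directories that should only hold static assets, POSTs to PHP files outside WordPress's known entry points, and requests whose utm_ tracking values are machine-generated tokens. The log lines and IP addresses below are constructed sample data; the directory list, the POST allowlist and the random-token heuristic are my assumptions and need tuning per site.

```python
"""Flag the request patterns described above in Apache combined-format logs.

Added example, not code from the thread or from VestaCP. The log sample
below is constructed (RFC 5737 test addresses); the allowlists and the
random-token heuristic are assumptions that need tuning per site.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# WordPress directories that should only ever serve static files (assumption).
STATIC_ONLY_DIRS = ("/wp-includes/js/", "/wp-includes/css/", "/wp-content/uploads/")

# PHP entry points a stock WordPress site legitimately receives POSTs on (assumption).
KNOWN_POST_TARGETS = {
    "/index.php", "/wp-login.php", "/xmlrpc.php", "/wp-cron.php",
    "/wp-comments-post.php", "/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php",
}

# Machine-generated token: 12+ lowercase alphanumerics mixing letters and digits.
RANDOM_TOKEN = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{12,}$")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["status"] = int(req["status"])
    req["size"] = 0 if req["size"] == "-" else int(req["size"])
    parts = urlsplit(req["target"])
    req["path"] = parts.path
    req["query"] = dict(parse_qsl(parts.query, keep_blank_values=True))
    return req


def classify(req):
    """Return the list of rule names a parsed request triggers (empty if none)."""
    reasons = []
    path = req["path"]
    if path.endswith(".php"):
        if path.startswith(STATIC_ONLY_DIRS):
            reasons.append("php_in_static_dir")
        if req["method"] == "POST" and path not in KNOWN_POST_TARGETS:
            reasons.append("post_unknown_php")
    utm_values = [v for k, v in req["query"].items() if k.startswith("utm_")]
    if len(utm_values) >= 3 and all(RANDOM_TOKEN.match(v) for v in utm_values):
        reasons.append("random_utm_values")
    return reasons


def scan(lines):
    """Scan log lines; return (list of findings, Counter of hits per client IP)."""
    findings, per_ip = [], Counter()
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        reasons = classify(req)
        if reasons:
            findings.append((req["ip"], req["method"], req["path"], req["status"], reasons))
            per_ip[req["ip"]] += 1
    return findings, per_ip


# Constructed sample modelled on the requests quoted in the post (test IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Oct/2017:21:01:07 +0200] "POST /wp-includes/js/thickbox/fvbnbyts.php HTTP/1.0" 404 48933 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Oct/2017:21:29:04 +0200] "GET /happen.php?utm_source=opoewi71hlys&utm_medium=rye6e454w7s8&utm_campaign=afra9cds3t1m&utm_term=7nlvpgn927tv&utm_content=42t8l06rpfjnhh HTTP/1.0" 200 246 "-" "Mozilla/4.0"
198.51.100.7 - - [20/Oct/2017:21:32:26 +0200] "GET /happen.php?utm_source=nlc44iytsyb1&utm_medium=kbenxi0kvvyq&utm_campaign=ieo6sy78kmrm&utm_term=5blw2idxph57&utm_content=q0mdk59b8yjcws HTTP/1.0" 200 246 "-" "Mozilla/4.0"
203.0.113.5 - - [20/Oct/2017:21:40:00 +0200] "GET /wp-content/uploads/2017/10/photo.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Oct/2017:21:41:12 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Oct/2017:21:42:30 +0200] "GET /?utm_source=newsletter&utm_medium=email HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    found, hits = scan(source)
    for ip, method, path, status, reasons in found:
        print(f"{ip} {method} {path} {status} -> {', '.join(reasons)}")
    print("hits per IP:", dict(hits))
```

Point it at a domain's access log (the path depends on the install) and feed the per-IP counts into whatever you already use for blocking; the "php_in_static_dir" rule is the one worth turning into a hard server rule as well, since a WordPress site has no reason to execute PHP from wp-includes/js or wp-content/uploads.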
skamasle
Collaborator
Posts: 592
Joined: Mon Feb 29, 2016 6:36 pm

Re: Hacked websites and VestaCP

Post by skamasle » Fri Oct 20, 2017 9:56 pm

I think you have security issues in your WordPress.

/wp-includes/js/thickbox/fvbnbyts.php

These are common files on hacked sites, maybe bugs in plugins or themes.

Spheerys
Posts: 225
Joined: Tue Dec 29, 2015 12:36 pm

Os: Debian 7x
Web: apache + nginx
Re: Hacked websites and VestaCP

Post by Spheerys » Fri Oct 20, 2017 10:00 pm

Yes, of course this file is the visible part of the iceberg.
It's not "my" website (but a customer's one), but I can easily delete it.
The point is it will be recreated elsewhere later, with another random name.
And I didn't find a way to find out which extension is corrupted...
Not sure at all that in this case the thickbox extension is corrupted...

BaDTaG
Posts: 16
Joined: Sun Nov 22, 2015 12:22 pm

Re: Hacked websites and VestaCP

Post by BaDTaG » Sat Oct 21, 2017 1:09 pm

Well, I moved a few sites from a cPanel server to my VestaCP server because of malware.
It hasn't gotten better by moving to VestaCP and also not worse.
What has become easier is removing it. I just run a maldet scan, look at the report and fix it.
I have come to find that most is because of old plugins not updated. Remove old plugins and install Wordfence and also GOTMLS.
Wordfence I use to protect and get reports. GOTMLS to remove it if I use WordPress.

But the most important thing is to update your WordPress and plugins. For any plugin that doesn't get regular updates you should find an alternative one to use! Or code that function yourself.

mehargags
Support team
Posts: 1096
Joined: Sat Sep 06, 2014 9:58 pm

Os: Debian 8x
Web: apache + nginx
Re: Hacked websites and VestaCP

Post by mehargags » Sat Oct 21, 2017 1:20 pm

Sad to hear about your problem, it has happened to all of us many a time. It is important to understand how exactly the malicious code spread across the other sites. One of the biggest possible reasons, which has been discussed a lot, is NOT TO HOST any website (especially WordPress) under the VestaCP user Admin, because it has elevated privileges.

Second, rule of thumb: do NOT host more than 2-3 sites inside one Vesta user. I know Vesta now has basedir protection for each website, yet "permissions" on a Linux system depend on the user. It is better to keep userland different and separate for websites, probably a one user - one website approach if your WP sites seem vulnerable.

Secondly, WP sites can have a lot of vulnerabilities, as in the installed plugins and themes, more so if using nulled packages. But still, I have seen a lot of popular themes on Themeforest having vulnerable content and injectable JS libraries that can be used to hack WP sites. Tracing the exact source is big work and a process in itself.

Spheerys
Posts: 225
Joined: Tue Dec 29, 2015 12:36 pm

Os: Debian 7x
Web: apache + nginx
Re: Hacked websites and VestaCP

Post by Spheerys » Tue Oct 24, 2017 12:10 pm

BaDTaG wrote: Well, I moved a few sites from a cPanel server to my VestaCP server because of malware.
It hasn't gotten better by moving to VestaCP and also not worse.
What has become easier is removing it. I just run a maldet scan, look at the report and fix it.
I have come to find that most is because of old plugins not updated. Remove old plugins and install Wordfence and also GOTMLS.
Wordfence I use to protect and get reports. GOTMLS to remove it if I use WordPress.
Thanks for the advice :)
BaDTaG wrote: But the most important thing is to update your WordPress and plugins. For any plugin that doesn't get regular updates you should find an alternative one to use! Or code that function yourself.
The point is I'm not the owner of those websites, so I can only suspend them until the owner acts correctly...
mehargags wrote: Sad to hear about your problem, it has happened to all of us many a time. It is important to understand how exactly the malicious code spread across the other sites. One of the biggest possible reasons, which has been discussed a lot, is NOT TO HOST any website (especially WordPress) under the VestaCP user Admin, because it has elevated privileges.
I don't use the admin account to host websites :)
mehargags wrote: Second, rule of thumb: do NOT host more than 2-3 sites inside one Vesta user. I know Vesta now has basedir protection for each website, yet "permissions" on a Linux system depend on the user. It is better to keep userland different and separate for websites, probably a one user - one website approach if your WP sites seem vulnerable.
That was my personal conclusion, and I'm happy to see that I'm not the only one to have had it ^^

mehargags wrote: Secondly, WP sites can have a lot of vulnerabilities, as in the installed plugins and themes, more so if using nulled packages. But still, I have seen a lot of popular themes on Themeforest having vulnerable content and injectable JS libraries that can be used to hack WP sites. Tracing the exact source is big work and a process in itself.
Same conclusion...

I just discovered maldet and did a big cleaning, followed by a daily scan.
I hope this will keep my server clean, but I have to continue looking for the actual hacked website to "definitely" stop the "pollution".

mehargags
Support team
Posts: 1096
Joined: Sat Sep 06, 2014 9:58 pm

Os: Debian 8x
Web: apache + nginx
Re: Hacked websites and VestaCP

Post by mehargags » Tue Oct 24, 2017 6:30 pm

Spheerys wrote: I just discovered maldet and did a big cleaning, followed by a daily scan.
I hope this will keep my server clean, but I have to continue looking for the actual hacked website to "definitely" stop the "pollution".
Yes, with Maldet you are cleaning the problems, not the source or cause. If your WP sites continue to be vulnerable, the attacks will keep on increasing, to the extent that your server will go down before you can detect and run maldet and clean them. I hope you also know Maldet puts severe load on your CPU/RAM and can cause problems at peak times when your sites are having simultaneous visitors. It is like mopping the floor and walking on it at the same time... I hope you get the idea :)

Also, I have had WordPress hacks and infected files that were not detected by Maldet as malicious, while they were actually the source of the problem.
Tip:
Watch your Exim log and keep an eye on "exim -bpc" to see what your mail queue count is. Usually too many mails in the queue are an indicator of compromised sites. You can then check through the mail queue which user is originating SPAM and pin down the specific website under them.

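To make the tip above concrete, here is an added example (mine, not from the thread or from VestaCP) that turns the mail-queue check into a script: it parses the output of `exim -bp` (one header line per message with age, size, message id and envelope sender, recipients indented beneath it, frozen messages marked with `*** frozen ***`), counts messages per sender, and raises an alert when the queue exceeds a threshold. The queue listing below is constructed sample data. It assumes that mail submitted by a site's PHP through sendmail carries an envelope sender of the form unixuser@hostname, so the top sender points at the Vesta user whose site is spamming.

```python
"""Summarise the Exim queue to find which local sender is flooding it.

Added example, not code from the thread or from VestaCP. Parses `exim -bp`
output; the sample queue below is constructed. Assumption: PHP mail() sent
via sendmail has an envelope sender of <unixuser@hostname>, so the sender
column identifies the Vesta user whose website is generating the spam.
"""
import re
import subprocess
from collections import Counter

# `exim -bp` header line:  <age> <size> <message-id> <sender> [*** frozen ***]
HEADER_RE = re.compile(
    r"^\s*(?P<age>\S+)\s+(?P<size>\S+)\s+"
    r"(?P<id>[A-Za-z0-9]+-[A-Za-z0-9]+-[A-Za-z0-9]+)\s+"
    r"<(?P<sender>[^>]*)>(?P<frozen>\s+\*\*\* frozen \*\*\*)?"
)


def parse_queue(text):
    """Turn `exim -bp` output into a list of message dicts with their pending recipients."""
    messages = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            messages.append({
                "id": m["id"], "age": m["age"], "size": m["size"],
                "sender": m["sender"] or "<>",        # empty sender = bounce message
                "frozen": m["frozen"] is not None,
                "recipients": [],
            })
        elif line.strip() and messages:
            rcpt = line.strip()
            if rcpt.startswith("D "):                 # 'D' = already delivered to this address
                continue
            messages[-1]["recipients"].append(rcpt)
    return messages


def summarize(messages, threshold=50):
    """Aggregate the queue; `alert` is True when it holds at least `threshold` messages."""
    by_sender = Counter(m["sender"] for m in messages)
    by_rcpt_domain = Counter(
        r.rsplit("@", 1)[-1].lower() for m in messages for r in m["recipients"])
    return {
        "total": len(messages),
        "frozen": sum(m["frozen"] for m in messages),
        "top_senders": by_sender.most_common(5),
        "top_recipient_domains": by_rcpt_domain.most_common(5),
        "alert": len(messages) >= threshold,
    }


def queue_from_exim():
    """Run `exim -bp` on this host (needs root or Exim's trusted user)."""
    return subprocess.run(["exim", "-bp"], capture_output=True, text=True, check=True).stdout


# Constructed sample: three queued messages from one web user, one frozen bounce, one normal mail.
SAMPLE_QUEUE = """\
 3m   1.2K 1e6Zk3-0003Cy-Ln <web1@vps.example>
          victim1@mail.example

 3m   1.2K 1e6Zk3-0003D0-Qx <web1@vps.example>
          victim2@mail.example
          victim3@mail.example

 2m   1.1K 1e6Zk4-0003D4-2b <web1@vps.example>
          victim4@mail.example

47m   3.4K 1e6Yz9-00029a-7A <> *** frozen ***
          web1@vps.example

 1m   0.9K 1e6Zk5-0003D9-Hp <alice@customer.example>
        D bob@partner.example
          carol@partner.example
"""

if __name__ == "__main__":
    import sys
    text = queue_from_exim() if "--live" in sys.argv else SAMPLE_QUEUE
    report = summarize(parse_queue(text), threshold=3)
    print(f"queued: {report['total']}  frozen: {report['frozen']}  alert: {report['alert']}")
    for sender, n in report["top_senders"]:
        print(f"  {n:4d}  {sender}")
    for domain, n in report["top_recipient_domains"]:
        print(f"  {n:4d}  -> {domain}")
```

Run it from cron with `--live` and a threshold that matches your normal traffic; once a sender such as web1@vps.example dominates the queue, `exim -Mvh <message-id>` on one of its ids shows the spool headers, which is where the submitting script usually becomes visible, and that narrows the search to the websites under that Vesta user.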
Spheerys
Posts: 225
Joined: Tue Dec 29, 2015 12:36 pm

Os: Debian 7x
Web: apache + nginx
Re: Hacked websites and VestaCP

Post by Spheerys » Tue Oct 24, 2017 9:11 pm

mehargags wrote: It is like mopping the floor and walking on it at the same time... I hope you get the idea :)
I understand :D
mehargags wrote: Watch your Exim log and keep an eye on "exim -bpc" to see what your mail queue count is. Usually too many mails in the queue are an indicator of compromised sites. You can then check through the mail queue which user is originating SPAM and pin down the specific website under them.
Yes, I know this :)

plutocrat
Posts: 232
Joined: Fri Jan 27, 2017 9:16 am

Os: Ubuntu 17x
Web: apache + nginx
Re: Hacked websites and VestaCP

Post by plutocrat » Mon Nov 06, 2017 4:25 am

As a service to your customers, you might consider writing a script to get wp-cli to check for un-updated plugins and wp installations. It could send out an automated email if it found many updates.

It could even perform the upgrades if you wanted, but that might be a bit intrusive.

http://wp-cli.org/

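An added example of the script plutocrat suggests (my code, not from the thread, VestaCP or the wp-cli project): it walks the VestaCP home layout, asks wp-cli for pending core and plugin updates as JSON, and builds a per-site report. Assumptions: `wp` is on PATH, sites live at /home/<user>/web/<domain>/public_html (the standard VestaCP layout), wp-cli is run as the site's own unix user via sudo, and the script runs from cron so its output is mailed to MAILTO. The JSON samples are constructed.

```python
"""Report outdated WordPress cores and plugins across a VestaCP server with wp-cli.

Added example, not code from the thread, VestaCP or wp-cli. Assumes `wp`
on PATH, the VestaCP layout /home/<user>/web/<domain>/public_html, and
sudo rights to run wp-cli as each site's unix user. Samples are constructed.
"""
import glob
import json
import os
import subprocess

WP_BIN = "wp"  # assumed on PATH


def find_sites(home="/home"):
    """Return every public_html directory under `home` that contains a wp-config.php."""
    pattern = os.path.join(home, "*", "web", "*", "public_html", "wp-config.php")
    return sorted(os.path.dirname(p) for p in glob.glob(pattern))


def site_owner(site):
    """Unix user owning a site, taken from the /home/<user>/... path component."""
    return site.split(os.sep)[2]


def wp_output(site, *args):
    """Run a wp-cli command as the site owner and return its stdout (never raises)."""
    cmd = ["sudo", "-u", site_owner(site), WP_BIN, "--path=" + site, *args, "--format=json"]
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def parse_core_updates(text):
    """Decode `wp core check-update --format=json`; a plain success message means none."""
    try:
        data = json.loads(text)
    except ValueError:  # e.g. "Success: WordPress is at the latest version."
        return []
    return data if isinstance(data, list) else []


def parse_plugin_list(text):
    """From `wp plugin list --fields=name,version,update,update_version --format=json`
    keep only plugins with an available update, as (name, current, new) tuples."""
    return [(p["name"], p["version"], p.get("update_version") or "?")
            for p in json.loads(text) if p.get("update") == "available"]


def build_report(site, core_updates, plugins):
    """Human-readable report for one site, or None when everything is current."""
    lines = [f"Site: {site}"]
    for u in core_updates:
        lines.append(f"  core update available: {u.get('version', '?')} ({u.get('update_type', '?')})")
    for name, cur, new in plugins:
        lines.append(f"  plugin {name}: {cur} -> {new}")
    return "\n".join(lines) if len(lines) > 1 else None


def check_site(site):
    core = parse_core_updates(wp_output(site, "core", "check-update"))
    plugins = parse_plugin_list(wp_output(
        site, "plugin", "list", "--fields=name,version,update,update_version") or "[]")
    return build_report(site, core, plugins)


# Constructed samples in the shape wp-cli emits (hypothetical plugin names and versions).
SAMPLE_CORE = '[{"version": "9.9.9", "update_type": "minor", "package_url": "https://example.invalid/wp.zip"}]'
SAMPLE_PLUGINS = """[
  {"name": "example-gallery", "version": "1.4.2", "update": "available", "update_version": "1.5.0"},
  {"name": "example-cache",   "version": "3.1.0", "update": "none",      "update_version": null},
  {"name": "example-forms",   "version": "2.0.1", "update": "available", "update_version": "2.3.0"}
]"""

if __name__ == "__main__":
    sites = find_sites()
    if not sites:  # no VestaCP sites here: show the report format on the samples
        print(build_report("/home/web1/web/site.example/public_html",
                           parse_core_updates(SAMPLE_CORE), parse_plugin_list(SAMPLE_PLUGINS)))
    for site in sites:
        report = check_site(site)
        if report:
            print(report, end="\n\n")
```

Schedule it weekly from root's crontab with a MAILTO set; cron mails whatever the script prints, so a silent run means every site was current. Adding `plugin update --all` to the same loop is the intrusive option plutocrat mentions and is best left to a separate, opt-in script.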
Spheerys
Posts: 225
Joined: Tue Dec 29, 2015 12:36 pm

Os: Debian 7x
Web: apache + nginx
Re: Hacked websites and VestaCP

Post by Spheerys » Thu Nov 09, 2017 5:10 pm

Thanks! I didn't know about wp-cli.
I will try it :)
