We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
Hacked websites and VestaCP
Hi,
On one server which runs VestaCP, I'm hosting several customers' websites.
For a while now, I have found malware hidden inside php files.
This malware/these scripts are probably sending spam, or worse, are used for phishing.
On the apache logs, I have this kind of requests:
Code:
45.40.167.2 - - [20/Oct/2017:21:01:07 +0200] "POST /wp-includes/js/thickbox/fvbnbyts.php HTTP/1.0" 404 48933 "http://website.fr/wp-includes/js/thickbox/fvbnbyts.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2)
195.231.225.143 - - [20/Oct/2017:21:29:04 +0200] "GET /happen.php?utm_source=opoewi71hlys&utm_medium=rye6e454w7s8&utm_campaign=afra9cds3t1m&utm_term=7nlvpgn927tv&utm_content=42t8l06rpfjnhh HTTP/1.0" 200 246 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
195.231.225.143 - - [20/Oct/2017:21:32:26 +0200] "GET /happen.php?utm_source=nlc44iytsyb1&utm_medium=kbenxi0kvvyq&utm_campaign=ieo6sy78kmrm&utm_term=5blw2idxph57&utm_content=q0mdk59b8yjcws HTTP/1.0" 200 246 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
195.231.225.143 - - [20/Oct/2017:21:32:27 +0200] "GET /happen.php?utm_source=nlc44iytsyb1&utm_medium=kbenxi0kvvyq&utm_campaign=ieo6sy78kmrm&utm_term=5blw2idxph57&utm_content=q0mdk59b8yjcws HTTP/1.0" 200 246 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
As an example, inside the happen.php file, there is encrypted code (it's not a trap, it's just a pastebin of the content of the file): https://pb.spheerys.fr/?b2744134ad3bc1b ... nLOM8r6YM=
The malware can take several forms: it can inject an encrypted piece of code inside a useful php file, such as wp-config.php (for a WordPress website).
It can also rename a real index.html file to index.html.bak.bak, AND create an index.php file which runs malicious encrypted code AND loads my original code from index.html.bak.bak.
I don't know if the malware is the same or if there are several ones.
Worse: I have found malicious php files inside the public_html directory of another website which only contains html files (flat website)!
At first glance, this kind of "pollution" is closed to a user (but I have to investigate more).
For now, I'm looking for the attack vector, but it's not an easy job (probably from a WordPress or Joomla website ^^)!
I'm generally cleaning malicious php code when I find it: I have found some characteristic patterns to find some, but probably not all!
So I have a few questions:
- Am I the only one to have this kind of problem?
- Do you have any idea how to find the attack vector?
- How can I detect new attacks efficiently, if possible in real time?
- Do you know how to definitively protect my server from those attacks?
- Do you think the whole server could be compromised, only the original hacked website, or all websites from a user?
- With my old panel system (imscp-omega), each website was owned by a unique unix user, so I never got "pollution" and I could easily find the "hacked website". But VestaCP is using the Users differently, and a user can own several websites on the same account: is there a way to improve the security and contain a CMS security hole more efficiently?
Thanks a lot for your help.
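An added example (not code from the thread) that turns the three symptoms described in this post into a read-only sweep: the renamed original next to a new index.php loader, PHP files in a site that is pure HTML, and PHP files changed recently. It assumes the VestaCP layout /home/<user>/web/<domain>/public_html (ROOTS can point elsewhere) and treats "flat site" as a heuristic: index.html at the root and no WordPress or Joomla config file.

```shell
# Added example, not code from the thread. Reports the three symptoms the
# post describes under the VestaCP layout /home/<user>/web/<domain>/public_html
# (assumed; set ROOTS to scan another tree). It only lists files; it deletes nothing.
ROOTS="${ROOTS:-/home/*/web/*/public_html}"
HOURS="${HOURS:-24}"   # window for the "recently modified PHP" check

# 1. The loader pattern: a *.bak.bak (renamed original) next to an index.php.
find_loader_pairs() {
  for root in $ROOTS; do
    [ -d "$root" ] || continue
    find "$root" -type f -name '*.bak.bak' | while read -r bak; do
      dir=$(dirname "$bak")
      if [ -f "$dir/index.php" ]; then printf 'loader-pair %s\n' "$dir"; fi
    done
  done
  return 0
}

# 2. PHP in a flat site: the root has index.html and neither a WordPress nor a
#    Joomla config, so any .php file under it is unexpected (heuristic).
find_php_in_flat_sites() {
  for root in $ROOTS; do
    [ -f "$root/index.html" ] || continue
    if [ -f "$root/wp-config.php" ] || [ -f "$root/configuration.php" ]; then
      continue
    fi
    find "$root" -type f -name '*.php' | sed 's/^/flat-site-php /'
  done
  return 0
}

# 3. Any PHP file changed within the last HOURS hours (new or re-injected code).
find_recent_php() {
  for root in $ROOTS; do
    [ -d "$root" ] || continue
    find "$root" -type f -name '*.php' -mmin "-$((HOURS * 60))" | sed 's/^/recent-php /'
  done
  return 0
}

scan_all() {
  find_loader_pairs
  find_php_in_flat_sites
  find_recent_php
}

# "sh scan.sh run" from a daily cron job; pipe the output to mail when non-empty.
case "${1:-}" in run) scan_all ;; esac
```

The recent-PHP check is noisy right after a legitimate CMS update, so compare its output against the previous day's rather than reading it cold.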
Re: Hacked websites and VestaCP
I think you have security issues in your WordPress:
/wp-includes/js/thickbox/fvbnbyts.php
These are common files in hacked sites, maybe bugs in plugins or themes.
Re: Hacked websites and VestaCP
Yes, of course this file is the visible part of the iceberg.
It's not "my" website (but a customer's) but I can easily delete it.
The point is it will be recreated elsewhere later, with another random name.
And I didn't find the way to find which extension is corrupted...
Not sure at all that in this case the thickbox extension is corrupted...
Re: Hacked websites and VestaCP
Well I moved a few sites from a cPanel server to my VestaCP server because of malware.
It hasn't gotten better by moving to VestaCP and also not worse.
What has become easier is removing it. I just run a maldet scan, look at the report and fix it.
I have come to find that most is because of old plugins not updated. Remove old plugins and install Wordfence and also GOTMLS.
Wordfence I use to protect and get reports. GOTMLS to remove it if I use WordPress.
But the most important thing is to update your WordPress and plugins. Any plugin that doesn't get regular updates, you should find an alternative one to use! Or code that function yourself.
Re: Hacked websites and VestaCP
Sad to hear about your problem, it has happened to all of us many a time. It is important to understand how exactly the malicious code spread across the other sites. One biggest possible reason that has been discussed a lot is NOT TO HOST any website (especially WordPress) under the VestaCP user Admin, because it has elevated privileges.
Second, rule of thumb, do NOT host more than 2-3 sites inside one Vesta user. I know Vesta now has basedir protection for each website, yet "permissions" on a Linux system depend on the user. It is better to keep userland different and separate for websites, probably a one user - one website approach if your WP sites seem vulnerable.
Secondly, WP sites can have a lot of vulnerabilities in the installed plugins and themes, more if using nulled pkgs. But still I have seen a lot of popular themes on Themeforest having vulnerable content and injectable JS libraries used that can be used to hack WP sites. Tracing the exact source is big work and a process in itself.
Re: Hacked websites and VestaCP
BaDTaG wrote:
Well I moved a few sites from a cPanel server to my VestaCP server because of malware.
It hasn't gotten better by moving to VestaCP and also not worse.
What has become easier is removing it. I just run a maldet scan, look at the report and fix it.
I have come to find that most is because of old plugins not updated. Remove old plugins and install Wordfence and also GOTMLS.
Wordfence I use to protect and get reports. GOTMLS to remove it if I use WordPress.
Thanks for the advice :)

BaDTaG wrote:
But the most important thing is to update your WordPress and plugins. Any plugin that doesn't get regular updates, you should find an alternative one to use! Or code that function yourself.
The point is I'm not the owner of those websites, so I can only suspend them until the owner acts correctly...

mehargags wrote:
Sad to hear about your problem, it has happened to all of us many a time. It is important to understand how exactly the malicious code spread across the other sites. One biggest possible reason that has been discussed a lot is NOT TO HOST any website (especially WordPress) under the VestaCP user Admin, because it has elevated privileges.
I don't use the admin account to host websites :)

mehargags wrote:
Second, rule of thumb, do NOT host more than 2-3 sites inside one Vesta user. I know Vesta now has basedir protection for each website, yet "permissions" on a Linux system depend on the user. It is better to keep userland different and separate for websites, probably a one user - one website approach if your WP sites seem vulnerable.
That was my personal conclusion, and I'm happy to see that I'm not the only one to have had it ^^

mehargags wrote:
Secondly, WP sites can have a lot of vulnerabilities in the installed plugins and themes, more if using nulled pkgs. But still I have seen a lot of popular themes on Themeforest having vulnerable content and injectable JS libraries used that can be used to hack WP sites. Tracing the exact source is big work and a process in itself.
Same conclusion...

I just discovered maldet and did a big cleaning, followed by a daily scan.
I hope this will keep my server clean, but I have to continue looking for the real hacked website to "definitively" stop the "pollution".
Re: Hacked websites and VestaCP
Spheerys wrote:
I just discovered maldet and did a big cleaning, followed by a daily scan.
I hope this will keep my server clean, but I have to continue looking for the real hacked website to "definitively" stop the "pollution".
Yes, with Maldet you are cleaning the problems, not the source or cause. If your WP sites continue to be vulnerable, the attacks will keep on increasing, to an extent that your server will go down before you can detect and run maldet and clean them. I hope you also know Maldet puts severe load on your CPU/RAM and can cause problems in peak times when your sites are having simultaneous visitors. It is like mopping the floor and walking on it at the same time... I hope you get the idea :)
Also, I have had WordPress hacks and infected files that were not detected by Maldet to be malicious, while they were actually the source of the problem.
Tip:
Watch your EXIM log and keep watch on "exim -bpc" to see what your mail queue count is. Usually too many mails in the queue are an indicator of compromised sites. You can then check through the mail queue which user is originating SPAM and pin down the specific website under him.
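An added example (not code from the thread) that makes the tip above a cron check: it warns when the queue reported by exim -bpc exceeds a threshold and ranks local submissions per Unix user from the Exim main log, which is what points at the VestaCP user and therefore the site under it. It assumes Exim's default log format, where "<=" lines for locally submitted mail carry U=<unix user> and P=local, and Debian's default log path; the sample log lines are constructed.

```shell
# Added example, not code from the thread: warns when the Exim queue exceeds
# MAX_QUEUE and ranks local submissions per Unix user from the Exim main log,
# so the VestaCP user (and site) originating spam stands out. Assumes Exim's
# default log format ("<=" lines for local mail carry U=<user> P=local) and
# Debian's log path; set EXIM_LOG on other distributions.
MAX_QUEUE="${MAX_QUEUE:-200}"
EXIM_LOG="${EXIM_LOG:-/var/log/exim4/mainlog}"

# Queue depth: exim -bpc prints one integer (0 if exim is unavailable here).
queue_count() {
  exim -bpc 2>/dev/null || echo 0
}

# "<user> <count>" per local submitting user, busiest first. Reads the file
# given as $1 (use "-" for stdin), or EXIM_LOG by default.
senders_by_user() {
  grep ' <= ' "${1:-$EXIM_LOG}" | grep -o ' U=[^ ]*' | sed 's/^ U=//' \
    | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# The single busiest local sender.
top_sender() {
  senders_by_user "$@" | head -n 1 | cut -d' ' -f1
}

# Constructed log lines (not from a real server) to try the parser offline:
# three PHP-originated messages from user1, one from www-data, one inbound.
sample_log() {
  cat <<'EOF'
2017-10-20 21:01:07 1e5aaa-0001xy-Aa <= www-data@srv.example U=www-data P=local S=1234
2017-10-20 21:01:09 1e5aab-0001xy-Ab <= user1@srv.example U=user1 P=local S=5120
2017-10-20 21:01:10 1e5aac-0001xy-Ac <= user1@srv.example U=user1 P=local S=5124
2017-10-20 21:01:12 1e5aad-0001xy-Ad <= user1@srv.example U=user1 P=local S=5130
2017-10-20 21:02:00 1e5aab-0001xy-Ab => bob@example.net R=dnslookup T=remote_smtp
2017-10-20 21:03:00 1e5aae-0001xy-Ae <= sender@example.org H=mx.example.org [203.0.113.5] P=esmtp S=2048
EOF
}

# Cron entry point: "sh mailq-watch.sh check"; "demo" runs on the sample lines.
check() {
  n=$(queue_count)
  if [ "$n" -gt "$MAX_QUEUE" ]; then
    echo "WARNING: $n messages queued (limit $MAX_QUEUE); top local sender: $(top_sender)"
    senders_by_user | head -n 5
  fi
}
case "${1:-}" in check) check ;; demo) sample_log | senders_by_user - ;; esac
```

Once the user is known, the site is the one whose PHP runs under that VestaCP user; on a one-user-per-site layout that is a single directory.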
Re: Hacked websites and VestaCP
mehargags wrote:
It is like mopping the floor and walking on it at the same time... I hope you get the idea :)
I understand :D

mehargags wrote:
Watch your EXIM log and keep watch on "exim -bpc" to see what your mail queue count is. Usually too many mails in the queue are an indicator of compromised sites. You can then check through the mail queue which user is originating SPAM and pin down the specific website under him.
Yes I know this :)
Re: Hacked websites and VestaCP
As a service to your customers, you might consider writing a script to get wp-cli to check for un-updated plugins and wp installations. It could send out an automated email if it found many updates.
It could even perform the upgrades if you wanted, but that might be a bit intrusive.
http://wp-cli.org/
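An added example (not code from the thread or from wp-cli) of the script suggested above: it finds each WordPress install under the VestaCP web roots by its wp-config.php, asks wp-cli for pending core and plugin updates, and mails a summary only when something is outdated. It assumes wp-cli is installed as wp, the VestaCP layout /home/<user>/web/<domain>/public_html, and GNU stat; the CSV samples in the comments are constructed.

```shell
# Added example, not code from the thread or wp-cli. Finds every WordPress
# install under the VestaCP web roots (assumed /home/<user>/web/<domain>/public_html)
# by its wp-config.php, asks wp-cli for pending updates, and mails a summary only
# when something is outdated. Run as root from cron; wp runs as each site's owner
# (via su) so it never leaves root-owned files in a customer's directory.
ROOTS="${ROOTS:-/home/*/web/*/public_html}"
MAILTO="${MAILTO:-root}"

# One line per WordPress install directory.
find_wp_installs() {
  for root in $ROOTS; do
    if [ -f "$root/wp-config.php" ]; then printf '%s\n' "$root"; fi
  done
  return 0
}

# wp-cli CSV ("version" or "name,update_version", header row first) to
# "core <version>" / "plugin <name> <version>" lines; an up-to-date site yields nothing.
format_core_csv()   { tail -n +2 | sed 's/^/core /'; }
format_plugin_csv() { tail -n +2 | tr ',' ' ' | sed 's/^/plugin /'; }

# Run a wp-cli command inside $1 as the owner of its wp-config.php.
wp_as_owner() {
  dir=$1; shift
  su -s /bin/sh -c "cd '$dir' && wp $*" "$(stat -c %U "$dir/wp-config.php")"
}

# Pending updates for one install; empty output means nothing to do.
pending_updates() {
  wp_as_owner "$1" core check-update --fields=version --format=csv | format_core_csv
  wp_as_owner "$1" plugin list --update=available --fields=name,update_version --format=csv | format_plugin_csv
}

# One block per outdated install: the directory, then its pending updates.
report() {
  find_wp_installs | while read -r dir; do
    updates=$(pending_updates "$dir")
    if [ -n "$updates" ]; then printf '%s\n%s\n\n' "$dir" "$updates"; fi
  done
  return 0
}

# "sh wp-updates.sh run" from cron: mail the report only when it is non-empty.
case "${1:-}" in
  run) body=$(report)
       if [ -n "$body" ]; then printf '%s\n' "$body" | mail -s "WP updates pending on $(hostname)" "$MAILTO"; fi ;;
esac
```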
Re: Hacked websites and VestaCP
Thanks! I didn't know wp-cli.
I will try it :)