Hacked websites and VestaCP
Posted: Fri Oct 20, 2017 9:01 pm
Hi,
On one server which runs VestaCP, I'm hosting several customers' websites.
For a while now, I have been finding malware hidden inside PHP files.
This malware/these scripts are probably sending spam or, worse, are used for phishing.
In the Apache logs, I have this kind of request:
Code:
45.40.167.2 - - [20/Oct/2017:21:01:07 +0200] "POST /wp-includes/js/thickbox/fvbnbyts.php HTTP/1.0" 404 48933 "http://website.fr/wp-includes/js/thickbox/fvbnbyts.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2)
195.231.225.143 - - [20/Oct/2017:21:29:04 +0200] "GET /happen.php?utm_source=opoewi71hlys&utm_medium=rye6e454w7s8&utm_campaign=afra9cds3t1m&utm_term=7nlvpgn927tv&utm_content=42t8l06rpfjnhh HTTP/1.0" 200 246 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
195.231.225.143 - - [20/Oct/2017:21:32:26 +0200] "GET /happen.php?utm_source=nlc44iytsyb1&utm_medium=kbenxi0kvvyq&utm_campaign=ieo6sy78kmrm&utm_term=5blw2idxph57&utm_content=q0mdk59b8yjcws HTTP/1.0" 200 246 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
195.231.225.143 - - [20/Oct/2017:21:32:27 +0200] "GET /happen.php?utm_source=nlc44iytsyb1&utm_medium=kbenxi0kvvyq&utm_campaign=ieo6sy78kmrm&utm_term=5blw2idxph57&utm_content=q0mdk59b8yjcws HTTP/1.0" 200 246 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
As an example, inside the happen.php file there is encrypted code (it's not a trap, it's just a pastebin of the content of the file): https://pb.spheerys.fr/?b2744134ad3bc1b ... nLOM8r6YM=
The malware can take several forms: it can inject encrypted pieces of code inside useful PHP files, such as wp-config.php (for a WordPress website).
It can also rename a real index.html file to index.html.bak.bak, AND create an index.php file which runs malicious encrypted code AND loads my original code from index.html.bak.bak.
I don't know if the malware is the same or if there are several ones.
Worse: I have found malicious PHP files inside the public_html directory of another website which only contains HTML files (flat website)!
At first glance, this kind of "pollution" is limited to a single user (but I have to investigate more).
For now, I'm looking for the attack vector, but it's not an easy job (probably from a WordPress or Joomla website ^^)!
I generally clean malicious PHP code when I find it: I have found some characteristic patterns to find some of it, but probably not all!
So I have a few questions:
- Am I the only one to have this kind of problem?
- Do you have any idea how to find the attack vector?
- How can I efficiently detect new attacks, in real time if possible?
- Do you know how to definitively protect my server from those attacks?
- Do you think the whole server could be compromised, only the originally hacked website, or all websites from a user?
- With my old panel system (imscp-omega), each website was owned by a unique unix user, so I never got "pollution" and I could easily find the "hacked website". But VestaCP uses the Users differently: one user can own several websites on the same account. Is there a way to improve the security and contain a CMS security hole more efficiently?
Thanks a lot for your help.
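A triage script, added here as an example and not part of the original post or of VestaCP, that checks a site's public_html for the two file-level symptoms described above (an index.php loader dropped beside a renamed index.html, and obfuscated eval/decode chains inside PHP files such as wp-config.php) and flags the two request shapes from the log excerpt (POST to a PHP file under wp-includes/js, and a top-level PHP script answering 200 to utm_* tracking parameters). The sample files, the log lines and the obfuscation pattern list are constructed assumptions for a self-contained run, not a complete signature set.

```python
import os, re, tempfile
# Obfuscation idioms typical of injected PHP droppers (constructed list, not exhaustive)
OBFUSCATED = re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
# Apache combined log: client, method, request target, status (enough for triage)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')
def scan_webroot(root):
    """Return sorted (path, reason) findings for one public_html tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # loader pattern from the post: index.html pushed aside, index.php dropped beside it
        if "index.php" in files and any(n.startswith("index.html.bak") for n in files):
            findings.append((os.path.join(dirpath, "index.php"), "index.php loader beside index.html.bak*"))
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".php"):
                with open(path, "rb") as fh:
                    if OBFUSCATED.search(fh.read()):
                        findings.append((path, "obfuscated eval/decode chain"))
    return sorted(findings)
def suspicious_requests(log_lines):
    """Flag POSTs to php under wp-includes/js and top-level php answering 200 to utm_* queries."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m: continue
        client, method, target, status = m.groups()
        path, _, query = target.partition("?")
        if method == "POST" and "/wp-includes/js/" in path and path.endswith(".php"):
            hits.append((client, path, "POST to php under wp-includes/js"))
        elif path.count("/") == 1 and path.endswith(".php") and status == "200" and "utm_" in query:
            hits.append((client, path, "top-level php served with utm_* query"))
    return hits
def demo():
    """Build a constructed sample tree and log reproducing the symptoms, then scan both."""
    root = tempfile.mkdtemp()
    samples = {  # constructed files; the decoded payload here is just 'hello'
        "index.html.bak.bak": "<html>original site</html>",
        "index.php": "<?php eval(base64_decode('aGVsbG8=')); include 'index.html.bak.bak';",
        "wp-config.php": "<?php eval(gzinflate(base64_decode('xyz'))); define('DB_NAME', 'wp');",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    log = [  # constructed lines modelled on the post's excerpt
        '45.40.167.2 - - [20/Oct/2017:21:01:07 +0200] "POST /wp-includes/js/thickbox/fvbnbyts.php HTTP/1.0" 404 48933 "-" "Mozilla/5.0"',
        '195.231.225.143 - - [20/Oct/2017:21:29:04 +0200] "GET /happen.php?utm_source=a&utm_medium=b HTTP/1.0" 200 246 "-" "Mozilla/4.0"',
        '10.0.0.1 - - [20/Oct/2017:21:30:00 +0200] "GET /index.php HTTP/1.0" 200 5120 "-" "Mozilla/5.0"',
    ]
    return [r for _, r in scan_webroot(root)], [r for _, _, r in suspicious_requests(log)]
```

Run scan_webroot against each account's public_html and suspicious_requests against the domain's access log; hits are leads for manual review, not proof of compromise on their own.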