Compromised Wordpress Installation ?

yokowasis Member
edited January 2019 in Help

I have a WordPress blog. It's not even a popular blog. It's just some sort of KB for my clients. There is nothing fancy about it.

I got an abuse report from my hosting provider. Now, is there a way to find which file is compromised? Because when I skim through the file manager I don't find any weird files. It's just like I said, a simple site with simple content. There is no fancy plugin, not even an SEO plugin.

Also I have a few other WordPress installations with no plugins installed, using my custom in-house theme created from scratch. Yet sometimes a few strange files pop up in the file manager; they are encoded, so it is definitely a virus of some kind. How does it even get in, in the first place? In this case, I just delete all files and git pull from the repository, and I do it on a daily basis using a cronjob.

Thanks for any insight

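The nightly wipe-and-git-pull routine described in the post destroys the one thing that would answer "how did it get in": the injected file itself. As an added example that is not part of the thread, the POSIX shell script below records a sha256 manifest of a known-good WordPress tree, diffs the live docroot against it so that an added or altered file is listed before anything is reset, and then greps the PHP files that changed for constructs typical of web shells and injected redirects. The docroot path, the manifest location and the sample tree mentioned in the usage are assumptions; the script needs only find, awk and sha256sum (or shasum), so it can run from a cPanel cron job without root.

```shell
#!/bin/sh
# Added example: record a sha256 manifest of a known-good WordPress tree, then
# diff the live docroot against it and grep the PHP files that were added or
# changed for constructs typical of web shells and injected redirects.
# Docroot, manifest paths and the sample tree in the usage are assumptions.
# Needs only find, awk and sha256sum (shasum on BSD/macOS): fine for a cPanel cron.

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Manifest of every regular file under $1 as "<sha256>  ./relative/path".
# Uploads and cache are skipped because they change legitimately; scan them separately.
make_manifest() {
    ( cd "$1" || exit 1
      find . -type f ! -path './wp-content/uploads/*' ! -path './wp-content/cache/*' \
        | LC_ALL=C sort | while IFS= read -r f; do hash_file "$f"; done )
}

# Compare baseline manifest $1 with live manifest $2; print "ADDED|MODIFIED|REMOVED path".
compare_manifests() {
    awk 'NR == FNR { base[$2] = $1; next }
         { live[$2] = $1
           if (!($2 in base))        print "ADDED", $2
           else if (base[$2] != $1)  print "MODIFIED", $2 }
         END { for (p in base) if (!(p in live)) print "REMOVED", p }' "$1" "$2" | LC_ALL=C sort
}

# Read "STATUS path" lines on stdin; for added/modified .php files under docroot $1,
# print the path if it contains a construct common in injected code. A hit is a lead
# for manual review (some plugins legitimately use these), not proof of malware.
suspicious_php() {
    while read -r status path; do
        if [ "$status" = REMOVED ]; then continue; fi
        case "$path" in *.php) ;; *) continue ;; esac
        if grep -qE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|\$_(GET|POST|REQUEST|COOKIE)\[|header\(.Location' "$1/$path"; then
            printf '%s\n' "$path"
        fi
    done
    return 0
}

# Usage: wp-integrity.sh <docroot> <baseline-manifest>
# First, right after a clean deploy:  make_manifest /home/user/public_html > ~/wp-baseline.txt
# Then from cron, instead of a blind reset, so the evidence is kept:
if [ "$#" -eq 2 ]; then
    live=$(mktemp)
    changes=$(mktemp)
    make_manifest "$1" > "$live"
    compare_manifests "$2" "$live" > "$changes"
    cat "$changes"
    echo "--- added/modified PHP files with suspicious constructs:"
    suspicious_php "$1" < "$changes"
    rm -f "$live" "$changes"
fi
```

Keep the baseline manifest outside the docroot (anything under public_html is writable by the same compromised PHP process that dropped the backdoor), regenerate it after every legitimate deploy, and copy the reported files somewhere safe before resetting the tree. For core files alone, wp-cli's `wp core verify-checksums` does the same comparison against the wordpress.org checksums; this script covers the theme and plugin directories too, which is where the thread's infections actually lived.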
Comments

  • HostYD Member, Host Rep

    First try this: sitecheck.sucuri.net, and then install this plugin, wordpress.org/plugins/wordfence/, to scan all your files.

  • Your provider should be able to provide you with a scan report surely? Most popular solutions like ClamAV and CXS have the facility to do so, that being said third party solutions like Sucuri can also be helpful.

  • @austenite said:
    Your provider should be able to provide you with a scan report surely? Most popular solutions like ClamAV and CXS have the facility to do so, that being said third party solutions like Sucuri can also be helpful.

    Well, when I ask them, they can't provide any insight. They insist you are on your own. They moved my website's folder into a different folder so it won't be publicly available.

    Download your site and host it locally, then do the things they say above. Then re-upload your WP. I bet the backdoor entry point is one of the vulnerable plugins.

  • Akito Member
    edited January 2019

    This works on Debian / Ubuntu.
    You'd have to figure out the CentOS syntax of it. Probably you'll need to adjust /var/log/ to /var/log/audit.

    grep "Accepted password" /var/log/auth.log
    This will show you from which IPs a login attempt was successful, and here you'll check if there's an IP that wasn't you, or a login at a time it wasn't you.

    grep "session opened for user root" /var/log/auth.log
    This will show you if a user that was logged in has gained root access.

    Probably for the best anyway: change your passwords.

    -edit- I'm assuming here you're running your own WP blog on your own managed VPS or something, not a managed / hosted WP blog.

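As an added illustration of the two checks in the post above (example code, not from the post), this POSIX shell snippet runs the same greps over a constructed auth.log sample, but parses out the user and source address of each successful password login and filters against a list of addresses you know are yours, so an unfamiliar source stands out instead of being lost in your own logins. The KNOWN_IPS values and the sample lines are assumptions. It only applies where you administer the server and can read auth.log; on shared hosting you normally cannot.

```shell
#!/bin/sh
# Added example: triage sshd entries in auth.log. It parses successful
# password logins and flags any whose source address is not on an allow-list,
# and lists every session that was opened for root. Only useful on a server
# you administer yourself; on shared hosting you cannot read this log.

# Addresses you log in from (assumed values; replace with your own).
KNOWN_IPS="203.0.113.10 203.0.113.11"

# Constructed sample of auth.log lines for the demo, not from a real host.
SAMPLE_LOG='Jan 14 03:10:02 web1 sshd[2101]: Accepted password for deploy from 203.0.113.10 port 51022 ssh2
Jan 14 03:11:40 web1 sshd[2140]: Failed password for root from 198.51.100.7 port 40011 ssh2
Jan 14 03:12:45 web1 sshd[2142]: Accepted password for root from 198.51.100.7 port 40012 ssh2
Jan 14 03:12:45 web1 sshd[2142]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 14 03:20:15 web1 sudo: pam_unix(sudo:session): session opened for user root by deploy(uid=1000)'

# Read log text on stdin; print "timestamp user ip" for each successful
# password login from an address that is not in KNOWN_IPS.
unknown_password_logins() {
    awk -v known="$KNOWN_IPS" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /sshd\[[0-9]+\]: Accepted password for / {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            if (!(ip in ok)) print $1, $2, $3, user, ip
        }'
}

# Read log text on stdin; print "timestamp process by-whom" for every session
# opened for root, whether via sshd (direct root login) or via sudo.
root_sessions() {
    awk '/session opened for user root/ { print $1, $2, $3, $5, $NF }'
}

# Demo on the constructed sample. Against the real log:
#   unknown_password_logins < /var/log/auth.log
#   root_sessions < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | unknown_password_logins
printf '%s\n' "$SAMPLE_LOG" | root_sessions
```

Two caveats a practitioner would add: "Accepted password" only covers password authentication, so also look for "Accepted publickey" if keys are in use; and once an attacker has root, auth.log itself can have been edited, so treat an empty result as weak evidence and cross-check with the hosting panel's login history or remote syslog if you have it.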
  • Well when I ask them, they cant provide any insight. They insist, you are on your own. They move my websites folder into a different folder so it won't be publicly available.

    Understood it's something you need to fix, but for them to claim there's malware then refuse to back that up with a scan report seems a bit unfair.

    I've seen a lot of this going around recently - https://medium.com/@rakshitshah/wordpress-wp-vcd-malware-attack-e7394801895d

    Without a scan report it's pretty much a stab in the dark, though!

  • @Akito said:
    This works on Debian / Ubuntu.
    You'd have to figure out the CentOS syntax of it. Probably you'll need to adjust /var/log/ to /var/log/audit.

    grep "Accepted password" /var/log/auth.log
    This will show you from which IPs a login attempt was successful, and here you'll check if there's an IP that wasn't you, or a login at a time it wasn't you.

    grep "session opened for user root" /var/log/auth.log
    This will show you if a user that was logged in has gained root access.

    Probably for the best anyway: change your passwords.

    -edit- I'm assuming here you're running your own WP blog on your own managed VPS or something, not a managed / hosted WP blog.

    I am using shared hosting. It's cPanel.

  • @austenite said:

    Well when I ask them, they cant provide any insight. They insist, you are on your own. They move my websites folder into a different folder so it won't be publicly available.

    Understood it's something you need to fix, but for them to claim there's malware then refuse to back that up with a scan report seems a bit unfair.

    I've seen a lot of this going around recently - https://medium.com/@rakshitshah/wordpress-wp-vcd-malware-attack-e7394801895d

    Without a scan report it's pretty much a stab in the dark, though!

    The site talks about WordPress 4.8 and nulled plugins / themes.

    I have WordPress 5.X, and the theme and plugins are installed from the WordPress repository. Also wp-vcd is nowhere to be found. I am going to check with Wordfence and Sucuri.

    Thanks anyway.

  • Ah, sorry it wasn't any help.

    Best of luck getting to the bottom of it!

  • Thanks All for the help. Upon scanning there are 2 problems. It's something called leafmail and one of the plugins is removed from the wordpress repo. So, I deleted those files. Let's hope I don't get into more trouble.

  • deank Member, Troll

    WP itself is secure. It's almost always either (bad or outdated) plugins or (bad or outdated) themes from what I've seen.

  • iHavenoName Member
    edited January 2019

    Wordfence is the minimum you should use. It can scan for infection and block most injections. I use CleanTalk with it to filter out more crap.

  • yokowasis said: Thanks All for the help. Upon scanning there are 2 problems. It's something called leafmail and one of the plugins is removed from the wordpress repo. So, I deleted those files. Let's hope I don't get into more trouble.

    I called it first didn't I.

  • yokowasis Member
    edited January 2019

    @ZiriusPH said:

    yokowasis said: Thanks All for the help. Upon scanning there are 2 problems. It's something called leafmail and one of the plugins is removed from the wordpress repo. So, I deleted those files. Let's hope I don't get into more trouble.

    I called it first didn't I.

    Yes, you did. I never expected a plugin to get removed from the WordPress repo. I always assumed that when something in the WP repo got compromised, the developer would update it, and all I need to do is update the plugin.

    Is there a way to auto-update WordPress, plugins, and themes without me logging into wp-admin?

    Because I have a lot of WordPress installations.

  • @yokowasis said:

    @ZiriusPH said:

    yokowasis said: Thanks All for the help. Upon scanning there are 2 problems. It's something called leafmail and one of the plugins is removed from the wordpress repo. So, I deleted those files. Let's hope I don't get into more trouble.

    I called it first didn't I.

    Yes, you did. I never expected a plugin to get removed from the WordPress repo. I always assumed that when something in the WP repo got compromised, the developer would update it, and all I need to do is update the plugin.

    Is there a way to auto-update WordPress, plugins, and themes without me logging into wp-admin?

    Because I have a lot of WordPress installations.

    Worst idea EVER. It would take the load off of you, but then when something goes full-on fucktard because you just auto-updated, you may be screwed. I don't mean just roll back either; I mean the couple of hours doing updates turns into a couple of hours reloading the damned thing and re-tweaking it.

  • uxtvdl Member
    edited January 2019

    Even worse happened to me: my site got hacked, and functions.php and header.php had malicious code in them which was making my site redirect to someone else's site when the visitor was not logged into WordPress!

    So it took time for me to find this issue.

    Immediately I backed up my SQL DB and the media files, then I removed my theme, as header.php and functions.php are theme files, and then did a fresh install of a new theme, and the problem was gone!

  • WLIS Member, Host Rep

    Set some time apart to check your sites at least once a week, that is the responsible thing to do. An auto-update will probably cause just as many problems for you. Remove old plugins and themes if you're not using them. Maintenance is an important part of having a website.

  • yokowasis said: Is there a way to auto update wordpress, plugins, and themes without me logging into wp-admin ?

    Yes, if you have command line access you can use the wp-cli command line tool.

    https://github.com/wp-cli/wp-cli

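
Added example, not from the post above: a POSIX shell wrapper around wp-cli that updates several installations from one cron job and takes the thread's caveat seriously (an update can break a site) by exporting the database first and printing what is about to change; afterwards it verifies core and plugin files against the wordpress.org checksums, which also catches files an attacker has altered. The site paths and BACKUP_DIR are assumptions; every wp subcommand used (db export, plugin list, core update, core update-db, plugin update, theme update, core verify-checksums, plugin verify-checksums) is a standard wp-cli command.

```shell
#!/bin/sh
# Added example: update one or more WordPress installations from cron with
# wp-cli, taking a database dump first and verifying file checksums after.
# Site paths and BACKUP_DIR are assumptions; every wp subcommand below is a
# standard wp-cli command. Run as the account that owns the sites, not root.

BACKUP_DIR=${BACKUP_DIR:-$HOME/wp-backups}

# Update the installation at $1. Returns non-zero if the path is not a
# WordPress docroot or the database export fails (no export, no update).
update_site() {
    site=$1
    if [ ! -f "$site/wp-config.php" ]; then
        echo "skip: $site has no wp-config.php" >&2
        return 1
    fi
    mkdir -p "$BACKUP_DIR"
    dump="$BACKUP_DIR/$(basename "$site")-$(date +%Y%m%d-%H%M%S).sql"
    echo "== $site"
    # Roll-back point for the case the thread warns about: an update that breaks the site.
    wp --path="$site" db export "$dump" --quiet || { echo "db export failed, not updating $site" >&2; return 1; }
    # Record what is about to change so a later breakage can be tied to one update.
    wp --path="$site" plugin list --update=available --fields=name,version,update_version
    wp --path="$site" core update && wp --path="$site" core update-db
    wp --path="$site" plugin update --all
    wp --path="$site" theme update --all
    # Compare core and plugin files against the wordpress.org checksums. This also
    # flags files an attacker modified. A plugin for which no checksums can be
    # fetched (pulled from the directory, or installed from elsewhere) needs a
    # manual look rather than a shrug.
    wp --path="$site" core verify-checksums
    wp --path="$site" plugin verify-checksums --all
}

# Usage: wp-update.sh /home/user/public_html /home/user/kb ...
# Cron, weekly on Monday at 04:00 (assumed schedule), keeping the output:
#   0 4 * * 1 $HOME/bin/wp-update.sh /home/user/public_html >> $HOME/wp-update.log 2>&1
if [ "$#" -gt 0 ]; then
    status=0
    for site in "$@"; do
        update_site "$site" || status=1
    done
    exit $status
fi
```

The log this produces is what the weekly check-in recommended elsewhere in the thread should be reading: a plugin that keeps reporting an available update but never applies it, or one that cannot be checksum-verified, is exactly the "removed from the repo" case the OP ran into.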
  • @yokowasis said:

    Is there a way to auto update wordpress, plugins, and themes without me logging into wp-admin ?

    Because I have a lot of wordpress installation

    https://infinitewp.com/

  • Hello,

    Most of the time hackers use a vulnerability within a script to hack further and misuse the resources. I recommend scanning your WordPress hosting account with this PHP malware scanner script: https://github.com/scr34m/php-malware-scanner

  • Why not just backup your SQL and do a fresh install instead?

    Are you on heavy plugins or themes? Perhaps you are using some nulled/warez stuff where backdoors and ads are all over the place?

    My take on this:

    Your hosting provider is fucked up. Most probably the hacker has already gained root access so they are trying to mess up with your files (and probably your other neighbors) so some weird stuff appear on your file manager. At this point, there's nothing you can do. Find a new shared hosting offer and migrate... Just make sure it's not 02hosting or hostmyidea... :smiley:

  • Janevski Member
    edited January 2019

    Your system is compromised. Export the database, while you still can and do a fresh clean install from scratch. Pay attention to security, so this does not happen again.

  • All my plugins and themes are legit, from the WordPress repo. I can easily install it all over again. But that doesn't help me learn what I did wrong. Finding the real problem does.

    @sudoranger said:
    Why not just backup your SQL and do a fresh install instead?

    Are you on heavy plugins or themes? Perhaps you are using some nulled/warez stuff where backdoors and ads are all over the place?

    My take on this:

    Your hosting provider is fucked up. Most probably the hacker has already gained root access so they are trying to mess up with your files (and probably your other neighbors) so some weird stuff appear on your file manager. At this point, there's nothing you can do. Find a new shared hosting offer and migrate... Just make sure it's not 02hosting or hostmyidea... :smiley:

  • mfs Banned, Member

    yokowasis said: I can easily install all over it again. But that doesn't help me learn

    Your commitment in finding the "hole" in your configuration is commendable, but you know only half of the story: if I've understood it correctly this didn't happen on a server (whether virtual or not) administered directly by you. This means

    • that you've delegated a good amount of the required hardening tasks to your hosting provider (do they use a recent enough and patched enough PHP version? do they offer an up-to-date wordpress install? have they deployed some minimal WAF to thwart the most obnoxious attacks?)
    • that you're not in the best possible position to inspect logs
      The fact that you've noted that

    yokowasis said: few others wordpress installation with no plugin installed and using my custom inhouse theme created from scratch. Yet sometimes there are few strange files popup

    should ring some bells.

    Besides, the fact that a plugin is in the "WP repo" doesn't automatically mean it's sane.
    You already noted that

    yokowasis said: I never expected a plugin got removed from Wordpress Repo. I always assume when something in wp repo got compromised, the developer will update it, and all I need to do is update the plugin.

    Recently an agency here discovered that some portions of a site they curated ~one year before were misbehaving; they also found their WP credentials deleted. They redeployed it from scratch and discovered that a (purchased) theme (from a legit source and on a well known market) was interacting with an (official) plugin; both these elements "phoned home" to a server in Ukraine, asking for updates. They discovered this by chance, checking the connections performed by WP using one of the available plugins for this purpose. The Ukrainian "update server" randomly redirected the WP install to various payloads. The plugin wasn't set to update automatically, but still. They tried to contact the devs, but they had disappeared.
    First they blocked the suspicious connections within WP, then they edited the relevant PHP elements to fix this.

    WP is like Miley Cyrus: it's all fine and dandy and boom, she's on a wrecking ball, snorting ketamine and accepting bitcoins via Tor. You can never be sure.

  • eol Member

    @mfs said:
    WP is like Miley Cyrus: it's all fine and dandy and boom, she's on a wrecking ball, snorting ketamine and accepting bitcoins via Tor. You can never be sure.

    LOL.

  • @yokowasis said:
    All my plugin and themes are legit from WordPress repo. I can easily install all over it again. But that doesn't help me learn what I did wrong. Finding a real problem is.

    I don't think the backdoor or security hole is from your website if I read your story correctly. Since this is a shared hosting, like I said most probably the hacker gained the root access from an exploit through your other neighbors.

    Are you on CloudLinux or some jailed environment? If so, there's nothing more to investigate. Just migrate and don't waste your time on this. Use the time to learn something else, like scraping porn videos using Python. That will be even better. :D

  • @deank said:
    WP itself is secure. It's almost always either (bad or outdated) plugins or (bad or outdated)
    themes from what I've seen.

    What? There's a shit ton of WordPress 0day attacks all the time. It's taken years to get to this point, making mistakes along the way and getting better over time.
