Comments
Well, it's difficult to explain.
I get an email every 24h, then I see the modified files, yeah. But if the server is mail injected I never see that email, because it's stuck in a full queue of thousands of emails and won't be delivered.
Just an example: if the xyz.php file is modified/hacked, copy it back from the original file and then run 'chattr +i xyz.php'.
With 'chattr +i', no user (including root) can change this file. The reverse operation is 'chattr -i'.
Interesting. At this point, what they usually do is create new files; they never overwrite any of the already existing ones.
Thanks for your help !
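The daily "modified files" email mentioned above only shows changes to files that already existed, while the attacker here drops new files. The script below is an added example (not from the thread, not from any poster) of a baseline-and-diff check that reports new, modified and deleted files under a web root, which is the detection side of the chattr advice. It assumes a Linux box with coreutils (sha256sum, find, mktemp) and POSIX awk; the demo directory and its contents are constructed here, and paths containing whitespace are not handled.

```shell
#!/bin/sh
# Added example: hash baseline for a web root, then diff against it.
# Assumes coreutils sha256sum/find/mktemp and a POSIX awk (assumption).

# make_baseline DIR  -> "hash  ./relative/path" lines, sorted by path
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# check_baseline DIR BASELINE_FILE
#   prints one "NEW|MODIFIED|DELETED ./path" line per finding,
#   returns 0 when the tree still matches the baseline, 1 otherwise
check_baseline() {
    dir=$1 base=$2
    cur=$(mktemp)
    make_baseline "$dir" > "$cur"
    findings=$(awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }   # baseline: path -> hash
        { new[$2] = $1 }                             # current tree
        END {
            for (p in new) if (!(p in old)) print "NEW " p
            for (p in new) if ((p in old) && old[p] != new[p]) print "MODIFIED " p
            for (p in old) if (!(p in new)) print "DELETED " p
        }' "$base" "$cur" | sort)
    rm -f "$cur"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# demo: constructed site, baseline it, then simulate a drop + an edit
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/site/wp-content/uploads"
    printf '<?php echo "index";\n' > "$work/site/index.php"
    printf 'GIF89a\n' > "$work/site/wp-content/uploads/logo.gif"
    make_baseline "$work/site" > "$work/baseline.sha256"

    # constructed placeholders, not real payloads
    printf '<?php /* placeholder for a dropped file */\n' > "$work/site/wp-content/uploads/x.php"
    printf '<?php echo "index"; /* placeholder for an edit */\n' > "$work/site/index.php"

    check_baseline "$work/site" "$work/baseline.sha256" || echo "tree differs from baseline"
    rm -rf "$work"
}

if [ "${1-}" = demo ]; then demo; fi
```

Run it once right after a clean reinstall to write the baseline (make_baseline /var/www/site > /root/site.sha256), keep the baseline outside the web root, and call check_baseline from cron; because it returns non-zero on any finding, the cron job can push an alert instead of relying on an email that may sit behind the spam in the queue.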
If they create new files in their special directory, run 'chattr +i /path/of/their/directory'.
Making files immutable is not the answer. The answer is to find the source of the breach and patch it.
That's the immutable flag. @KeyJey, you'd have to do this to pretty much your whole site if you choose this solution. And undo it before you upgrade; also, automatic upgrades won't work if you do this to WP core files.
Totally understand. As I could see, there were two recent security patches related to this thread, so with the updates, plus the security suggestions, plus the instant push alerts I added to the exim queue, I'll relax a little bit, keeping an eye on the logs.
Thanks for the tips guys.
Chattr is just a temporary solution.
In my Kloxo-MR, for this problem, I just 'ban' this website so it is not permitted to use sendmail. Again, it's also a temporary solution.
@mustafaramadhan don't worry, it's cool to get these kinds of suggestions and learn, thanks again for the tips!
@KeyJey I use mod_sec with VestaCP which has nginx front end. I will send you my nginx rules too.
okay, thanks !
Is the site in question using any nulled scripts like nulled gravityforms?
If all the scripts are genuine, redownload all the plugins manually by hand, then delete the plugins folder and reupload.
I'd then also check every other uploads folder
@hdpixel,
Is mod_sec able to prevent sendmail?
Not really, but sendmail/PHP mail() only accounts for maybe a little more than half of what these common exploits do. They also do a lot of outgoing brute force, and some will straight up dump your application database and zip it up for download. mod_sec is incredible at preventing the exploit before it happens if you know the common patterns. Somewhere in my notes I have a set of rules I made for Joomla 1.5 that completely fix its vulnerabilities, which I made from a couple of years of watching instances get exploited.
https://wordpress.org/news/2015/04/wordpress-4-2-1/
This???
Think simple. This issue is spam from a website, so disabling/preventing sendmail is a simple solution.
Another trick is disable_functions for mail in php.ini.
It's probable that this is not all that it's doing, but it takes abuse reports for most people to notice the outgoing brute force that is common with these types of attacks. Thinking simple is good, but don't think so simple that you miss the problem and only focus on what is immediately apparent to you at first glance. This is what leads people to say "I resolved the problem" when they did not, in fact, resolve the problem. The attackers typically upload scripts that are capable of multiple functions, spam being only one of them, and the one that makes people first take notice of the problem. Take C99 shell, for instance, which is one of the most commonly used to this day.
I'm not trying to be "that guy" I just like to share my knowledge about the few things I actually know :P
Using mod_sec, disabling mail() or a sendmail ban are all the same: no real solution. The real solution is to clean the WordPress code and/or remove the plugins which make the spam.
Using mod_sec is still no solution for the spam, but disabling mail() or a sendmail ban is. So, that's why I said 'think simple' (focus on the 'main issue').
https://github.com/neohapsis/neopi ?
Thanks for the link. Really interesting.
Maybe I missed it, but I don't see where KeyJay answered the question as to whether he had any nulled plugins or themes. I do know that when I wanted to learn about what made WP websites successful I bought several. Every security problem I've ever had was from these purchases, and was due to the seller using nulled themes or plugins. It didn't take me long to figure out this was just stupid. The hackers that create these nulled products always build in back doors. People who use nulled anything are just asking for problems.
Hello @MTUser, yes, I already said that there's no nulled script. There's one purchased theme and some plugins, all free.
If you search this thread for "I would never use a patched or nulled theme" you will find it.
Unless my designer used one for any of the plugins, I don't think there's any nulled plugin.
Now that you mention it, I'll ask him specifically about it.
Thanks.
@mustafaramadhan it could be done by simply blocking sendmail exec. However, there are other ways of doing this. I use the csf firewall to alert me when the mail queue size is larger than a specific size, and set it to require SMTP authentication.
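The queue-size alert described above (csf's LF_QUEUE_ALERT setting does the same thing) is easy to reproduce by hand, and grouping the queue by envelope sender usually points straight at the injecting site, since web-injected mail tends to carry the web server's own sender address. The script below is an added example, not code from the thread or from csf, that parses the output format of 'exim -bp' (age, size, message id, sender in angle brackets, followed by indented recipient lines). The queue listing embedded in it is constructed, and the 'nobody@example.com' sender standing in for the web server user is an assumption.

```shell
#!/bin/sh
# Added example: summarise an exim queue listing and alert above a threshold.
# Parses the 'exim -bp' layout (assumption: one header line per message,
# "<age> <size> <message-id> <sender>", recipients indented below it).

# queue_by_sender < listing  -> "count sender" lines, busiest sender first
queue_by_sender() {
    awk '$3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ && $4 ~ /^<.*>$/ {
            s = $4; gsub(/[<>]/, "", s)
            if (s == "") s = "<>"          # bounce message, empty sender
            n[s]++
        }
        END { for (s in n) print n[s], s }' | sort -rn
}

# count_queue < listing  -> total number of queued messages
count_queue() {
    queue_by_sender | awk '{ t += $1 } END { print t + 0 }'
}

# queue_alert THRESHOLD FILE
#   returns 0 when the queue holds THRESHOLD messages or fewer,
#   otherwise prints the top senders and returns 1 (hook a push alert here)
queue_alert() {
    thr=$1 file=$2
    n=$(count_queue < "$file")
    [ "$n" -le "$thr" ] && return 0
    echo "ALERT: $n messages queued (threshold $thr); top senders:"
    queue_by_sender < "$file" | head -n 5
    return 1
}

# Constructed sample listing in the 'exim -bp' layout; nobody@example.com
# stands in for the web server user that PHP mail() submits as (assumption).
SAMPLE_QUEUE='  3m  1.2K 1aBcDe-000123-Ab <nobody@example.com>
          victim1@example.net

  3m  1.2K 1aBcDe-000124-Cd <nobody@example.com>
          victim2@example.net

 25m  2.9K 1aBcDe-000099-Ef <admin@example.org>
        D alice@example.org
'

if [ "${1-}" = demo ]; then
    f=$(mktemp)
    printf '%s' "$SAMPLE_QUEUE" > "$f"
    queue_alert 2 "$f" || echo "exit status $? (alert raised)"
    rm -f "$f"
fi
```

On a live box replace the sample with 'exim -bp > /tmp/queue.txt' and run queue_alert from cron every few minutes; once the busiest sender is the web server user, 'exim -Mvh <message-id>' on one of its messages shows the received headers that name the script or directory the mail came from.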
KeyJey, Sorry I missed that. If your developer says he or she purchased the items, as you have had such a problem, it might be worth asking him or her for proof of the purchased theme. At this point I think it is worth checking everything.
How? What's the rule for blocking sendmail?
This thread seems to trigger an alert from avast, "PHP:BackDoor-FO [Trj]" I'm guessing it's being silly over some of the example code posted earlier in the thread.
Make sure your WordPress sites and plugins are up to date.
From memory and the logs, Gravity Forms had some pretty big vulns recently.
Hey guys, at the moment no more injections have appeared... thanks
What was the exact problem?