Solved

Ubuntu 12.04 LTS LAMP Server is attacking Wordpress sites

Posted on 2014-07-18
4
400 Views
Last Modified: 2014-07-24
I have a small LAMP Stack that hosts about 30 websites. Recently we had a number of sites become compromised with the eval(decode... garbage on large number of files. We cleaned that up and all the sites are working properly. We had a new attack where files were actually uploaded to the Wordpress sites with huge encoded files that contained the x64\x65\x28\x22\x22\x2C\x24\x69\x66\x65\x67\x29\x29\x29\x29\... and those files were accompanied by encrypted files called "ps". I scoured every site individually and cleaned up all the stray files/code (I even replaced some sites) then I used Wordfence to verify every site is clean. Even after all this I can still see outbound traffic in my tcpdumps that make be believe the server is still attacking wp-login.php due to the random URLs I see to those pages.

At this point I'm at a loss as to how to find where this malicious activity is originating on my server. There is no GUI on this machine, anybody have any ideas how I can track down the culprit?
0
Comment
Question by:BigDeer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 29

Expert Comment

by:serialband
ID: 40205625
You might want to see if the rootkit scanner can find it.  http://rootkit.nl/projects/  There's a free version that you can run.
0
 
LVL 3

Author Comment

by:BigDeer
ID: 40205715
That one found nothing but I'm giving Maldet a whirl now. Thanks for the tip. I can verify this is definitely something coming from apache.
0
 
LVL 29

Accepted Solution

by:
serialband earned 500 total points
ID: 40205762
There's also PHP code scanners that you can try out.
http://www.mikestowe.com/2010/10/php-malicious-code-scanner.php

Here's a link to a commercial php scanner.
http://www.acunetix.com/


Here are links to open source scanners to check for vulnerabilities in your php code.
http://sourceforge.net/projects/rips-scanner/
http://sourceforge.net/projects/securityscanner/
http://sourceforge.net/projects/phpsecaudit/
http://sourceforge.net/projects/yasca/
0
 
LVL 3

Author Closing Comment

by:BigDeer
ID: 40217582
Tried all but a couple of these scanners and they found nothing. I ended up going through every file in every folder under 75% of the sites and eventually found some garbage that was pointing to cookies with a weird variable. I was able to use find to find all the files with that reference and remove them. Everything looks completely clean and we've implemented an IPS to prevent it from happening again.

Thanks for all the suggestions
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

These days socially coordinated efforts have turned into a critical requirement for enterprises.
3 proven steps to speed up Magento powered sites. The article focus is on optimizing time to first byte (TTFB), full page caching and configuring server for optimal performance.
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question