Solved

Ubuntu 12.04 LTS LAMP Server is attacking Wordpress sites

Posted on 2014-07-18
401 Views
Last Modified: 2014-07-24
I have a small LAMP Stack that hosts about 30 websites. Recently we had a number of sites become compromised with the eval(decode... garbage on a large number of files. We cleaned that up and all the sites are working properly. We had a new attack where files were actually uploaded to the Wordpress sites with huge encoded files that contained the x64\x65\x28\x22\x22\x2C\x24\x69\x66\x65\x67\x29\x29\x29\x29\... and those files were accompanied by encrypted files called "ps". I scoured every site individually and cleaned up all the stray files/code (I even replaced some sites), then I used Wordfence to verify every site is clean. Even after all this I can still see outbound traffic in my tcpdumps that makes me believe the server is still attacking wp-login.php, due to the random URLs I see to those pages.

At this point I'm at a loss as to how to find where this malicious activity is originating on my server. There is no GUI on this machine, anybody have any ideas how I can track down the culprit?
Question by:BigDeer
LVL 29

Expert Comment

by:serialband
ID: 40205625
You might want to see if the rootkit scanner can find it.  http://rootkit.nl/projects/  There's a free version that you can run.
LVL 3

Author Comment

by:BigDeer
ID: 40205715
That one found nothing, but I'm giving Maldet a whirl now. Thanks for the tip. I can verify this is definitely something coming from Apache.
LVL 29

Accepted Solution

by:serialband (earned 500 total points)
ID: 40205762
There are also PHP code scanners that you can try out.
http://www.mikestowe.com/2010/10/php-malicious-code-scanner.php

Here's a link to a commercial PHP scanner.
http://www.acunetix.com/


Here are links to open source scanners that check for vulnerabilities in your PHP code.
http://sourceforge.net/projects/rips-scanner/
http://sourceforge.net/projects/securityscanner/
http://sourceforge.net/projects/phpsecaudit/
http://sourceforge.net/projects/yasca/
LVL 3

Author Closing Comment

by:BigDeer
ID: 40217582
Tried all but a couple of these scanners and they found nothing. I ended up going through every file in every folder under 75% of the sites and eventually found some garbage that was pointing to cookies with a weird variable. I was able to use find to locate all the files with that reference and remove them. Everything looks completely clean, and we've implemented an IPS to prevent it from happening again.

Thanks for all the suggestions
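As an added example (not from the thread or from any of the scanners linked above), a small Python triage script that walks a web root and flags PHP files carrying the three indicators this thread describes: eval() wrapped around a decoder, long runs of \xNN-escaped bytes, and code that executes data taken from a cookie. The signature names, thresholds and sample inputs are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Indicator patterns modelled on the symptoms in this thread (constructed here;
# tune the hex-run threshold to your own code base to limit false positives).
SIGNATURES = {
    # eval() fed directly by a decoder, e.g. eval(base64_decode('...'))
    "eval_of_decoder": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
        re.IGNORECASE),
    # 16 or more consecutive \xNN escapes: obfuscated string constants
    "hex_escaped_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){16,}"),
    # an execution sink whose argument expression reaches into $_COOKIE
    "cookie_to_exec": re.compile(
        r"(?:eval|assert|preg_replace|create_function)\s*\([^;]{0,200}\$_COOKIE",
        re.IGNORECASE | re.DOTALL),
}

def scan_text(text):
    """Return the names of every signature that matches this file content."""
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def scan_tree(root, suffixes=(".php", ".phtml", ".inc")):
    """Map each suspicious file under root to the list of signatures it matched."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            found = scan_text(text)
            if found:
                hits[str(path)] = found
    return hits

# Constructed sample contents, one per indicator plus a benign control.
CLEAN = "<?php echo get_option('blogname'); ?>"
INJECTED = "<?php eval(base64_decode('aWYoMSl7fQ=='));?>"
HEXED = ('<?php $f="\\x64\\x65\\x28\\x22\\x22\\x2C\\x24\\x69\\x66\\x65\\x67'
         '\\x29\\x29\\x29\\x29\\x2e\\x2e"; ?>')
COOKIE = "<?php if(isset($_COOKIE['zz'])){ eval(stripslashes($_COOKIE['zz'])); } ?>"

if __name__ == "__main__":
    for p, sigs in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(p, ",".join(sigs))
```

Run it against each site's document root (`python3 scan.py /var/www/site`) and review every hit by hand; a match is a triage lead, not proof of compromise.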