Solved

Ubuntu 12.04 LTS LAMP Server is attacking Wordpress sites

Posted on 2014-07-18
4
395 Views
Last Modified: 2014-07-24
I have a small LAMP Stack that hosts about 30 websites. Recently we had a number of sites become compromised with the eval(decode... garbage on large number of files. We cleaned that up and all the sites are working properly. We had a new attack where files were actually uploaded to the Wordpress sites with huge encoded files that contained the x64\x65\x28\x22\x22\x2C\x24\x69\x66\x65\x67\x29\x29\x29\x29\... and those files were accompanied by encrypted files called "ps". I scoured every site individually and cleaned up all the stray files/code (I even replaced some sites) then I used Wordfence to verify every site is clean. Even after all this I can still see outbound traffic in my tcpdumps that make be believe the server is still attacking wp-login.php due to the random URLs I see to those pages.

At this point I'm at a loss as to how to find where this malicious activity is originating on my server. There is no GUI on this machine, anybody have any ideas how I can track down the culprit?
0
Comment
Question by:BigDeer
  • 2
  • 2
4 Comments
 
LVL 28

Expert Comment

by:serialband
ID: 40205625
You might want to see if the rootkit scanner can find it.  http://rootkit.nl/projects/  There's a free version that you can run.
0
 
LVL 3

Author Comment

by:BigDeer
ID: 40205715
That one found nothing but I'm giving Maldet a whirl now. Thanks for the tip. I can verify this is definitely something coming from apache.
0
 
LVL 28

Accepted Solution

by:
serialband earned 500 total points
ID: 40205762
There's also PHP code scanners that you can try out.
http://www.mikestowe.com/2010/10/php-malicious-code-scanner.php

Here's a link to a commercial php scanner.
http://www.acunetix.com/


Here are links to open source scanners to check for vulnerabilities in your php code.
http://sourceforge.net/projects/rips-scanner/
http://sourceforge.net/projects/securityscanner/
http://sourceforge.net/projects/phpsecaudit/
http://sourceforge.net/projects/yasca/
0
 
LVL 3

Author Closing Comment

by:BigDeer
ID: 40217582
Tried all but a couple of these scanners and they found nothing. I ended up going through every file in every folder under 75% of the sites and eventually found some garbage that was pointing to cookies with a weird variable. I was able to use find to find all the files with that reference and remove them. Everything looks completely clean and we've implemented an IPS to prevent it from happening again.

Thanks for all the suggestions
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Domino Website - Redirection 12 52
updating the date data 12 21
is this a cms? 8 35
Print a zero when there are no results in a PHP MySQL COUNT query 15 29
Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now