Ubuntu 12.04 LTS LAMP Server is attacking Wordpress sites

I have a small LAMP Stack that hosts about 30 websites. Recently we had a number of sites become compromised with the eval(decode... garbage on large number of files. We cleaned that up and all the sites are working properly. We had a new attack where files were actually uploaded to the Wordpress sites with huge encoded files that contained the x64\x65\x28\x22\x22\x2C\x24\x69\x66\x65\x67\x29\x29\x29\x29\... and those files were accompanied by encrypted files called "ps". I scoured every site individually and cleaned up all the stray files/code (I even replaced some sites) then I used Wordfence to verify every site is clean. Even after all this I can still see outbound traffic in my tcpdumps that make be believe the server is still attacking wp-login.php due to the random URLs I see to those pages.

At this point I'm at a loss as to how to find where this malicious activity is originating on my server. There is no GUI on this machine, anybody have any ideas how I can track down the culprit?
LVL 3
BigDeerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

serialbandCommented:
You might want to see if the rootkit scanner can find it.  http://rootkit.nl/projects/  There's a free version that you can run.
0
BigDeerAuthor Commented:
That one found nothing but I'm giving Maldet a whirl now. Thanks for the tip. I can verify this is definitely something coming from apache.
0
serialbandCommented:
There's also PHP code scanners that you can try out.
http://www.mikestowe.com/2010/10/php-malicious-code-scanner.php

Here's a link to a commercial php scanner.
http://www.acunetix.com/


Here are links to open source scanners to check for vulnerabilities in your php code.
http://sourceforge.net/projects/rips-scanner/
http://sourceforge.net/projects/securityscanner/
http://sourceforge.net/projects/phpsecaudit/
http://sourceforge.net/projects/yasca/
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
BigDeerAuthor Commented:
Tried all but a couple of these scanners and they found nothing. I ended up going through every file in every folder under 75% of the sites and eventually found some garbage that was pointing to cookies with a weird variable. I was able to use find to find all the files with that reference and remove them. Everything looks completely clean and we've implemented an IPS to prevent it from happening again.

Thanks for all the suggestions
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.