?
Solved

Ubuntu 12.04 LTS LAMP Server is attacking Wordpress sites

Posted on 2014-07-18
4
Medium Priority
?
402 Views
Last Modified: 2014-07-24
I have a small LAMP Stack that hosts about 30 websites. Recently we had a number of sites become compromised with the eval(decode... garbage on large number of files. We cleaned that up and all the sites are working properly. We had a new attack where files were actually uploaded to the Wordpress sites with huge encoded files that contained the x64\x65\x28\x22\x22\x2C\x24\x69\x66\x65\x67\x29\x29\x29\x29\... and those files were accompanied by encrypted files called "ps". I scoured every site individually and cleaned up all the stray files/code (I even replaced some sites) then I used Wordfence to verify every site is clean. Even after all this I can still see outbound traffic in my tcpdumps that make be believe the server is still attacking wp-login.php due to the random URLs I see to those pages.

At this point I'm at a loss as to how to find where this malicious activity is originating on my server. There is no GUI on this machine, anybody have any ideas how I can track down the culprit?
0
Comment
Question by:BigDeer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 30

Expert Comment

by:serialband
ID: 40205625
You might want to see if the rootkit scanner can find it.  http://rootkit.nl/projects/  There's a free version that you can run.
0
 
LVL 3

Author Comment

by:BigDeer
ID: 40205715
That one found nothing but I'm giving Maldet a whirl now. Thanks for the tip. I can verify this is definitely something coming from apache.
0
 
LVL 30

Accepted Solution

by:
serialband earned 2000 total points
ID: 40205762
There's also PHP code scanners that you can try out.
http://www.mikestowe.com/2010/10/php-malicious-code-scanner.php

Here's a link to a commercial php scanner.
http://www.acunetix.com/


Here are links to open source scanners to check for vulnerabilities in your php code.
http://sourceforge.net/projects/rips-scanner/
http://sourceforge.net/projects/securityscanner/
http://sourceforge.net/projects/phpsecaudit/
http://sourceforge.net/projects/yasca/
0
 
LVL 3

Author Closing Comment

by:BigDeer
ID: 40217582
Tried all but a couple of these scanners and they found nothing. I ended up going through every file in every folder under 75% of the sites and eventually found some garbage that was pointing to cookies with a weird variable. I was able to use find to find all the files with that reference and remove them. Everything looks completely clean and we've implemented an IPS to prevent it from happening again.

Thanks for all the suggestions
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
In part one, we reviewed the prerequisites required for installing SQL Server vNext. In this part we will explore how to install Microsoft's SQL Server on Ubuntu 16.04.
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question