Run scripts without cron or visit triggers? - php

Is it possible for Joomla (or WordPress) to run scripts without cron or visit triggers?
We have this installation that has been using CPU seconds, and its index.php appears in the active processes list of cPanel, but no cron jobs or visits are running. If we rename the index.php file the process disappears; if we resettle it, it re-executes after a few seconds. For some seconds it disappears, sometimes it appears up to triple WITHOUT having actual visits and with no cron jobs running.
How is this possible?
We want to know for 2 reasons: a security check, and making use of this extra possibility of running scripts if it exists.

I can't speak for WP, but I can't imagine any way of a script executing on its own. I'd suggest looking at the Apache logs and perhaps bumping up the logging level to see where/how this might be happening. It sounds to me like your file has been hacked if you are CERTAIN that no outside requests are launching it. In my adventures with hackers, the code is often hidden out of sight, so have a look at it with word-wrapping on and see if you can spot anything - it sounds awfully suspicious to me.

To add, your malicious obfuscated code may actually be in your data store, as is often the case with Magento, Drupal, Joomla and WordPress.
TL;DR: Don't just inspect your files, but database records that output HTML too.
You should also open your browser's console and take a look at the network tab. Inspect it for suspicious connections.

Related

Wordpress Divi updates don't save

I'm a bit of an amateur so I'm sure I've missed something.
I'm running Divi on WordPress. When I go to update a page, I get the "Your updates couldn't be saved" error. My WordPress site, as well as its cPanel, is also loading unusually slowly, which I think is related to the issue. After working on this for a bit, both my site and its cPanel will fail to load, giving me a "can't establish a secure connection to the server" error. The third symptom, which I can't make heads nor tails of: when I click "update" in the page editor, my browser will often (but not always) launch another tab/pop-up either displaying a preview of the edits or the "pages" page on the WP admin side. All of these issues are new (although I've had similar loading speed issues in the past with this site).
Thinking it may be an overload on my server (which happened due to an attack a few months ago), I let it sit for a few days with no luck. Then, thinking it may be a caching issue on my end, I changed my DNS servers, cleared my browser cache, tried private browsing, used my phone, used different wifi and cellular networks. All to no avail. I briefly had slight luck using my phone as a hotspot, but it only temporarily improved the loading speeds.
I also tried disabling plugins. I made sure everything was up to date. No help.
I went into my wp-config.php file and increased the memory limit to 128M and the WP-max memory limit to 256M. This helped briefly–I could update and save one page but when I tried to change the next, I was back to base 1. I've also increased the memory limits in my .htaccess file. I don't have access to my PHP.init file (there are often delays reaching my host so I'm trying to avoid relying on them when possible).
My last guess (which I have yet to implement) is to update my PHP. That said, I'm running 7.3.6 and had no issue updating the site a few days ago so I'm not sure that's the problem, unless Divi's newest update has compatibility issues with 7.3 versions of PHP...
Any further ideas would be greatly appreciated! I'm partway through a cosmetic update (which, I know should be done on a staging site but sometimes best practices are best learnt through mistakes like this) so my site looks somewhat half-finished. That is, I'm anxious to be able to edit it again.
Many thanks in advance

Whenever you try to save something, Divi will make a request through admin-ajax.php. It often happens that a security firewall detects that as a threat (which it obviously is not), thus giving you the failed save message. Can you ask your host to check the rules that are triggered and whitelist that action? It can also come from plugins like Wordfence, so make sure to whitelist it there too.
You can also attach that layout as JSON here, I can test it on my own server and if I can save changes, we should be on the right path.

Website is very slow, but if I modify the URL it loads normally

Not all the time, but sometimes if I visit the site like this, http://WEBSITESAMPLE.com/paramA/pathB/, it becomes very slow and nothing loads for a minute or so, but if I add something dummy to the path, it loads immediately. Do any of you have an idea why that is?

I am not sure what's going on here because your question lacks a little detail.
But just to make the scenario clear when it comes to client/server side and accessing something on the web with a domain: you have to understand that whatever lag you experience, it always points to a certain process in which a line of code cannot finish the job in the desired time.
Lags are sometimes caused by a script like JavaScript (JS) that will probably send a request to the server which the server can't respond to in the time required by the script.
Also sometimes, browsing to a specified URL without a clear path to a server could cause waiting time.
Anyhow, you have to inspect the path you are accessing, the source code and possible process jobs. From there I'm sure you can figure it out.
Otherwise you have to share your setup, assuming you're the one who set up and built the site.

Wordpress PHP what's doing the server at this moment?

I have a website (wordpress) published and it works perfectly, but from time to time it gets stuck. You try to enter the page and the server is like blocked, processing, and then for some minutes the website doesn't load.
I even added a cache system and performance optimizations, and the website is much faster now, but that keeps happening, from time to time (several times per day) the web is white, blank, loading for a long time.
I don't know what it is: a plugin? my code? it doesn't happen at a specific moment or action. So I can't identify when or where or why it happens.
So, can I somehow log the php code to know what is being executed at that moment? Where is the code stuck?
BTW, I already disabled the wp-cron. That's not it. And the web is huge so I can't start looking into every file for a loop or something, I need something faster.

I recommend checking with some query monitor which plugins / themes are responsible for the bottleneck. You can use GoDaddy's P3 Profiler plugin, which, although it is not getting updates, remains one of the best options for profiling a WordPress site.
If you use cPanel, check the resource usage and try to identify patterns. For example, is the site slow at a specific time? On specific days of the week?
If you have access to Awstats or similar, you can check if there is any bot that accesses your site at some specific time.
If you treat only the symptom (slowness) you will continue to have the same problem. You need to find the source and then solve it at once.
Also check the access logs for detecting anomalies:
https://www.tecmint.com/find-top-ip-address-accessing-apache-web-server/
Looking on Google, I found some services that I think can help:
https://goupcloud.com [complete optimization and identification of bottlenecks (treatment in the cause and not symptom)]
https://www.wpfaster.org/ [full optimization]
https://www.wpspeedfix.com/ [full optimization]

How WordPress malware create .c file in /tmp/ folder & sending spam emails

I've faced malware on my WordPress website which causes spam emails to be sent through my host.
After monitoring, I have noticed there are some strange files in my /tmp/ folder like this:
phpfxL6vs_3ckri2mkhyu6dqip6 & phpfxL6vs.c
where the file phpfxL6vs.c contains:
mine = stratum+tcp://xxxxxxxxxxxxxxxxxxxxxxxxxxx:x#xmr.crypto-pool.fr:3333/xmr
These files are created on even days (like Oct 28, Oct 26, ...).
Up to now I can't find the source cron job or script which causes this infection.
Hope someone can help me...

A quick list of what I usually do in these situations:
First: consider your system compromised. All of it. Trust nothing you see. If you don't find anything it doesn't mean it's not there, it might just be hiding.
Look at your access logs very hard. Most infections I've seen come via POST requests, but a GET with query parameters might be responsible as well. Also, since they might've installed a back door, look for any requests that directly call a .php file instead of /category/article-name/. Look for IPs sending unusually many requests, and requesting few/no images/css files.
This might give you an idea about where the breach began, and you can use that as a starting point to investigate further. Look at the file creation / modification times of those programs, and look at the access logs what happened around that time.
Change all passwords, WP user, ssh/sftp/ftp users, mysql etc pp. Look at every computer with ssh/ftp/WordPress admin access, you might be the source.
Update all Plugins, and WP Core if you didn't. And keep up with the updates.
Set up your wp-config.php to log all POST data, so you'll know exactly what is being sent if they use admin-ajax.php for example. That won't be a magic bullet, but it might give you something to start with.
Look at the error log. Intrusion attempts often create warnings or errors.
When you're confident you've found and fixed the issue, re-install your server and either start with a fresh install of WP in which you manually transfer your content, or restore from a backup that you are reasonably sure is clean (before anything happened). You can't really trust your backups at this point because you don't know when the initial infection happened, but it's not a perfect world and you have to get running again.
After fixing the issue and having a fresh and healthy site, don't stop monitoring POST data and suspicious requests in general for at least another month. It's unlikely that you are the specific target of somebody that will hold back a while to give you a sense of security, but you can't rule it out.
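
The access-log checks listed in the answer above (POST requests, direct calls to .php files, IPs that send several requests but fetch no images or CSS), as an added example that is not part of the original thread. It assumes the Apache combined log format; the function names, sample lines, IP addresses and paths are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
STATIC_RE = re.compile(r"\.(?:css|js|png|jpe?g|gif|svg|ico|woff2?)$", re.I)

def triage(lines, min_requests=3):
    """Return (per-IP counters, sorted list of IPs worth a closer look)."""
    stats = defaultdict(lambda: {"total": 0, "post": 0, "static": 0, "php": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, method, target, _status = m.groups()
        path = target.split("?", 1)[0]
        s = stats[ip]
        s["total"] += 1
        s["post"] += method == "POST"
        s["static"] += bool(STATIC_RE.search(path))
        if path.endswith(".php"):
            s["php"].add(path)  # script called directly, not via a permalink
    # Heuristic from the answer: several requests, no images/CSS/JS fetched,
    # and at least one POST or direct .php call. Real browsers load assets.
    flagged = sorted(
        ip for ip, s in stats.items()
        if s["total"] >= min_requests and s["static"] == 0 and (s["post"] or s["php"])
    )
    return dict(stats), flagged

def _line(ip, method, target):
    return f'{ip} - - [28/Oct/2019:10:00:00 +0000] "{method} {target} HTTP/1.1" 200 512 "-" "-"'

# Constructed sample: documentation IP ranges and made-up paths.
SAMPLE = [
    _line("198.51.100.7", "GET", "/category/article-name/"),
    _line("198.51.100.7", "GET", "/wp-content/themes/demo/style.css"),
    _line("198.51.100.7", "GET", "/wp-includes/js/jquery/jquery.js"),
    _line("198.51.100.7", "POST", "/wp-login.php"),
    _line("203.0.113.9", "POST", "/wp-content/uploads/2019/10/example.php"),
    _line("203.0.113.9", "POST", "/wp-content/uploads/2019/10/example.php"),
    _line("203.0.113.9", "GET", "/wp-content/uploads/2019/10/example.php?x=1"),
]

if __name__ == "__main__":
    stats, flagged = triage(SAMPLE)
    for ip in flagged:
        s = stats[ip]
        print(f'{ip}: {s["total"]} requests, {s["post"]} POST, php={sorted(s["php"])}')
```

A flagged IP is a starting point for reading the surrounding log entries and file modification times, not a verdict; monitoring services and API clients also skip static assets.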

php script containing devil hack

Sadly I have run into a very big problem. I noticed that on a website (not mine anyway) there was a file with a very long obfuscated string (over 70.000 chars) with this:
eval(gzuncompress(base64_decode("CODE")));
I wanted to deobfuscate it locally on my PC but finally I decided to use the lazy way using one of the many online deobfuscator tools. As soon as I clicked on "Deobfuscate" I was able to see the output just for a few seconds. From that moment it seems that I can no longer access pages where online deobfuscators are hosted. For example I can't open this page (Connection Aborted) even if I can properly browse all other pages:
http://www.whitefirdesign.com/tools/deobfuscate-php-hack-code.html
It's as if all these tools got banned from my PC on every browser and user account. Only a few of them are still accessible, like MobileFish:
http://www.mobilefish.com/services/eval_gzinflate_base64/eval_gzinflate_base64.php
But none of them is able to process my requests. It's as if this PHP script is a pure devil. I suppose that my PC has been compromised in some way since I can't open some particular websites, even though both MalwareBytes and Avast can't find anything wormy. Any ideas? What does this script do?
http://pastebin.com/yf6R1rVK

The code has been put there through some sort of other vulnerability on the site. Here's the deobfuscated PHP, run at your own peril. It looks like some sort of shell which would allow attackers to run certain commands/farm information on the server it's hosted on.
https://gist.github.com/jtylr/4fd6240ddcd046e62535
The code has been encoded and compressed: base64_decode() decodes the string, gzuncompress() decompresses it and eval() (see: evil) will then run the string.

I've run into some malicious code before that was injected into some vBulletin forums I was responsible for. Generally this malicious code is executed on the remote machine by being dumped onto the box as a bunch of bytes, and then set up to be decoded, decompressed, and evaluated as suggested by that line you have.
It could have done anything.
Perhaps check your machines' host file and see if there are any strange entries that may prevent you from visiting those web pages.
C:\Windows\System32\drivers\etc\hosts
(Assuming you are on Windows. Look for anything suspicious in there and remove it.)
Could also be something in there preventing your anti-virus software from running, or it may be that no actual viral loads were delivered and that you've simply had your host file rewritten.

I doubt you are infected. The code is some kind of shell, that is certainly bad news for the site you found it on, but the simple act of viewing the code string won't affect you.
You can see the deobed code here: http://pastebin.com/QDvnAzZw
What I expect has happened is that your antivirus software scans webpages as you visit them, and recognized the deobed code as malicious, thus cutting the connection to the site.
I imagine the site is then flagged as malicious by your antivirus, thus blocking later attempts to visit it.
If I am correct, you probably won't be able to see the pastebin page linked above.
The solution is specific to your AV program.

Here is the decoded malicious code (this link is a tiny paste, don't worry).
First rapid investigation (I didn't decode the Python part) seems to try to open backdoors in WordPress & Joomla admins.
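
The eval(gzuncompress(base64_decode("CODE"))) wrapper discussed in this thread decodes, decompresses and then executes; the first two steps can be done locally as plain data handling, without the execution step and without pasting the string into a third-party site. This is an added example, not code from the thread: `peel` and `constructed_sample` are names made up here, and the sample payload is a harmless constructed string.

```python
import base64
import re
import zlib

# PHP function -> zlib wbits: gzuncompress reads a zlib stream, gzinflate raw
# deflate, gzdecode a gzip container.
WBITS = {"gzuncompress": 15, "gzinflate": -15, "gzdecode": 31}
WRAPPER_RE = re.compile(
    r"eval\s*\(\s*(gzuncompress|gzinflate|gzdecode)\s*\(\s*base64_decode\s*\(\s*"
    r"""["']([A-Za-z0-9+/=\s]+)["']\s*\)\s*\)\s*\)"""
)

def peel(source, max_layers=20, max_bytes=5_000_000):
    """Unwrap nested eval(gz*(base64_decode("..."))) layers without running them.

    Each layer is treated purely as data: base64-decoded, then decompressed.
    Returns (innermost_source, layers_removed).
    """
    layers = 0
    while layers < max_layers:
        m = WRAPPER_RE.search(source)
        if not m:
            break
        func, blob = m.groups()
        d = zlib.decompressobj(WBITS[func])
        out = d.decompress(base64.b64decode(blob), max_bytes)
        if not d.eof:  # stream did not finish: truncated, or output cap reached
            raise ValueError("layer truncated or larger than max_bytes")
        source = out.decode("utf-8", errors="replace")
        layers += 1
    return source, layers

def constructed_sample():
    """Harmless two-layer sample built for this example (not from the page)."""
    inner = b'echo "constructed sample";'
    raw = zlib.compressobj(wbits=-15)
    l1 = base64.b64encode(raw.compress(inner) + raw.flush()).decode()
    mid = f'eval(gzinflate(base64_decode("{l1}")));'.encode()
    l2 = base64.b64encode(zlib.compress(mid)).decode()
    return f'<?php eval(gzuncompress(base64_decode("{l2}")));'

if __name__ == "__main__":
    code, depth = peel(constructed_sample())
    print(f"{depth} layer(s) removed:\n{code}")
```

The result is text to read in an editor; layers that use other encodings (str_rot13, hex escapes, string concatenation) are outside what this pattern recognises and are returned as-is.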
