Burglary protection
Kirill Sidorov, 2013-04-05 10:32:00

How to deal with hackers on the server?

Background: at the request of an SEO specialist, I installed WP on one of the domains and handed all access to the site over to him. We lived for a year without problems, and then noticed that mobile traffic was being siphoned off from the main domain. A cursory look at the files established injections in .htaccess and index.php. For a long time I could not understand where they came from, but then, through analysis, I found out that they had penetrated through a hole in WordPress. Found a shell, deleted it. The problem was not solved: as soon as you close the injections in index.php, they reappear within a day. Then I found a dozen more shells, deleted everything. The situation has not changed. We hired an outsourced sysadmin because I'm not very good at setting up unix-based distributions. For a while, the injections stopped.

After about 3 months, I noticed traffic from search engines for queries like “how to make (male / female genitals) at home”, “walkthrough (of a popular game)”, etc. I searched and found the file. Removed it. A few hours later it reappeared. Overwrote it. It was restored. Closed access to it in .htaccess. It appeared again. Then I put a rewrite on this file, and after an hour of waiting it changed a little (Latin letters similar in style to Russian ones were replaced, respectively, with Russian ones). After that I no longer had any doubt that behind this system a human is operating, 100%.

The next step: I began to figure out how to expose the scoundrel, since the admin could not even provide IP addresses; he says there is nothing in the server logs, and it is not clear where to look in the http logs. In the end, one way or another I got the IP of the villain, and now I don’t know what to do with it. The IP of this server is in the Netherlands; most likely it has a proxy or some kind of backtrack installed there. I didn't find this server in public proxy lists, I think it's his own. And here I ran into a wall, and now I cannot imagine what to do next. Where should I turn? To the hosting company? Will they shut the server down, and what evidence is needed for this? Tell me what to do next?


11 answers
ValdikSS, 2013-04-05
@ValdikSS

> in general, some kind of backtrack is installed

back connect?
You should have found the hole first. If you are sure that this is a hole in WordPress, then everything can be seen in the web server logs at a glance. Look for a decent sysadmin.

madguru, 2013-04-05
@madguru

WordPress is hacked quite often, mostly through installed add-ons that the user does not update. In December, a vulnerability was found in a popular module (a text editor, I don’t remember exactly which one) through which bots upload shells to servers.
If it really was uploaded through a vulnerability in WordPress or one of its add-ons, then you can search through the files using find, something like this:
find /WWWDIR \( -name "*.php" -o -name "*.html" -o -name "*.htm" \) -exec egrep -Hni 'gzinflate\(base64_decode|eval\(base64_decode|shell_exec|doced_46esab|eval\(' {} \; | cut -c 1-150
WWWDIR is the directory where your site is located.
I advise you to check in the Apache settings (if there is no nginx serving static files in front of it) whether files like *.png, *.html, etc. are mapped to the application/x-httpd-php type, and also to check the .htaccess files via find:
find /WWWDIR -name ".htaccess" -exec egrep -iHn 'application\/x-httpd-php .*(gif|html|jpeg|jpg|doc|txt)' {} \;
You can also simply scan all the files.
If you have a lot of sites on your Apache server and they all run as a single user, you need to scan all the sites :)
If it was hacked via ssh, it’s harder; in any case, it’s worth checking who last connected to the server and from where.
Yes, it is desirable to have access to the server via ssh :)

Vlad Zhivotnev, 2013-04-05
@inkvizitor68sl

Install snoopy; if a live person is poking around over ssh by hand, it will show up.
If it's via http, read the web server logs carefully.

charon, 2013-04-05
@charon

Fighting hackers on the server is easy: set up a firewall, regularly update all software (especially what faces outward), set up an intrusion detection system, read logs, read the security mailing lists of the software you use. If you do not know how, or there is no way to hire a competent specialist, then give up, you will not succeed. THERE'S NO FREE LUNCH! And describing the solution to your problem in a nutshell here in the comments is unlikely to succeed.

demimurych, 2013-04-05
@demimurych

If there were a rootkit on the server, the author of the topic would not have found anything.
By all external signs, a robot is at work that does not have root rights.
The most likely scenario is that an automatic scanner found a leaky WordPress and uploaded the standard set into it, something like some irc server, launched as the user the web server runs under.
It is possible that a crontab entry was registered from it as well.
Check all processes started by the user your web server runs as. I'm sure you'll find something weird like apache3 or crond.
A couple dozen such compromises have already passed through my hands.

stan_jeremy, 2013-04-05
@stan_jeremy

No one will do anything at your personal request; there would be a chance if you were in the same country, otherwise it’s a lost cause. The IP is most likely a VPN anyway; the Netherlands is a very popular country with tons of double / triple and so on VPN offers. The maximum they can do after a request from official bodies (which again is almost impossible to achieve) is close this vpn account for him, and he makes a new one :) hopelessness

DwINS, 2013-04-05
@DwINS

If I were you, I would first try to determine how these actions are performed; for that I would enable additional logging and look in the logs for events around the time the file was modified. If it's a script, I would parse its contents. It is difficult to give any recommendations without knowing the exact task, unfortunately.

Radriga, 2013-04-05
@Radriga

First of all, update WordPress and all its modules. Change the passwords to the server. Save the logs of the web server, the ftp daemon, and auth.log (ssh logins).
Second, take a closer look at the web server logs and get the information you need, namely attempts to upload the web shell. You can navigate by the creation / modification time of the web shell files.
Thirdly, send the “necessary” excerpt from the logs as an abuse report. Where to send it you will find in the whois for the IP; look at the technical/abuse contacts.
Fourthly, put the police of the country the IP belongs to in copy of the abuse letter. This will speed up consideration of the abuse report.
Then improvise.
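The log correlation that DwINS and Radriga describe, as an added example (not code from either answer): take the dropped file's mtime, pull the requests from a combined-format web server log that fall within a few minutes of it with POSTs first, then collect every line from the client IP that stands out, which is the excerpt an abuse report attaches. The log lines, the IPs and the mtime are constructed samples.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip - - [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r"(?P<status>\d{3})")

def parse_line(line):
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def requests_near(lines, mtime, minutes=10):
    """Requests within +/- minutes of the file's mtime, POSTs (uploads) first."""
    lo, hi = mtime - timedelta(minutes=minutes), mtime + timedelta(minutes=minutes)
    hits = [r for r in map(parse_line, lines) if r and lo <= r["ts"] <= hi]
    return sorted(hits, key=lambda r: (r["method"] != "POST", r["ts"]))

def abuse_excerpt(lines, ip):
    """Every log line from one client IP: the excerpt an abuse report attaches."""
    return [line for line in lines if line.startswith(ip + " ")]

# Constructed sample log: two ordinary visitors and one client that POSTs to a
# (hypothetical) plugin upload endpoint and then requests the file that appeared.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Apr/2013:09:58:11 +0400] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Apr/2013:10:30:02 +0400] "POST /wp-content/plugins/editor/upload.php HTTP/1.1" 200 14 "-" "python-requests/1.1"',
    '198.51.100.9 - - [05/Apr/2013:10:30:05 +0400] "GET /wp-content/uploads/cache.php HTTP/1.1" 200 212 "-" "python-requests/1.1"',
    '203.0.113.8 - - [05/Apr/2013:10:31:40 +0400] "GET /about/ HTTP/1.1" 200 4011 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Apr/2013:11:15:00 +0400] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]
# Constructed mtime of the dropped file (what `stat` would show), timezone-aware.
DROPPED_MTIME = datetime(2013, 4, 5, 10, 30, 3, tzinfo=timezone(timedelta(hours=4)))

if __name__ == "__main__":
    for r in requests_near(SAMPLE_LOG, DROPPED_MTIME):
        print(r["ts"].isoformat(), r["ip"], r["method"], r["path"], r["status"])
    print("\n".join(abuse_excerpt(SAMPLE_LOG, "198.51.100.9")))
```

On a real server, feed it the lines of access.log and the mtime from `stat` on the dropped file; the ordering puts the upload attempt at the top even when the window also contains ordinary visitors.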

crazyASD, 2013-04-05
@crazyASD

Something tells me they are breaking into you not through WordPress holes, but simply through FTP.

egorinsk, 2013-04-05
@egorinsk

You may have a rootkit on your server. That is, the attacker has gained full access to the server with administrator rights, and no matter what you do, he can change it back at any time. There is only one way to deal with rootkits: ask the host to completely wipe the disk and install a fresh copy of the operating system from scratch (after which you will need to install and configure the web server and put all the files with code and data back in place). That is, if you have a rootkit, you will have to spend time and money.
If there is no rootkit, the situation is better. In this case, most likely a backdoor was left behind, but it does not give administrator rights. It is necessary to recheck all code files for changes and delete everything suspicious. Recheck all configs for changes. After that, monitor the logs to see which vulnerability the attacker uses to get onto the server. Logs, of course, not only of the web server but also auth.log and the cron logs (since an attacker could leave his script in the crontab). A thorough check, again, will take time and money.
By the way, a backdoor can also be hidden, for example, in a WordPress theme or plugin; there have been such cases.
> since the admin could not even provide IP addresses, he says there is nothing in the server logs, it is not clear where to look in the http logs
Most likely, he is simply not qualified for the task.
Also, to combat vulnerabilities in web scripts, you can try applying various restrictions on the server like safe_mode or disable_functions, but these are all crutches; properly speaking, you should not install dubious open source scripts in an openly accessible folder.
> The IP of this server is in the Netherlands, most likely it has a proxy or some kind of backtrack installed there. I didn't find this server in public proxy lists, I think it's my own. And on this I ran into a wall, and now I can not imagine what to do next.
Of course, you can write a complaint to that hoster in the Netherlands (attaching logs that show when your server was accessed from theirs), but it may turn out to be bulletproof hosting (that is, created by criminals) that will not give up its own. In that case only law enforcement agencies can help you, but would they want to? Unlikely.

Alexander Borisovich, 2013-04-05
@Alexufo

Install Wordfence. It checks file hashes against the repository, which gets rid of the problem of system files being modified by the wicked.
