
Security File owner being changed by hacker

Discussion in 'System Administration' started by sds, Aug 11, 2022.

  1. sds

    sds New Member

    In my WordPress installation, wp-blog-header.php and index.php are being constantly changed by a hacker. One concerning issue is that both files are root:nginx 0600. However, they are able to change them to nginx:nginx 0777. They can rename directories owned by root, etc...


    What methods can a person use to do this? Does this mean they have root access? My root password was changed and it did nothing. I don't see any fishy log-in attempts using utmpdump.

    I use Wordfence to help clean the files. I have uploaded new ones, etc... I haven't been able to close the backdoor. I'm trying to deduce how they have so much control.

    Any ideas?
     
  2. eva2000

    eva2000 Administrator Staff Member

    Replied to your other related thread at https://community.centminmod.com/threads/file-owner-and-web-users-question.23126/#post-94083

    1. Are you able to provide details of the hack and how it came to be?
    2. How was WordPress installed, and what plugins were used?
    3. Was it on a server only you had access to, or did other admins and site owners have access to it as well?
    and
    1. Is this a hack on a Centmin Mod powered server? If it was, I can offer to log into your server and take a quick look to see if I can find their entry point for you.
    2. Was the WordPress site created using Centmin Mod's centmin.sh menu option 22 WordPress auto installer https://community.centminmod.com/th...l-vs-centmin-sh-menu-option-22-install.15435/ or was it a WordPress installation migrated from a non-Centmin Mod powered server to Centmin Mod?
    3. If it was Centmin Mod centmin.sh option 22 based, the installer would have created a wpinfo.sh script at /usr/local/nginx/conf/wpincludes/ which, when run, provides an output summary of your WordPress install; you can see and provide the list of plugins and themes from that output (not the sensitive info, don't post that publicly), i.e. for a wpce.domain.com created WordPress site
      Code (Text):
      /usr/local/nginx/conf/wpincludes/wpce.domain.com/wpinfo.sh
      WP-CLI 2.6.0
      WP-Home    http://wpce.domain.com
      WP-SiteURL http://wpce.domain.com
      WordPress  version:   6.0
      Database   revision:  51917
      TinyMCE    version:   4.9110  (49110-20201110)
      Package    language:  en_US
      +--------+------------------------------------+--------------+-----------------------------+---------------------+---------------+
      | ID     | user_login                         | display_name | user_email                  | user_registered     | roles         |
      +--------+------------------------------------+--------------+-----------------------------+---------------------+---------------+
      | 173432 | zxiJECpWGdHf0YFeijqCOhIy9Fxtwp4317 | George       | user@domain.com | 2022-06-06 16:33:04 | administrator |
      +--------+------------------------------------+--------------+-----------------------------+---------------------+---------------+
      +----------------------+------------------------------------------------------------------+----------+
      | name                 | value                                                            | type     |
      +----------------------+------------------------------------------------------------------+----------+
      | table_prefix         | 22188_                                                           | variable |
      | WP_CACHE             | 1                                                                | constant |
      | DB_NAME              | wp2529014860db_9123                                              | constant |
      | DB_USER              | wpdb9123u28826                                                   | constant |
      | DB_PASSWORD          | wpdb6n6RDfPwGd5s5NeurQp8095                                      | constant |
      | DB_HOST              | localhost                                                        | constant |
      | DB_CHARSET           | utf8                                                             | constant |
      | DB_COLLATE           |                                                                  | constant |
      | DISABLE_WP_CRON      |                                                                  | constant |
      | WP_AUTO_UPDATE_CORE  | minor                                                            | constant |
      | WP_POST_REVISIONS    | 10                                                               | constant |
      | EMPTY_TRASH_DAYS     | 10                                                               | constant |
      | WP_CRON_LOCK_TIMEOUT | 60                                                               | constant |
      | CONCATENATE_SCRIPTS  |                                                                  | constant |
      | AUTH_KEY             | z/SE4bDs}_vhtw>N}^ejsNa[H#=K{WiM&S j=+X]^)<y=A<pe[;YRekl(qeD+!P| | constant |
      | SECURE_AUTH_KEY      | VJO3LG+.#/^<`UMFp8cbqobj>rom9NA*]KG-[37Hti[z7ju%JCsW_equ{v*)LvV( | constant |
      | LOGGED_IN_KEY        | HYzWiV1$S9s@W@)p]PLUa.x=z)hOZuEb%OtJ0lplI->r>IZUC>AJ=n6f{) ^c|ef | constant |
      | NONCE_KEY            | 9-.v@5pema/~c2rVJsSpvAN1PT>&zr_xi<r#/KqJ5geTbZbM)#Vu==5=Bz1J}=(/ | constant |
      | AUTH_SALT            | ^@3nJcME0SVv@]*!rxZ+.S&RBu%XTV9lPXXZ@nO>;O]H09@^}im~p$s (-XI*@,0 | constant |
      | SECURE_AUTH_SALT     | xk);Hi2K:H=d}]S/8b|qW.GCz}`UF2($Lc;u_~7W_dovXwCZZ;KvpGm(ZETjUOmr | constant |
      | LOGGED_IN_SALT       | B<#CE6`P|U0jk;UL+7Fa$bJA-T=+nrYA(BTk|9Mc4._Rj#eb;:Kc%(,G_8:GWvO` | constant |
      | NONCE_SALT           | tE&1D8Zo9QB%/Eh`q[ukNUiJ!-XV:/]K6Wbl<q+]ypD%1(]j4TrvxQ0<]6`Mm{[? | constant |
      | WP_CACHE_KEY_SALT    | mq`%/-9^Hcy5TMI3z?zBC/RK^GsP uZpo*qpb~k^Jlp 6TN,iL oq8S<hutIbr1< | constant |
      | WP_DEBUG             |                                                                  | constant |
      +----------------------+------------------------------------------------------------------+----------+
      +-------------------------------+----------+--------+---------+
      | name                          | status   | update | version |
      +-------------------------------+----------+--------+---------+
      | akismet                       | inactive | none   | 4.2.4   |
      | autoptimize                   | active   | none   | 3.0.4   |
      | autoptimize-gzip              | active   | none   | 0.1     |
      | block-specific-plugin-updates | active   | none   | 3.2     |
      | cache-enabler                 | active   | none   | 1.4.9   |
      | cdn-enabler                   | active   | none   | 2.0.5   |
      | classic-editor                | active   | none   | 1.6.2   |
      | disable-xml-rpc               | active   | none   | 1.0.1   |
      | sucuri-scanner                | active   | none   | 1.8.30  |
      | advanced-cache.php            | dropin   | none   |         |
      +-------------------------------+----------+--------+---------+
      +-----------------+----------+--------+---------+
      | name            | status   | update | version |
      +-----------------+----------+--------+---------+
      | twentytwenty    | inactive | none   | 2.0     |
      | twentytwentyone | inactive | none   | 1.6     |
      | twentytwentytwo | active   | none   | 1.2     |
      +-----------------+----------+--------+---------+
      
    4. If it was non-Centmin Mod, was it another LEMP stack control panel or your own LEMP setup?
    Some background details might help too
    1. Which version of Centmin Mod are you using? 123.08stable, 123.09beta01, 124.00stable or 130.00beta01?
    2. For the latter 3 versions, you can run this command and share the output, which lists the version history
      Code (Text):
      cminfo versions
     
  3. eva2000

    eva2000 Administrator Staff Member

    Also if on Centmin Mod, you can install auditd via tools/auditd.sh script outlined at https://community.centminmod.com/th...td-support-added-in-latest-123-09beta01.9071/

    You can see an example of specifically monitoring a directory for changes so you can audit it later https://community.centminmod.com/th...added-in-latest-123-09beta01.9071/#post-37761. You can only audit newly logged entries, not past actions done before auditd was set up.

    Also, have you created any sudo users yourself? If so, how did you create the sudo users? You can use auditd to also track sudo users https://community.centminmod.com/th...sion-thread-for-123-09beta01.9089/#post-52814
     
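One way to get the "which uid and program touched these files" answer the thread is after, as an added example that is not code from the post, from Centmin Mod's tools/auditd.sh, or from the linked threads: a shell script that prints auditd watch rules for the WordPress document root (WP_ROOT is an assumed path) and the sudo configuration, then parses a constructed audit.log excerpt the way ausearch -k would, joining SYSCALL and PATH records by event id.

```shell
# Added example (not code from the thread or from Centmin Mod): auditd rules
# for the file changes discussed above, plus a parser for the resulting log.
# WP_ROOT is an assumed path; adjust it to the site's actual document root.
WP_ROOT="${WP_ROOT:-/home/nginx/domains/wpce.domain.com/public}"

# Print auditd rules (e.g. for a file under /etc/audit/rules.d/). -p wa logs
# writes and attribute changes such as chmod/chown; -k tags the events so
# "ausearch -k <key>" finds them later. Only actions after the rules are
# loaded get recorded, as the post above notes.
audit_rules() {
  printf '%s\n' "-w $WP_ROOT -p wa -k wp_root"
  printf '%s\n' "-w $WP_ROOT/index.php -p wa -k wp_core"
  printf '%s\n' "-w $WP_ROOT/wp-blog-header.php -p wa -k wp_core"
  # renames under the web root (the report mentions renamed directories)
  printf '%s\n' "-a always,exit -F arch=b64 -S rename,renameat -F dir=$WP_ROOT -k wp_rename"
  # sudo configuration, for the question about sudo users
  printf '%s\n' "-w /etc/sudoers -p wa -k sudo_cfg" "-w /etc/sudoers.d -p wa -k sudo_cfg"
}

# Constructed audit.log excerpt (not from any real server). Event 4501: uid 994
# (standing in for nginx) changes the mode of index.php from php-fpm (syscall
# 90 is chmod on x86_64); event 4502: root edits a sudoers.d file with vim.
AUDIT_SAMPLE='type=SYSCALL msg=audit(1660200000.123:4501): arch=c000003e syscall=90 success=yes exit=0 ppid=1 pid=2000 auid=4294967295 uid=994 gid=994 euid=994 comm="php-fpm" exe="/usr/local/bin/php-fpm" key="wp_core"
type=PATH msg=audit(1660200000.123:4501): item=0 name="/home/nginx/domains/wpce.domain.com/public/index.php" inode=1234 mode=0100777 ouid=994 ogid=994
type=SYSCALL msg=audit(1660200100.456:4502): arch=c000003e syscall=257 success=yes exit=3 ppid=1500 pid=2100 auid=1000 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="sudo_cfg"
type=PATH msg=audit(1660200100.456:4502): item=0 name="/etc/sudoers.d/webadmin" inode=1235 mode=0100440 ouid=0 ogid=0'

# Join each SYSCALL record with the PATH record of the same event id and
# print "event_id uid exe syscall path" for events tagged with the given key,
# roughly what "ausearch -k <key>" shows, but runnable offline on the sample.
summarize_key() {
  printf '%s\n' "$AUDIT_SAMPLE" | awk -v want="$1" '
    function field(s, f,   v) {
      if (!match(s, " " f "=[^ ]*")) return ""
      v = substr(s, RSTART + length(f) + 2, RLENGTH - length(f) - 2)
      gsub("\"", "", v); return v
    }
    { id = field($0, "msg"); sub(/^audit\([0-9.]*:/, "", id); sub(/\).*/, "", id) }
    /^type=SYSCALL/ && field($0, "key") == want {
      uid[id] = field($0, "uid"); exe[id] = field($0, "exe"); sc[id] = field($0, "syscall")
    }
    /^type=PATH/ && (id in uid) { print id, uid[id], exe[id], sc[id], field($0, "name") }'
}
```

Run `audit_rules` to review the rules before loading them, and `summarize_key wp_core` to see the sample parsed; on a real host the same awk can read /var/log/audit/audit.log in place of the sample.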
  4. sds

    sds New Member

    Answers are all in the previous thread. Thank you.