
Security malware on /home/nginx/domains/*.domain_name

Discussion in 'System Administration' started by TRINH AI QUOC, Mar 13, 2023.

  1. TRINH AI QUOC (New Member)
    Hi @eva2000,
    I have a problem with this .php file in all vhost domains.

    I deleted it but it reappears.
    Do you have any solution for me?
    Thank you very much.
    Attached Files: 1.png (29.9 KB)
  2. eva2000 (Administrator, Staff Member)
    Some background details might help too
    1. Which version of Centmin Mod are you using? 123.08stable, 123.09beta01, 124.00stable or 130.00beta01?
    2. For the latter 3 versions, you can run this command and share the output for the versions history listed
      Code (Text):
      cminfo versions
    3. Is this on Wordpress sites?
    4. Was the Wordpress site created using Centmin Mod's centmin.sh menu option 22 Wordpress auto installer https://community.centminmod.com/th...l-vs-centmin-sh-menu-option-22-install.15435/ or was it a Wordpress installation migrated from a non-Centmin Mod powered server to Centmin Mod?
    5. If it was Centmin Mod centmin.sh option 22 based, the installer would create a wpinfo.sh script at /usr/local/nginx/conf/wpincludes/ which, when run, will provide an output summary of your Wordpress install; you can see and provide a list of plugins and themes from that output (not the sensitive info, don't post that publicly), i.e. for a wpce.domain.com created Wordpress site
      Code (Text):
      /usr/local/nginx/conf/wpincludes/wpce.domain.com/wpinfo.sh
      WP-CLI 2.6.0
      WP-Home    http://wpce.domain.com
      WP-SiteURL http://wpce.domain.com
      WordPress  version:   6.0
      Database   revision:  51917
      TinyMCE    version:   4.9110  (49110-20201110)
      Package    language:  en_US
      +--------+------------------------------------+--------------+-----------------------------+---------------------+---------------+
      | ID     | user_login                         | display_name | user_email                  | user_registered     | roles         |
      +--------+------------------------------------+--------------+-----------------------------+---------------------+---------------+
      | 173432 | zxiJECpWGdHf0YFeijqCOhIy9Fxtwp4317 | George       | user@domain.com | 2022-06-06 16:33:04 | administrator |
      +--------+------------------------------------+--------------+-----------------------------+---------------------+---------------+
      +----------------------+------------------------------------------------------------------+----------+
      | name                 | value                                                            | type     |
      +----------------------+------------------------------------------------------------------+----------+
      | table_prefix         | 22188_                                                           | variable |
      | WP_CACHE             | 1                                                                | constant |
      | DB_NAME              | wp2529014860db_9123                                              | constant |
      | DB_USER              | wpdb9123u28826                                                   | constant |
      | DB_PASSWORD          | wpdb6n6RDfPwGd5s5NeurQp8095                                      | constant |
      | DB_HOST              | localhost                                                        | constant |
      | DB_CHARSET           | utf8                                                             | constant |
      | DB_COLLATE           |                                                                  | constant |
      | DISABLE_WP_CRON      |                                                                  | constant |
      | WP_AUTO_UPDATE_CORE  | minor                                                            | constant |
      | WP_POST_REVISIONS    | 10                                                               | constant |
      | EMPTY_TRASH_DAYS     | 10                                                               | constant |
      | WP_CRON_LOCK_TIMEOUT | 60                                                               | constant |
      | CONCATENATE_SCRIPTS  |                                                                  | constant |
      | AUTH_KEY             | z/SE4bDs}_vhtw>N}^ejsNa[H#=K{WiM&S j=+X]^)<y=A<pe[;YRekl(qeD+!P| | constant |
      | SECURE_AUTH_KEY      | VJO3LG+.#/^<`UMFp8cbqobj>rom9NA*]KG-[37Hti[z7ju%JCsW_equ{v*)LvV( | constant |
      | LOGGED_IN_KEY        | HYzWiV1$S9s@W@)p]PLUa.x=z)hOZuEb%OtJ0lplI->r>IZUC>AJ=n6f{) ^c|ef | constant |
      | NONCE_KEY            | 9-.v@5pema/~c2rVJsSpvAN1PT>&zr_xi<r#/KqJ5geTbZbM)#Vu==5=Bz1J}=(/ | constant |
      | AUTH_SALT            | ^@3nJcME0SVv@]*!rxZ+.S&RBu%XTV9lPXXZ@nO>;O]H09@^}im~p$s (-XI*@,0 | constant |
      | SECURE_AUTH_SALT     | xk);Hi2K:H=d}]S/8b|qW.GCz}`UF2($Lc;u_~7W_dovXwCZZ;KvpGm(ZETjUOmr | constant |
      | LOGGED_IN_SALT       | B<#CE6`P|U0jk;UL+7Fa$bJA-T=+nrYA(BTk|9Mc4._Rj#eb;:Kc%(,G_8:GWvO` | constant |
      | NONCE_SALT           | tE&1D8Zo9QB%/Eh`q[ukNUiJ!-XV:/]K6Wbl<q+]ypD%1(]j4TrvxQ0<]6`Mm{[? | constant |
      | WP_CACHE_KEY_SALT    | mq`%/-9^Hcy5TMI3z?zBC/RK^GsP uZpo*qpb~k^Jlp 6TN,iL oq8S<hutIbr1< | constant |
      | WP_DEBUG             |                                                                  | constant |
      +----------------------+------------------------------------------------------------------+----------+
      +-------------------------------+----------+--------+---------+
      | name                          | status   | update | version |
      +-------------------------------+----------+--------+---------+
      | akismet                       | inactive | none   | 4.2.4   |
      | autoptimize                   | active   | none   | 3.0.4   |
      | autoptimize-gzip              | active   | none   | 0.1     |
      | block-specific-plugin-updates | active   | none   | 3.2     |
      | cache-enabler                 | active   | none   | 1.4.9   |
      | cdn-enabler                   | active   | none   | 2.0.5   |
      | classic-editor                | active   | none   | 1.6.2   |
      | disable-xml-rpc               | active   | none   | 1.0.1   |
      | sucuri-scanner                | active   | none   | 1.8.30  |
      | advanced-cache.php            | dropin   | none   |         |
      +-------------------------------+----------+--------+---------+
      +-----------------+----------+--------+---------+
      | name            | status   | update | version |
      +-----------------+----------+--------+---------+
      | twentytwenty    | inactive | none   | 2.0     |
      | twentytwentyone | inactive | none   | 1.6     |
      | twentytwentytwo | active   | none   | 1.2     |
      +-----------------+----------+--------+---------+
      
    6. It sounds like your site(s) have been hacked. See the discussion on learning how to use auditd in thread https://community.centminmod.com/threads/file-owner-being-changed-by-hacker.23127/. You can install auditd via the tools/auditd.sh script outlined at https://community.centminmod.com/th...td-support-added-in-latest-123-09beta01.9071/. You can see an example of specifically monitoring a directory for changes so you can audit it later at https://community.centminmod.com/th...added-in-latest-123-09beta01.9071/#post-37761. You can only audit newly logged entries, not past actions done before auditd was set up.
    7. If you can't find the hacker's infected files yourself, you'd need to hire someone to at least figure out how they hacked you and clean the infected files. But the best thing to do at the end of the day is to restore clean, uninfected files from a known good backup. But then you also need to have hired someone to figure out how they hacked you, to ensure the restored backups are not infected too.
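An added example (not code from the thread or from Centmin Mod) tying points 6 and 7 together for a file that keeps reappearing: it prints the auditd watch rules for every vhost public directory under /home/nginx/domains (the layout assumed from the thread title), sweeps for recently modified .php files so the reappearance is caught quickly, and prints the ausearch query that shows which process wrote the file once the rules are live. The audit key name vhost_php is an assumption; the rule and query commands are printed rather than executed, so the sweep can run without root.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: /home/nginx/domains/<domain>/public
# Audit key "vhost_php" is a made-up name for grouping the watch rules.

DOMAINS_ROOT="${DOMAINS_ROOT:-/home/nginx/domains}"
AUDIT_KEY="vhost_php"

# Print one auditctl rule per vhost public dir: watch writes (w) and attribute
# changes (a), tagged with the key so ausearch can pull them back out later.
# Rules are printed, not run; run the output as root after tools/auditd.sh.
audit_watch_rules() {
    root="$1"
    for pub in "$root"/*/public; do
        [ -d "$pub" ] || continue
        printf 'auditctl -w %s -p wa -k %s\n' "$pub" "$AUDIT_KEY"
    done
}

# List .php files modified within the last N minutes under a directory,
# sorted one per line. Run from cron to catch the file as it "reappears";
# anything listed that you did not change yourself is a candidate for review.
recent_php_files() {
    dir="$1"; mins="$2"
    find "$dir" -type f -name '*.php' -mmin "-$mins" 2>/dev/null | sort
}

# Print the ausearch query that, once the rules are live, shows the SYSCALL
# (process, uid, exe) and PATH records for every write to a watched dir.
audit_query() {
    printf 'ausearch -k %s -i | grep -E "type=(SYSCALL|PATH)"\n' "$AUDIT_KEY"
}

main() {
    echo "# 1. audit rules to install as root:"
    audit_watch_rules "$DOMAINS_ROOT"
    echo "# 2. .php files changed in the last 60 minutes:"
    recent_php_files "$DOMAINS_ROOT" 60
    echo "# 3. attribution query after the rules are live:"
    audit_query
}

case "${1:-}" in run) main ;; esac
```

Invoke as `sh triage.sh run`; past activity is not recoverable, so install the rules before deleting the file again and let the next reappearance be logged.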