Sysadmin Server Security Breach

Discussion in 'System Administration' started by gasak, Jun 13, 2017.

  1. gasak

    Hi @eva2000 & All Fellow Member,

    A few days ago, I got an email from my server provider, SYS, that my server was sending spam. When I checked on the server, that was true. The load average was very high, reaching 100. I noticed that there was a security breach on my server, which I don't know the cause of, that was using my server for mass email spamming. Finally, I used ClamAV to scan and remove the malware.

    I don't know if this is a centmin security hole or something else, but can somebody please help me with any link to a step-by-step tutorial to secure my server, so it won't happen anymore? Please advise; I really appreciate any help given.

    Thank you.
     
    Last edited: Jun 13, 2017
  2. eva2000

    what malware specifically did you pick up and detect? what web apps/scripts are installed? were scripts kept up to date? which centmin mod version is installed?

    FYI, centmin mod out of the box is secure :)
     
    Last edited: Jun 13, 2017
  3. gasak

    I don't know what malware that is. It just sends mass spam email. When I checked with the htop command, most of the processes were postfix. I run wordpress sites on the server. Scripts are always updated and I never use any nulled plugins on the wordpress sites. Centmin mod version installed: Centmin Mod Menu 123.09beta01.
     
  4. eva2000

    the malware scan would have told you what malware it was, and it probably came in via wordpress then. Did you install wordpress using the centmin.sh menu option 22 wordpress installer? Or did you manually install wordpress yourself?
     
  5. gasak

    No, I'm using the manual method of installing wordpress.
     
  6. eva2000

    centmin.sh menu option 22 wordpress installer is much more secure though ;)

    was it a fresh wordpress install on the centminmod server, or did you move the wordpress site from a previous non-centmin mod server? you could have brought malware from the previous non-centmin mod server into the centmin mod server too.

    probably best to reload centos, reinstall centmin mod and restore from a known clean site/database backup to be 100% sure it's free of malware
     
  7. gasak

    It was transferred from a previous centmin mod server though, while the other server is safe without any malware.
     
  8. RB1

    Have you installed nulled/pirated Wordpress themes/plugins? :LOL:
     
  9. gasak

    Scroll up. Did mention it.
     
  10. RB1

    Ahh I must have missed that. Just saw the info in your post.
     
  12. gasak

    Did a scan; screenshot attached. I think I need to reinstall this server. All websites are infected already. Any advice on server security settings when I reinstall my server and centmin mod? Thank you.

    Screenshot_14.png
     
  13. eva2000

    and the path to the malware is a wordpress install directory?

    if you still have your original backup files from when you moved from one centmin mod server to current infected one, you can also scan that backup set to see if the malware is contained in there too...

    centmin mod is secure out of the box - it's only when you start installing scripts yourself that you need to pay attention to that script's best security practices etc.

    if you have a non-openvz based server, you might also want to install tools/auditd.sh
    it doesn't prevent malware, but if you set up your own custom rules to watch directories etc., you can sort of figure out when the malware gets installed/written
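An added example of the kind of custom watch rule eva2000 mentions above, not part of the thread or of tools/auditd.sh: it emits auditd rules for a WordPress docroot and summarises which files got created under that key from audit.log text. The docroot path, key name and the sample log records are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): watch a WordPress docroot with auditd and
# summarise the resulting audit.log records. Paths, key and log lines are constructed.

# Emit rules for /etc/audit/rules.d/<name>.rules: -w = watch path,
# -p wa = write and attribute-change access, -k = key for "ausearch -k".
wp_audit_rules() {
  docroot="$1"; key="$2"
  printf '%s\n' "-w $docroot -p wa -k $key"
  # uploads/ should only ever hold media; a PHP file created there is a red flag
  printf '%s\n' "-w $docroot/wp-content/uploads -p wa -k ${key}_uploads"
}

# From raw audit.log text, list files CREATEd under a watch key with the uid and
# exe of the writing process, joining each PATH record to its SYSCALL by event id.
created_files() {
  key="$1"
  awk -v key="$key" '
    { if (match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) id = substr($0, RSTART, RLENGTH) }
    /^type=SYSCALL/ && index($0, "key=\"" key "\"") {
      uid = ""; exe = ""
      if (match($0, / uid=[0-9]+/)) uid = substr($0, RSTART + 5, RLENGTH - 5)
      if (match($0, /exe="[^"]*"/)) exe = substr($0, RSTART + 5, RLENGTH - 6)
      ev[id] = uid " " exe
    }
    /^type=PATH/ && /nametype=CREATE/ && (id in ev) {
      if (match($0, /name="[^"]*"/)) print ev[id], substr($0, RSTART + 6, RLENGTH - 7)
    }'
}

# Constructed sample: php-fpm (uid 1000) creating a .php file inside uploads/,
# followed by an unrelated root edit of /etc/motd under a different key.
SAMPLE_LOG='type=SYSCALL msg=audit(1497340000.123:4567): arch=c000003e syscall=2 success=yes exit=5 ppid=1 pid=2 auid=4294967295 uid=1000 gid=1000 euid=1000 comm="php-fpm" exe="/usr/local/bin/php-fpm" key="wp_docroot"
type=PATH msg=audit(1497340000.123:4567): item=1 name="/home/nginx/domains/example.com/public/wp-content/uploads/x.php" inode=1 nametype=CREATE
type=SYSCALL msg=audit(1497340001.000:4568): arch=c000003e syscall=2 success=yes exit=5 ppid=1 pid=3 auid=0 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="other"
type=PATH msg=audit(1497340001.000:4568): item=1 name="/etc/motd" inode=2 nametype=NORMAL'

wp_audit_rules /home/nginx/domains/example.com/public wp_docroot
printf '%s\n' "$SAMPLE_LOG" | created_files wp_docroot
```

On a live host the same join is what `ausearch -k wp_docroot -i` performs for you; the awk version is there so the rule's effect can be seen offline.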
     
  14. gasak

    The path is my public domain directory, and yes, it's where wordpress is installed. I will try to use auditd.sh after reinstalling the system. Thank you @eva2000
     
  15. elargento

    What is different from a default WP installation?
     
  16. eva2000


    centmin.sh menu option 22 vs normal wordpress installs

    • Both Centmin Mod stable and latest beta centmin.sh menu option 22 installs, out of the box, rate limit certain requests to xmlrpc.php and wp-login.php, with optional password protection for wp-login.php in 123.09beta01. In 123.08stable, password-protected wp-login.php is forced.
    • centmin.sh menu option 22 wordpress installs have an out-of-the-box wpsecure include file for further protections, along with tools/autoprotect.sh outlined at https://community.centminmod.com/threads/wordpress-403-permission-denied-errors.11215/, which forces end users to pay more attention to nginx-unsupported .htaccess directories, so as to require manual whitelisting for them.
    • centmin.sh menu option 22 wordpress installs also have auto-generated passwords for the mysql user, wp admin and wp http authentication that are stronger by default, and other best practices for wordpress configuration, i.e. not using userid = 1 for the admin user etc.
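An added nginx example of the two protections the first bullet describes (rate limiting xmlrpc.php and wp-login.php, plus HTTP auth on wp-login.php); it is not the Centmin Mod wpsecure include itself, and the zone names, rates, docroot, htpasswd path and fastcgi address are assumptions.

```nginx
# Added example, not Centmin Mod's own option 22 include. Zone names, rates,
# the docroot, htpasswd path and the fastcgi_pass address are assumptions.

# http {} context: per-client-IP buckets keyed on the binary address.
# 10 login attempts/minute is plenty for humans and starves password guessing.
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=10r/m;
limit_req_zone $binary_remote_addr zone=xmlrpc:10m rate=30r/m;

server {
    root /home/nginx/domains/example.com/public;

    # wp-login.php: second password in front of WordPress's own, then the limiter
    location = /wp-login.php {
        auth_basic "WordPress admin";
        auth_basic_user_file /home/nginx/domains/example.com/htpasswd_wplogin;
        limit_req zone=wplogin burst=5 nodelay;
        limit_req_status 429;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }

    # xmlrpc.php: allow pingbacks/app clients but throttle them; if the site does
    # not use XML-RPC at all, "return 403;" here is the simpler choice
    location = /xmlrpc.php {
        limit_req zone=xmlrpc burst=10 nodelay;
        limit_req_status 429;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }
}
```

Create the htpasswd file with `htpasswd -c <file> <user>` (or openssl passwd) and confirm with `nginx -t` before reloading; the limit_req_zone lines must sit in the http {} block, not inside server {}.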