Want more timely Centmin Mod News Updates?
Become a Member

Wordpress Site hacked, need urgent help to recover

Discussion in 'Blogs & CMS usage' started by poly1, Feb 23, 2015.

  1. poly1

    poly1 New Member

    5
    1
    3
    Nov 20, 2014
    Ratings:
    +1
    Local Time:
    5:07 PM
    1.7.7
    5.5.41
    Our VPS running CentOS 6.6 with centmin .07 appears to have been hacked. We're running the latest versions of Xenforo and Wordpress, each installed in its own directory under webroot. The hacker redirected our homepage to a different URL, a defaced page, and posted a dump of our forum database on another site. We found a number of downloaded gzip files pertaining to the phpjackal shell script in our webroot. According to the documentation for phpjackal, it includes a mysql dump function.

    We've never experienced anything quite like this before, and aren't sure where to proceed from here. We've done the obvious things: changed all our passwords and tried to limit access to the server based on IP, but are unsure of whether we've shut out the hacker, or how to find/verify that anything he was able to install has been removed.

    Any/all help or suggestions would be appreciated. :(
     
  2. eva2000

    eva2000 Administrator Staff Member

    30,160
    6,784
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,135
    Local Time:
    5:07 PM
    Nginx 1.13.x
    MariaDB 5.5
    Sorry to hear that you were hacked. Unfortunately, Centmin Mod is provided as is, so I can't provide any help for free. You might want to check out Sucuri for such Wordpress hacks/clean ups. Obviously, you need to know how they got in via Wordpress plugin or Xenforo addon vulnerabilities (most likely case as core code for Wordpress and Xenforo should be secure and solid usually) or via weak passwords/brute forced etc.

    Where was the server hosted ? VPS ? OpenVZ, KVM, Xen or dedicated server ?.

    Obviously, maldet/clamav scan of your entire server would be a start too Maldet - Linux Malware Detect Addon (discussion) | Centmin Mod Community
     
  3. poly1

    poly1 New Member

    5
    1
    3
    Nov 20, 2014
    Ratings:
    +1
    Local Time:
    5:07 PM
    1.7.7
    5.5.41
    It's a Xen-based VPS. I did follow your guide regarding wordpress, and did have sucuri installed and properly configured. Thanks for the suggestions about maldet/clam, I will give that a go.
     
  4. eva2000

    eva2000 Administrator Staff Member

    30,160
    6,784
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,135
    Local Time:
    5:07 PM
    Nginx 1.13.x
    MariaDB 5.5
    Last edited: Feb 23, 2015
  5. Mask

    Mask Active Member

    104
    29
    28
    Nov 10, 2014
    Ratings:
    +35
    Local Time:
    12:07 PM
    Nginx 1.9.1
    MariaDB 10.0.19
    @poly1

    If they hacker was able to do this much damage, the first thing I will recommend you is to setup a new server and move everything there after a tight checkup. (Better download new php files for WP and Forum from source and ditch all the old ones).
    With such hack, you never know which other file may have a backdoor on your serve now.

    Also as George suggested, you may want to add few functions in the "disable" list.
    This is what I have
    Code:
    disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open
     
  6. jeffwidman

    jeffwidman Active Member

    152
    27
    28
    Dec 3, 2014
    Ratings:
    +51
    Local Time:
    12:07 AM
    @eva2000 Curious why these aren't disabled by default? I'm guessing most off-the-shelf PHP apps don't use these functions because too much risk they'll be installed on a locked-down system and be barraged by support requests from less-tech-savvy customers. So seems like the safer default might be to turn these off and then a user can open them back up if he/she really needs?
     
  7. eva2000

    eva2000 Administrator Staff Member

    30,160
    6,784
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,135
    Local Time:
    5:07 PM
    Nginx 1.13.x
    MariaDB 5.5
    Centmin Mod did have these enabled by default on older versions, but broke too much stuff for folks and their web apps. So yes these restrictions got disable again on latest builds of Centmin Mod.

    Also only a small portion of Centmin Mod users even frequent the forums here, so if a new user has issues using Centmin Mod and their web apps, it's more likely they'll just dump Centmin Mod and move on to another script or just chalk it up to Centmin Mod being buggy (perception not reality). The delicate nature of catering to the masses :)

    Some of the functions are used by apps I commonly use Wordpress, Vbulletin and Xenforo and their relative addon/plugin ecosystem if you do a search in the PHP code.

    mentioned in guides like Nginx Rewrites for Xenforo Friendly Urls

    edit: I might renable this one though as I am been using it on Wordpress and Xenforo without issue

    Code:
    php_admin_value[disable_functions] = shell_exec
     
    Last edited: Feb 26, 2015
  8. eva2000

    eva2000 Administrator Staff Member

    30,160
    6,784
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,135
    Local Time:
    5:07 PM
    Nginx 1.13.x
    MariaDB 5.5
  9. jeffwidman

    jeffwidman Active Member

    152
    27
    28
    Dec 3, 2014
    Ratings:
    +51
    Local Time:
    12:07 AM
    That makes sense.

    I'd vote to keep the more open version as default, and just add a note to the PHP guide at the bottom about "If you want to increase security, try adding this.... warning, may break some app, for example for Xenforo friendly rewrites, see this guide [nginx]"

    It's great that it's listed on the Nginx guide, but the guide I would have expected this to be listed on was the PHP guide: PHP PHP-FPM - Centmin Mod - Menu based Nginx installer for CentOS servers

    And yeah, the people who are likely to care about this in the first place are the folks who read the guides/forums in depth. Otherwise folks just want it to work and worry about hardening stuff later when they get hacked :)
     
    • Like Like x 1
  10. eva2000

    eva2000 Administrator Staff Member

    30,160
    6,784
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,135
    Local Time:
    5:07 PM
    Nginx 1.13.x
    MariaDB 5.5
    • Like Like x 1
  11. trxerz

    trxerz Member

    66
    5
    8
    Jun 25, 2015
    Ratings:
    +7
    Local Time:
    8:07 AM
  12. Mask

    Mask Active Member

    104
    29
    28
    Nov 10, 2014
    Ratings:
    +35
    Local Time:
    12:07 PM
    Nginx 1.9.1
    MariaDB 10.0.19
    Go with the one I listed above. I am am running WP only servers and have not seen any issue.
     
    • Like Like x 1
  13. trxerz

    trxerz Member

    66
    5
    8
    Jun 25, 2015
    Ratings:
    +7
    Local Time:
    8:07 AM
    What about this list Mask, got it from managed hosting company:
    Code:
    pcntl_alarm
    pcntl_fork
    pcntl_waitpid
    pcntl_wait
    pcntl_wifexited
    pcntl_wifstopped
    pcntl_wifsignaled
    pcntl_wexitstatus
    pcntl_wtermsig
    pcntl_wstopsig
    pcntl_signal
    pcntl_signal_dispatch
    pcntl_get_last_error
    pcntl_strerror
    pcntl_sigprocmask
    pcntl_sigwaitinfo
    pcntl_sigtimedwait
    pcntl_exec
    pcntl_getpriority
    pcntl_setpriority
    php_uname
    getmyuid getmypid
    passthru
    leak
    listen
    diskfreespace
    link
    ignore_user_abord
    shell_exec
    dl
    exec
    system
    highlight_file
    source
    show_source
    fpaththru
    virtual
    posix_ctermid
    posix_getcwd
    posix_getegid
    posix_geteuid
    posix_getgid
    posix_getgrgid posix_getgrnam
    posix_getgroups
    posix_getlogin
    posix_getpgid
    posix_getpgrp
    posix_getpid
    posix
    _getppid
    posix_getpwnam
    posix_getpwuid
    posix_getrlimit
    posix_getsid
    posix_getuid
    posix_isatty
    posix_kill
    posix_mkfifo
    posix_setegid
    posix_seteuid posix_setgid
    posix_setpgid
    posix_setsid
    posix_setuid
    posix_times
    posix_ttyname
    posix_uname
    proc_open
    proc_close
    proc_get_status
    proc_nice
    proc_terminate
    phpinfo
    
     
  14. Mask

    Mask Active Member

    104
    29
    28
    Nov 10, 2014
    Ratings:
    +35
    Local Time:
    12:07 PM
    Nginx 1.9.1
    MariaDB 10.0.19
    trxerz
    My version was "minimal recommended", you can add as many as you want to. The one you posted above seems to be too strict and some plugins might end up giving issues.
    For a lot more tight security that the minimal list, I would go with
    Code:
    disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open, allow_url_fopen, pcntl_exec
    Anything more is a bit too much. But you can add as many as you want to.
     
    • Like Like x 2
    • Informative Informative x 2