Security Wordpress Website is Hacked

Discussion in 'System Administration' started by abakisensoy, Nov 1, 2018.

  1. abakisensoy
    Hi;

    I have been using centminmod for my Wordpress website. I switched from Plesk and I was very happy to do that.

    Recently, I got an email from Google Search Console about a mobile website issue. I checked the error and couldn't see any abnormalities. A couple of days later, one of my clients told me that our website was redirecting to a spam webpage. It was redirecting to a page only once on a mobile phone, not on desktop. We upgraded our WordPress etc. and it stopped.

    Today, another client told me he was seeing another spam page when he visits our website on a desktop. Really frustrating.

    What should I do to fix this?

    Any advice is welcome.
     
  2. abakisensoy
    Installing maldet.sh, but it requires:

    add to persistent config file created at
    /etc/centminmod/custom_config.inc and set an
    email address for variable:

    ALERTEMAIL='[email protected]'

    Then re-run the script ./maldet.sh

    There is no "custom_config.inc" file, so I created it with the ALERTEMAIL line.
     
  3. bassie
    You need to find out where the problem lies.
    Wordpress updates only usually won't fix it and are, more often, simply not enough.

    Assuming that your host + Centmin is up-to-date.
    If not, patch your system.

    Step one.
    Often you see that Wordpress is not the problem but the 3rd party addons/plugins/themes.

    Have you analyzed these and found that they are not exploited or vulnerable?
    Make sure there isn't any cracked code (left), otherwise the same crack bot will crack your code again, or re-download spammy software after a few days.

    P.s. exploited code with updates applied afterwards could still be vulnerable.
     
    Last edited: Nov 1, 2018
  4. eva2000
    Some steps discussed in this thread you might want to read up on too: Sysadmin - Mystery files in web root

    It is also possible that your Wordpress instance was compromised while on Plesk and you brought over the infection to Centmin Mod when you transferred data. It isn't uncommon for hackers to lay dormant on compromised systems for a while before actively doing bad things. Though I can't rule out it happening while on Centmin Mod due to an infected or insecure Wordpress plugin itself.

    However, it's also possible folks' mobile devices have been infected with malware too due to apps they have installed. Especially on Android, as manufacturers have a fragmented ecosystem where not all Android phone manufacturers have up-to-date releases with the latest Android security patches. My Samsung S7 is only on the September 2018 security patch while some folks are even further behind by months. What were those visitors reporting the redirects using for their mobile phone brand, model, browser and browser version, and if Android, what version of Android and security update patch date?

    For maldet read Maldet - Linux Malware Detect Addon (discussion) and the more up-to-date example at Security - Extending Maldet Malware Detect Linux & ClamAV Signatures

    While Centmin Mod is provided as is, so hacking cleanup/diagnosis is left to you to deal with, other members here can help, and to do so they would need more details and info.

    Please fill in any relevant information that applies to you:
    • CentOS Version: i.e. CentOS 6 32bit or 64bit / CentOS 7 64bit ?
    • Centmin Mod Version Installed: i.e. 123.08stable or 123.09beta01
    • How was Wordpress installed: via centmin.sh menu option 22 or done manually yourself ?
    • Nginx Version Installed: i.e. 1.15.3
    • PHP Version Installed: i.e. 5.6.37, 7.0.31, 7.1.21, 7.2.9
    • MariaDB MySQL Version Installed: i.e. 10.0.x or 10.1.xx or 10.2.xx
    • When was the last time you updated the Centmin Mod code base ? : i.e. run centmin.sh menu option 23 submenu option 2 or the cmupdate command
    • Persistent Config: Do you have any persistent config file options set in /etc/centminmod/custom_config.inc ? You can check via this command:
      Code (Text):
      cat /etc/centminmod/custom_config.inc
      

      Post output in CODE tags.
    If Wordpress was installed via centmin.sh menu option 22, what is the output of these commands, where domain.com is your domain name
    Code (Text):
    domain=domain.com
    cd /home/nginx/domains/$domain/public
    wp plugin status --allow-root
    

    Code (Text):
    domain=domain.com
    cd /home/nginx/domains/$domain/public
    wp --info --allow-root | sed -e "s|$domain|domain.com|g"
    

    Code (Text):
    domain=domain.com
    cd /home/nginx/domains/$domain/public
    wp core check-update --allow-root
    

    Code (Text):
    cminfo versions
    

    Code (Text):
    cd /usr/local/src/centminmod
    git log --numstat --pretty="%n%h %an %aD %n%s" --shortstat -1
    

    Code (Text):
    nginx -V
    

    Code (Text):
    php -v
    

    Code (Text):
    mysqladmin ver
    

    For posting code or output from commands to keep the formatting, you might want to use CODE tags for code: How to use forum BBCODE code tags :)
    • If you don't have the skills to dig deeper, maybe hire the Sucuri folks for malware/infection removal and analysis: Website Malware Removal - We Fix Hacked Websites | Sucuri, if you use any of their listed CMS (wordpress, joomla, drupal, magento, phpbb and vbulletin), and ask them if your web app/script isn't listed. If they're unfamiliar with Centmin Mod structure, point them to Centmin Mod Configuration Files - CentminMod.com LEMP Nginx web stack for CentOS and this very post itself too.
    • Ultimately, it's highly recommended you restore from the last known clean backup after an OS (centos) reinstall and start fresh. Usually I recommend taking a full backup of your hacked site/file state/server logs etc. including file permissions and such, so a tar backup with preserved file/user permissions. So you can do further analysis later on to find out how you were infected etc.
     
  5. eva2000
    Centmin Mod 123.09beta01 Wordpress installs via centmin.sh menu option 22 also install and activate the Sucuri Wordpress Plugin, which has a file integrity checker to report if Wordpress files have been modified. You can consult that in Wordpress Admin > Sucuri Security area for the Dashboard, as well as look at Wordpress login and failed login history.

    The example here reports files modified in the way of 9 additional files, which are Centmin Mod default installed files when creating a new Nginx vhost site, so I would mark these 9 files as fixed as I know they are safe. If there are files reported which you are not familiar with, inspect them to see if there's any malware/malicious code.

    After marking those known 9 Centmin Mod files, the Sucuri Wordpress plugin's integrity monitor would list all files with correct status.
     
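As an added example (not code from the thread, Centmin Mod, WordPress or Sucuri), a read-only triage script that covers what bassie and eva2000 ask for above: recently changed PHP files, leftover injected/obfuscated code, non-core files in the web root (the "mystery files" case) and wp-cli checksum verification of core and plugins. The document root path and the marker patterns are assumptions; the Centmin Mod vhost files eva2000 mentions will appear in the non-core list and need a one-time manual review.

```shell
#!/bin/sh
# Added triage example for the cleanup steps above; it is not code from the thread,
# WordPress or Centmin Mod. Read-only: it reports, it changes nothing.
# Assumes the vhost layout used in the thread: /home/nginx/domains/<domain>/public.
DOCROOT="${DOCROOT:-}"   # e.g. DOCROOT=/home/nginx/domains/domain.com/public sh wp-triage.sh
# Markers typical of injected droppers/redirect code (detection signatures only).
SUSPECT_RE="eval\((base64_decode|gzinflate|gzuncompress|str_rot13)\(|create_function\(|preg_replace\(.*/e['\"]"
# Top-level entries WordPress core ships with; anything else deserves a look.
WP_CORE_ROOT="index.php wp-activate.php wp-admin wp-blog-header.php wp-comments-post.php
wp-config.php wp-config-sample.php wp-content wp-cron.php wp-includes wp-links-opml.php
wp-load.php wp-login.php wp-mail.php wp-settings.php wp-signup.php wp-trackback.php
xmlrpc.php license.txt readme.html"
# 1. PHP files modified within the last N days (default 7).
recent_php_files() {
    find "$1" -type f -name '*.php' -mtime "-${2:-7}" 2>/dev/null | sort
}
# 2. PHP files containing the eval/obfuscation markers above.
flag_suspicious_php() {
    grep -rlE --include='*.php' "$SUSPECT_RE" "$1" 2>/dev/null | sort
    return 0   # no hits is a valid result, not an error
}
# 3. Files/dirs directly in the web root that are not part of WordPress core
#    (Centmin Mod's own vhost files show up here; verify them once, then ignore).
unexpected_root_entries() {
    known=" $(printf '%s' "$WP_CORE_ROOT" | tr '\n' ' ') "
    for entry in "$1"/* "$1"/.[!.]*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry")
        case "$known" in
            *" $name "*) ;;          # known core entry
            *) echo "$name" ;;
        esac
    done
}
# 4. Authoritative check: compare core and plugin files against wordpress.org checksums.
verify_checksums() {
    command -v wp >/dev/null 2>&1 || { echo "wp-cli not found, skipping"; return 0; }
    ( cd "$1" || exit 1; wp core verify-checksums --allow-root; wp plugin verify-checksums --all --allow-root ) || true
}
if [ -n "$DOCROOT" ]; then
    echo "== PHP files changed in the last 7 days"; recent_php_files "$DOCROOT" 7
    echo "== PHP files with eval/obfuscation markers"; flag_suspicious_php "$DOCROOT"
    echo "== Non-core entries in web root"; unexpected_root_entries "$DOCROOT"
    echo "== wp-cli checksum verification"; verify_checksums "$DOCROOT"
fi
```

Review every flagged file by hand before deleting anything; legitimate plugins occasionally use these functions too, and the checksum step is what actually proves a core or plugin file was altered.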
  6. eva2000