Attack and changing index.php files of websites

Duckname (new member, joined Oct 30, 2023, 7 messages)
Hello,
I have a server with a few websites (9) and since two days ago something has happened and my index.php files are getting changed to Chinese websites. I am uploading screenshots of what my pages look like and of the code I see in index.php.
The code is pasted right above my code, and when I delete it the site works normally.
My CSF is enabled, but I never changed anything in it. If someone can tell me what to do to protect it from those "attacks".

Admin and root passwords are changed.

Thank you for your help.
Regards
 

Attachments: Screenshot 2023-10-30 140407.png, Screenshot 2023-10-30 140444.png
Check logs for POST requests.
Tune ModSecurity and disable_functions.
Check file permissions.
Update CMS/plugins/PHP version; maybe replace bad plugins with better-protected ones.
 
This is what I see for POST requests:

78.90.65.121 - - [29/Jul/2023:19:01:15 +0300] "POST /wp-admin/admin-ajax.php?action=async_litespeed&nonce=ccc996cc93&litespeed_type=imgoptm HTTP/1.1" 200 3370 "-" "WordPress/6.2.2; https://sub-zero.bg"
78.90.65.121 - - [29/Jul/2023:19:02:54 +0300] "POST /wp-cron.php?doing_wp_cron=1690646574.8230919837951660156250 HTTP/1.1" 200 3105 "-" "WordPress/6.2.2; https://sub-zero.bg"
157.245.202.8 - - [29/Jul/2023:19:02:53 +0300] "POST /wp-login.php HTTP/1.1" 403 5957 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"
78.90.65.121 - - [29/Jul/2023:19:02:56 +0300] "POST /wp-admin/admin-ajax.php?action=async_litespeed&nonce=ccc996cc93&litespeed_type=imgoptm HTTP/1.1" 200 3370 "-" "WordPress/6.2.2; https://sub-zero.bg"
78.90.65.121 - - [29/Jul/2023:19:08:56 +0300] "POST /wp-cron.php?doing_wp_cron=1690646936.4019598960876464843750 HTTP/1.1" 200 3105 "-" "WordPress/6.2.2; https://sub-zero.bg"
20.92.138.57 - - [29/Jul/2023:19:08:55 +0300] "POST /wp-login.php HTTP/1.1" 403 5959 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
78.90.65.121 - - [29/Jul/2023:19:08:57 +0300] "POST /wp-admin/admin-ajax.php?action=async_litespeed&nonce=ccc996cc93&litespeed_type=imgoptm HTTP/1.1" 200 3370 "-" "WordPress/6.2.2; https://sub-zero.bg"
78.90.65.121 - - [29/Jul/2023:19:09:56 +0300] "POST /wp-cron.php?doing_wp_cron=1690646996.6897740364074707031250 HTTP/1.1" 200 3105 "-" "WordPress/6.2.2; https://sub-zero.bg"
94.23.61.165 - - [29/Jul/2023:19:09:55 +0300] "POST /wp-login.php HTTP/1.1" 403 5958 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36"
78.90.65.121 - - [29/Jul/2023:19:09:58 +0300] "POST /wp-admin/admin-ajax.php?action=async_litespeed&nonce=ccc996cc93&litespeed_type=imgoptm HTTP/1.1" 200 3371 "-" "WordPress/6.2.2; https://sub-zero.bg"
78.90.65.121 - - [29/Jul/2023:19:11:50 +0300] "POST /wp-cron.php?doing_wp_cron=1690647109.9357829093933105468750 HTTP/1.1" 200 3106 "-" "WordPress/6.2.2; https://sub-zero.bg"
35.187.58.136 - - [29/Jul/2023:19:11:48 +0300] "POST /wp-login.php HTTP/1.1" 403 5958 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
78.90.65.121 - - [29/Jul/2023:19:11:51 +0300] "POST /wp-admin/admin-ajax.php?action=async_litespeed&nonce=ccc996cc93&litespeed_type=imgoptm HTTP/1.1" 200 3370 "-" "WordPress/6.2.2; https://sub-zero.bg"
93.90.201.58 - - [29/Jul/2023:19:12:08 +0300] "POST /wp-login.php HTTP/1.1" 200 6640 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"


Every plugin and WordPress itself are updated; I don't have anything outdated.

Before all this started I had downloaded and uploaded WordPress on one domain, but while I was waiting for DNS someone was able to load the website before me and install WordPress (on an outside DB server). I deleted all files and installed it again (this is a different domain and it is not affected). I have 3 websites affected today; two of them are custom PHP files and the third one is this sub-zero.bg, where every time I delete this code it appears again.
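An added example, not posted by anyone in this thread, of the "check logs for POST requests" triage suggested above. It parses Apache combined-format lines in the same layout as the ones posted, separates WordPress's own cron/admin-ajax calls from outside POSTs, and splits wp-login.php attempts into blocked, reached and logged-in. The log lines, `example.com` and the RFC 5737 addresses are constructed placeholders.

```python
import re
from collections import Counter

# Apache "combined" log format, the layout of the lines shown in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample (RFC 5737 addresses, example.com); not the poster's real log.
SAMPLE_LOG = """\
198.51.100.5 - - [29/Jul/2023:19:02:54 +0300] "POST /wp-cron.php?doing_wp_cron=1690646574.82 HTTP/1.1" 200 3105 "-" "WordPress/6.2.2; https://example.com"
203.0.113.10 - - [29/Jul/2023:19:02:53 +0300] "POST /wp-login.php HTTP/1.1" 403 5957 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Jul/2023:19:08:55 +0300] "POST /wp-login.php HTTP/1.1" 403 5959 "-" "Mozilla/5.0"
203.0.113.12 - - [29/Jul/2023:19:12:08 +0300] "POST /wp-login.php HTTP/1.1" 200 6640 "-" "Mozilla/5.0"
203.0.113.12 - - [29/Jul/2023:19:12:30 +0300] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.12 - - [29/Jul/2023:19:12:45 +0300] "POST /wp-admin/plugin-install.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.5 - - [29/Jul/2023:19:13:00 +0300] "GET /index.php HTTP/1.1" 200 3370 "-" "Mozilla/5.0"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["path"] = e["target"].split("?", 1)[0]   # drop the query string
    return e

def triage_posts(log_text, own_host):
    """Sort outside POST requests into what a defender should look at first.
    403 on wp-login.php: blocked (CSF/ModSecurity/.htaccess) before WordPress saw it;
    200: WordPress re-rendered the login form, so the attempt reached it;
    302: the redirect WordPress issues after a successful login."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    # WordPress calling itself (wp-cron, admin-ajax) carries its own host in the UA.
    posts = [e for e in entries if e["method"] == "POST" and own_host not in e["ua"]]
    blocked = Counter(e["ip"] for e in posts if e["path"] == "/wp-login.php" and e["status"] == 403)
    reached = Counter(e["ip"] for e in posts if e["path"] == "/wp-login.php" and e["status"] == 200)
    logged_in = sorted({e["ip"] for e in posts if e["path"] == "/wp-login.php" and e["status"] == 302})
    # What an IP that got in did next: first place to look for a plugin upload or file edit.
    after_login = [(e["ip"], e["path"]) for e in posts
                   if e["ip"] in logged_in and e["path"] != "/wp-login.php"]
    return {"blocked": dict(blocked), "reached": dict(reached),
            "logged_in": logged_in, "after_login": after_login}

if __name__ == "__main__":
    for key, value in triage_posts(SAMPLE_LOG, "example.com").items():
        print(f"{key}: {value}")
```

On a real server, feed it the domain's access log and that domain's host name; the "reached" and "logged_in" IPs are the ones to cross-check against the times the index.php files changed.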
 
Check the other domains' logs if they are in the same account; it can be hacked from another domain in the same account.
 
Every folder of every website has a new folder "X" and a few files. Every .htaccess is replaced with a new one:

<FilesMatch ".(py|exe|php)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(about.php|radio.php|index.php|content.php|lock360.php|admin.php|wp-login.php|wp-l0gin.php|wp-theme.php|wp-scripts.php|wp-editor.php|mah.php|jp.php|ext.php)$">
Order allow,deny
Allow from all
</FilesMatch>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

I have in every folder new folders and a few new files like: radio.php, about.php, content.php.

I can delete it from all of my custom websites, but in WordPress I'm not sure I will be able to clean it all. Is there any anti-malware I can install to remove it? I tried to restore a backup from 2 weeks ago, but for some reason I don't see any backups (I get a notification in DirectAdmin every day that a backup has been created).
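An added example, not posted by anyone in this thread, that scans a web root for the indicators described in the post above: an .htaccess that denies all .php and then re-allows a fixed list of names, the dropped "X" folders, and the listed file names (radio.php, about.php, content.php and the others from the allow list). It builds a small constructed directory tree in a temp directory so it can be run offline; the sample sites and file contents are placeholders.

```python
import os
import re
import tempfile

# Names the posted .htaccess re-allows; index.php, wp-login.php and admin.php are
# legitimate in many sites and are left out to avoid false positives.
ROGUE_NAMES = {"about.php", "radio.php", "content.php", "lock360.php", "wp-l0gin.php",
               "wp-theme.php", "wp-scripts.php", "wp-editor.php", "mah.php", "jp.php", "ext.php"}
# The posted file first denies every .php, then allows only the attacker's own names.
DENY_ALL_PHP = re.compile(r'<FilesMatch\s+"\.\([^"]*php[^"]*\)\$">\s*Order allow,deny\s*Deny from all')
ALLOW_LIST = re.compile(r'<FilesMatch\s+"\^\(([^"]+)\)\$">\s*Order allow,deny\s*Allow from all')

def htaccess_is_hijacked(text):
    """True when an .htaccess shows the deny-all-PHP / allow-own-files pattern."""
    m = ALLOW_LIST.search(text)
    return bool(DENY_ALL_PHP.search(text) and m and set(m.group(1).split("|")) & ROGUE_NAMES)

def scan_webroot(root):
    """Walk a web root and return sorted (indicator, relative path) findings."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if os.path.basename(dirpath) == "X":           # the dropped "X" folders
            findings.append(("rogue_dir", os.path.relpath(dirpath, root)))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == ".htaccess":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if htaccess_is_hijacked(fh.read()):
                        findings.append(("hijacked_htaccess", os.path.relpath(path, root)))
            elif name in ROGUE_NAMES:
                findings.append(("rogue_file", os.path.relpath(path, root)))
    return sorted(findings)

# Constructed sample tree (not the poster's server): one hijacked site, one clean site.
HIJACKED_HTACCESS = ('<FilesMatch ".(py|exe|php)$">\nOrder allow,deny\nDeny from all\n</FilesMatch>\n'
                     '<FilesMatch "^(about.php|radio.php|index.php|content.php|wp-login.php|mah.php)$">\n'
                     'Order allow,deny\nAllow from all\n</FilesMatch>\n')
CLEAN_HTACCESS = "RewriteEngine On\nRewriteCond %{REQUEST_FILENAME} !-f\nRewriteRule . /index.php [L]\n"

def demo():
    root = tempfile.mkdtemp()
    s1, s2 = os.path.join(root, "site1"), os.path.join(root, "site2")
    os.makedirs(os.path.join(s1, "X")); os.makedirs(s2)
    for path, body in ((os.path.join(s1, ".htaccess"), HIJACKED_HTACCESS),
                       (os.path.join(s1, "radio.php"), "<?php // constructed placeholder\n"),
                       (os.path.join(s1, "index.php"), "<?php echo 'site1';\n"),
                       (os.path.join(s2, ".htaccess"), CLEAN_HTACCESS),
                       (os.path.join(s2, "index.php"), "<?php echo 'site2';\n")):
        with open(path, "w") as fh:
            fh.write(body)
    return scan_webroot(root)
```

Run `scan_webroot()` against the real document roots (for example each domain's public_html) rather than `demo()`; a clean tree returns an empty list, and every hit is a file to restore from a known-good copy rather than just delete, since the post notes the code reappears.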
 
Check accounts with AI-Bolit or ClamAV, and check processes; maybe they are still running and infecting again and again.
 
ClamAV is installed but can't start scanning; when I type "clamscan -r -i /" nothing happens. Can you tell me how to work with it?
 
Also change your WP password.
You might want to consider installing Maldetect; this uses a combination of malware search and combines it with ClamAV.
Works better than only ClamAV.

This will also run in cron so it can check every day if you want, and it's free.
 
[Screenshot attached]

Maldet result.
And files are still corrupted; any other software that will clear it?
 
Hard to say if Maldet doesn't even find anything, which is odd. Did you configure Maldet to use ClamAV?
It seems ClamAV did find 1 infected file; unfortunately it's not clear if it cleaned or removed that file, or which file it was.

Imunify360 has options too I guess, not sure, I'm not using that, but that is payware.
 
Could you show us the list of plugin names of all your WordPress sites?

In the past month there have been many plugin vulnerabilities, and some developers of those plugins leave them without updates.
 
I found one company and already paid them to fix the server.
So it's working perfectly again :) thanks to everyone who tried to help me with my issue :)

If someone has the same issue as me I can recommend them -> Rack911.com

Their response time was really quick and they managed to fix it pretty fast.
If someone needs more information I can answer them.

Again, thanks to everyone who tried to help me.
Regards,
 
Yes, it would be nice to know what they found and how they fixed it. There are more good companies out there which can fix things.
But the interesting thing is how/what they fixed.
At this moment I guess they probably removed the malicious script.
 
Maybe some plugins have another vulnerability, so they will keep it a secret and work with the plugin developer before posting publicly.

That's the reason he is not posting publicly about how this case was fixed.
 
I have the same problem. Do you know what the problem was? How did this happen? Did you figure out how to prevent this from happening again?
 