Netdata penetrates the apache log

So, Yui from WP.org gave even more powerful input and suggested testing that file via VirusTotal.

It says it is a crypto/gold miner. Well, then it is pretty obvious why the CPU is loaded so much. Now the question is how it got there via up-to-date DirectAdmin, Ubuntu 16.04, Installatron, and up-to-date WordPress.
It says that the file owner and file group are the username of that DA user, so I guess it is not root. And the file is writable. Question is how the hell that file keeps running, as it is no WP cronjob. It shows that file in Process Monitor. So maybe they created a temporary file to run it forever. But how to do that with PHP, which is runtime? Did they have to get ROOT access? Can users really run infinite scripts / create processes?

-----
This is from VIRUS TOTAL:
Code:
File System Actions - Files Opened
/etc/ld.so.cache
/lib/x86_64-linux-gnu/libpthread.so.0
/lib/x86_64-linux-gnu/librt.so.1
/lib/x86_64-linux-gnu/libdl.so.2
/lib/x86_64-linux-gnu/libm.so.6
/lib/x86_64-linux-gnu/libc.so.6

Modules Loaded - Runtime Modules
/lib/x86_64-linux-gnu/libdl.so.2
/lib64/ld-linux-x86-64.so.2
/lib/x86_64-linux-gnu/libc.so.6
/lib/x86_64-linux-gnu/libpthread.so.0
linux-vdso.so.1
/lib/x86_64-linux-gnu/libm.so.6
/lib/x86_64-linux-gnu/librt.so.1
So how does this answer the question.
Read my previous post. You can't find the answer in the httpd error log. As I said, you will have to look at the domain logs. That is the answer to your questions. I explained how you can get to the domain logs in DA, you have to login as the user.
The server-status is just something which apache picks up from processes and reading domain logs.

So whether you like it or not, you did get the correct answer to your question from me. Have a look in the specified user's domain log!!!
If you don't know how to do this via DA, do it via SSH, if you want to play admin you have to have some basic knowledge.
I pointed out where the domain logs are for users.
In there you might be able to see which plugin or theme is causing this, because mostly it is indeed a plugin or theme.

Buying premium plugins does not guarantee that they are safe and don't contain vulnerabilities! That's not a thought, that is by experience.

Now I see your last post. Yes, sometimes a user can run infinite scripts, I once had a user where a hacker managed to install a script and some files which generated a mail server so they could use it to spam. All they had to do was to access the php script from outside.

You now have to figure out if something like this is the case, or if indeed files in your /lib and other directories at root level were infected.
Sometimes there are security flaws in OS or versions of applications (like php or apache) which can cause root access in specific cases.

Hard to say what happened now, especially because you were not prepared to do what was presented in the beginning.

Best option: hire a specialist to investigate, we got several here like smtalk and zeiter and sellerone.
It's not that I don't want to help, but it will take a lot of reading log files to start with. The SSH way, not the "login to DA and grep something" way.
 
Hi, Richard, you still have not answered what you enter in the apache access log GREP in DA Admin -> Logs to exclude 'server-status' lines, to see the other lines. What do you enter in the GREP field when you select the 'Inverse' checkbox?
 
 
@ozzWANTED I didn't answer that because I don't use it that way and it's totally useless to look in the access logs, and in the error log the server-status will not be present.
Next to that, I use the sysadmin way to fix stuff, so I go and look in the -correct- logfiles as I mentioned multiple times, not being the apache access and error log.
That way you can find how they got in. Stop focussing on server-status and netdata; you won't solve the issue that way.
 
So we discovered that wp-admin/wp-update.php has also been hacked and has eval(…) in it. Also this virus blocked WordPress from notifying on existing plugin and theme updates, so the system was always showing that plugins, WordPress itself, and themes are up to date. All this has been discovered via WordFence. Still we are trying to figure out how the cronjobs have been started, or how that Linux executable file got to be running/launched infinitely, even after server restart.
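Two triage helpers for the situation in the post above, as an added example that is not code from this thread or from DirectAdmin: a sweep of the web root for PHP files that call eval( (the wp-update.php finding), and a checklist of the places a process can be restarted from after a reboot without being a WordPress cron job, including processes whose executable was deleted after start (the "temporary file to run it forever" idea). The web root, the file names and the eval line are constructed fixtures; the DA user name is a parameter you pass in.

```shell
#!/bin/sh
# Added example (not from the thread). POSIX sh plus GNU find/grep/stat,
# as found on Ubuntu.

# Constructed fixture: a throwaway "web root" with one clean file and one
# file carrying an eval( call (placeholder text, not a real payload).
WEBROOT=$(mktemp -d)
mkdir -p "$WEBROOT/wp-admin" "$WEBROOT/wp-content/plugins/example"
printf '<?php\necho "hello";\n' > "$WEBROOT/wp-content/plugins/example/index.php"
printf '<?php\n/* constructed */ eval($x);\n' > "$WEBROOT/wp-admin/wp-update.php"

# List PHP files under a directory whose content calls eval(. One path per
# line, so the output can be fed to ls -l / stat to check owner and mtime
# (the thread's question of whether the file was created by the user or root).
find_eval_php() {   # $1 = directory
    find "$1" -type f -name '*.php' -exec grep -l -E 'eval[[:space:]]*\(' {} +
}

# Print the persistence locations to review for one system user. Output is
# host-specific; run as root on the affected server.
persistence_checklist() {  # $1 = username (the DA user)
    echo "== user crontab for $1 =="
    crontab -l -u "$1" 2>/dev/null || echo "(none or no permission)"
    echo "== system cron files mentioning $1 =="
    grep -rl -- "$1" /etc/cron* /var/spool/cron 2>/dev/null
    echo "== locally added systemd units and timers =="
    ls /etc/systemd/system 2>/dev/null
    echo "== /etc/rc.local =="
    if [ -f /etc/rc.local ]; then cat /etc/rc.local; fi
    echo "== processes of $1 whose executable was deleted after start =="
    for p in /proc/[0-9]*; do
        owner=$(stat -c %U "$p" 2>/dev/null) || continue
        [ "$owner" = "$1" ] || continue
        exe=$(readlink "$p/exe" 2>/dev/null)
        case "$exe" in *'(deleted)'*) echo "pid ${p#/proc/}: $exe";; esac
    done
}

# Usage on the live host (output not shown here):
#   find_eval_php /home/<da-user>/domains/<domain>/public_html
#   persistence_checklist <da-user>
```

A miner that survives a reboot has to be started by something: a crontab entry, a unit file, rc.local, or a web request that re-launches it. The last loop catches the case where the binary was started and then unlinked, which is why Process Monitor shows it running while the file no longer exists on disk; `readlink` on `/proc/<pid>/exe` still returns the original path with a `(deleted)` suffix.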
 
Stop focussing on server-status and netdata; you won't solve the issue that way.
Well, we still don't know how the hack happened. So we want to check everything. We are here on the DirectAdmin forum, meaning that we **should** use the DirectAdmin features it gives, and I want to know how to use that exact feature (GREP field with Inverse checkbox), as for me it helps to filter out results. It is not the error log, it is the access log. And if there is too much data, it is hard to notice what is important. We still cannot confirm that it did not come from root level, while that is not expected, as the 'WP_UPDATE' file was created by the user, as WinSCP shows, not by root. But that does not mean the file owner was not changed afterwards.
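What the GREP field with the Inverse checkbox does is a `grep -v` over the domain access log. The script below, an added example that is not code from this thread or from DirectAdmin, does the same from SSH on a few constructed log lines (not real traffic) and then summarises what is left: POST requests to PHP files, grouped by path, which is the quickest way to spot the plugin, theme or rogue file that was being hit. The DA log path in the comment is assumed from DirectAdmin's default layout.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample lines in Apache
# combined format; a real DA domain log is typically
# /var/log/httpd/domains/<domain>.log (assumed default path).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
127.0.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET /server-status?auto HTTP/1.1" 200 1234 "-" "netdata"
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 5432 "-" "Mozilla/5.0"
127.0.0.1 - - [01/Jan/2024:10:00:03 +0000] "GET /server-status?auto HTTP/1.1" 200 1234 "-" "netdata"
203.0.113.5 - - [01/Jan/2024:10:00:04 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 12 "-" "python-requests/2.31"
198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-admin/wp-update.php HTTP/1.1" 200 0 "-" "python-requests/2.31"
198.51.100.9 - - [01/Jan/2024:10:00:06 +0000] "POST /wp-admin/wp-update.php HTTP/1.1" 200 0 "-" "python-requests/2.31"
EOF

# Equivalent of the Inverse checkbox: drop every line matching the pattern.
exclude_pattern() {   # $1 = log file, $2 = pattern to exclude
    grep -v -- "$2" "$1"
}

# After removing the netdata server-status noise, count POST requests to PHP
# files by path. In combined format $6 is the quoted method and $7 the path.
suspicious_posts() {  # $1 = log file
    exclude_pattern "$1" 'server-status' \
      | awk '$6 == "\"POST" && $7 ~ /\.php/ { print $7 }' \
      | sort | uniq -c | sort -rn
}

# Usage on the live host:
#   exclude_pattern /var/log/httpd/domains/<domain>.log server-status | less
#   suspicious_posts /var/log/httpd/domains/<domain>.log
```

On the sample above the summary puts `/wp-admin/wp-update.php` first with two hits from a scripted client, which is the kind of line to take the timestamp from and compare with the mtime of the file the post found. The user agent column (`python-requests` against a file that is not part of WordPress) is the second thing to look at.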
 
This is why I detest WordPress with a passion, even though I have 80% of clients using the damn thing... People should learn to code sites; that said, they'll probably put bad code in without realising!

TELL THE SERVER ADMIN TO TIGHTEN THE SERVER SECURITY, eg. maldet, CWAF, etc
 
We have ConfigServer Firewall (CSF) and Brute-Force Monitor (BFM) Integration with DirectAdmin on Ubuntu.
 