Hacked Ubuntu

Discussion in 'Server Operation' started by fernandoch, Dec 7, 2019.

  1. fernandoch

    fernandoch Member HowtoForge Supporter

    Hello,
    I am getting hacked again and can't find the root cause.
    The problem is they create files with old dates.
    For example tonight they created new files with date from June, so it is extremely hard to find the root cause.
    Any ideas?
    Code:
    total 260
    -rw-r--r--  1 www-data www-data   436 Mar 15  2017 wordfence-waf.php
    -rw-r--r--  1 www-data www-data  1849 Jan 12  2019 9wes6ruv.php
    -rw-r--r--  1 www-data www-data  4764 Feb 27  2019 wp-trackback.php
    -rw-r--r--  1 www-data www-data  2283 Feb 27  2019 wp-comments-post.php
    -rw-r--r--  1 www-data www-data   369 Feb 27  2019 wp-blog-header.php
    -rw-r--r--  1 www-data www-data  1849 Jun 11 02:36 4b37qwwg.php
    -rw-r--r--  1 www-data www-data  1932 Jun 15 10:33 jshd26r4.php
    -rw-r--r--  1 root     root        58 Aug  4 11:30 ads.txt
    -rw-r--r--  1 www-data www-data  1849 Aug  7 00:43 124wumo1.php
    -rw-r--r--  1 www-data www-data  1932 Sep 19 17:45 jnv96d4x.php
    -rwxr-xr-x  1 www-data www-data  3155 Oct 31 19:32 wp-config.php
    -rwxr-xr-x  1 www-data www-data   420 Nov  2 23:30 index.php
    -rwxr-xr-x  1 www-data www-data  3150 Nov 15 19:08 xmlrpc.php
    -rwxr-xr-x  1 www-data www-data  3235 Nov 15 19:08 wp-config-sample.php
    -rwxr-xr-x  1 www-data www-data 31112 Nov 15 19:08 wp-signup.php
    -rwxr-xr-x  1 www-data www-data 19120 Nov 15 19:08 wp-settings.php
    -rwxr-xr-x  1 www-data www-data  8483 Nov 15 19:08 wp-mail.php
    -rwxr-xr-x  1 www-data www-data  3326 Nov 15 19:08 wp-load.php
    -rwxr-xr-x  1 www-data www-data  2504 Nov 15 19:08 wp-links-opml.php
    -rwxr-xr-x  1 www-data www-data  6939 Nov 15 19:08 wp-activate.php
    -rwxr-xr-x  1 www-data www-data  7616 Nov 15 19:08 readme.f08a4e343409e1e211811f9381210307.html
    -rwxr-xr-x  1 www-data www-data 19935 Nov 15 19:08 license.txt
    -rwxr-xr-x  1 www-data www-data 17935 Nov 15 19:08 licencia.txt
    drwxr-xr-x 20 www-data www-data 12288 Nov 15 19:08 wp-includes
    drwxr-xr-x  9 www-data www-data  4096 Nov 15 19:08 wp-admin
    -rwxr-xr-x  1 www-data www-data 47007 Nov 15 19:08 wp-login.php
    -rwxr-xr-x  1 www-data www-data  3955 Nov 15 19:08 wp-cron.php
    drwxr-xr-x 14 www-data www-data  4096 Dec  7 10:46 wp-content
     
  2. fernandoch

    fernandoch Member HowtoForge Supporter

    Some of the files:
    9wes6ruv.php
    4b37qwwg.php
    jshd26r4.php
    124wumo1.php
    jnv96d4x.php
     
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Examine web server logs. You seem to use Wordfence, I think that can also show what is happening.
    Are your WordPress, Wordfence, plugins and all themes updated?
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Also check FTP server logs.
    In your place I would shut down that site for maintenance, maybe stop the web server or place an index.html in the website root. And stop the FTP server.
    Then check the updates for all things on that website and also on the operating system. Then change all passwords to at least 12-character-long random strings. All passwords means, for that website: FTP user password, database password, control panel password if you have that, WordPress user passwords, shell user password. Maybe even the root user password. Remove the files the cracker added, and also check the database for malicious stuff added. There is, for example, this: https://ispprotect.com/ More such tools can be found with Internet search engines.
    After maintenance is completed, start the website again and keep following FTP and web server logs for suspicious activity.
    Consider using fail2ban to block password guessing attempts.
     
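One defensive check for the backdated files described in the first post, and for the "remove the files the cracker added" step above, as an added example (not code from anyone in this thread): compare each file's modification time (mtime), which any process can set with touch/utime, against its inode change time (ctime), which only the kernel updates. It assumes GNU findutils for `find -printf`, as shipped on Ubuntu; the sample directory in `demo` is constructed here and mimics the thread's listing.

```shell
# find_backdated DIR [SLACK_SECONDS]
# Prints "mtime ctime path" for regular files under DIR whose mtime is more
# than SLACK_SECONDS (default 60) older than their ctime. A process running
# as www-data can set mtime but not ctime, so a large gap means the file was
# backdated (or merely chmod/chown'ed, or restored with rsync -a, which also
# preserves mtime): review the hits, do not delete blindly.
find_backdated() {
    dir=$1
    slack=${2:-60}
    find "$dir" -type f -printf '%T@ %C@ %p\n' |
        awk -v slack="$slack" '
            # $1 = mtime epoch, $2 = ctime epoch, remainder = path
            {
                m = $1 + 0; c = $2 + 0
                if (c - m > slack) {
                    path = $0
                    sub(/^[^ ]+ [^ ]+ /, "", path)   # keep paths with spaces intact
                    printf "%s %s %s\n", int(m), int(c), path
                }
            }'
}

# demo: constructed sample directory, one legitimate file and one dropped file
# backdated to Jun 11 02:36 2019 like 4b37qwwg.php in the OP's listing.
# Prints the hits, then the number of hits on the last line (expected: 1).
demo() {
    tmp=$(mktemp -d)
    printf '<?php\n' > "$tmp/index.php"        # legitimate, created now
    printf '<?php\n' > "$tmp/4b37qwwg.php"     # dropped file, then backdated
    touch -t 201906110236 "$tmp/4b37qwwg.php"  # mtime rewound; ctime stays "now"
    hits=$(find_backdated "$tmp" 60)
    rm -rf "$tmp"
    printf '%s\n' "$hits"
    printf '%s\n' "$hits" | awk 'NF { n++ } END { print n + 0 }'
}
```

On a real host run it as `find_backdated /var/www 60` (or over each site's document root) and compare the hits against the web and FTP logs around each file's ctime, which is the true drop time.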
  5. fernandoch

    fernandoch Member HowtoForge Supporter

    I have like 12 websites on that server, so not so easy to do...
    Not sure it is a passwords thing as they are all already very strong.
     
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What is hard in
     