php files appearing from no where on some sites??? Causing spam

Discussion in 'ISPConfig 3 Priority Support' started by rob_morin, Nov 21, 2016.

  1. rob_morin

    rob_morin Member

    Hello all, not sure if this is proper place for this but i dont know where else to turn. I have a few virtual hosting client wordpress sites that get compromised by a couple ways. One way is that the file index.php in the site's docroot /web, keeps getting overwritten with a "decodeurl" statement that redirects to a chinese site, if i delete the file it comes back, if i chown the file to root:root and chmod 0000 it still comes back?. I checked ftp logs, the client or no one else is uploading it via ftp. Thats one problem
    The second problem is a file named mod_imageslider.php that keeps appearing even though no one uploads it via ftp and the client has no clue about it. This mod_imageslider.php is used to send 1000's of spams. I added postfwd to postfix but it does not help to block outgoing emails, i thought it would, i guess its just for incoming. this web server does not accept incoming emails. I also install amavis on the web server it does not catch much as it thinks the emails are legit and the emails do not get a high score.
    I also purchased ispprotect and i ran last night, i will see what it says later today...
    Any ideas or suggestion? I am running latest ISPCONFIG
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    In almost all cases, this is caused by a hack in wordpress, so the file gets uploaded by code in a WordPress file (most likely an insecure plugin or theme file) and not by FTP. Check the access.log file of the website for POST requests. There are normally very few POST requests in a WP site and if one of them goes to a file that you do not expect to be the target of such POSTS, then this file contains most likely a vulnerability.

    that's normal in such a case and the owner of the file does not matter as a file (no matter of its owner) can be removed and replaced by the user that owns the folder where this file is in, the hacker code in wordpress can replace that file as the "web" folder is owned by the webID user and php of the site is run as webID user.

    You should check the files mentioned in the ispprotect report.
  3. rob_morin

    rob_morin Member

    Thanks Till I shall go over those result files today, since it scanned at 3am, and check for post commands in the affected site logs.
    Have a good day!


Share This Page