Someone is changing all PHP files and I don't know how!

Every few weeks someone or something would just add weird code like, "
on top of every PHP file on websites I am hosting. Mostly the websites are WordPress, but I have noticed that other non-WordPress websites I host get corrupted too.

I have tried to add file monitoring on WordPress files and checked the date and time at which files are changed. I have cross-referenced the same date and time with SSH auth logs to see any successful break-ins. There were none. I have also checked the date and time against the access.log for the individual website whose files were changed. Nothing really out of the ordinary.

Of course everyone here is going to suggest to clean it up and start over but I really want to know how I am being hacked.

Here is my set up:

SSH users

  • Root (still active)

  • User1

Apache user & group

  • User1 | User1

All sites are located at

  • /home/User1/public/, e.g.

Website 1

/home/User1/public/website1.com/public/(all files)

Website 2

/home/User1/public/website2.com/public/(all files)

All file permissions have been set up as per the Linode tutorials. Directories are 755 while files are 644.

I am still learning Linux administration, so please be polite and help me. I'll be truly grateful :)

6 Replies

Yes, a clean start is your best bet. Common attack vectors include:

1. SSH brute force (note someone can delete their entries from the logs). You should only allow key access to SSH and disable password access.

2. Software vulnerabilities. Make sure you keep your software packages up to date using apt/yum/whatever package manager your distro uses.

3. WordPress vulnerabilities. Again, keep that and its plugins up to date.

4. WordPress brute force. If the user you're running PHP under can write to WordPress files, then a user could edit theme files via the WordPress admin.

So in short, after a fresh install:

1. Make sure packages and WordPress are up to date.

2. Disable SSH password authentication.

3. If possible, run PHP under a user that can't write to the WordPress files.

Thanks for the post obs.

"3. If possible, run PHP under a user that can't write to the WordPress files."

May I ask how I can do that? Should I create a new user group and user? Change the Apache user? If you can elaborate a bit more, it would be of great help.

It depends on your set up. Assuming you're using Apache with mod_php, PHP is probably running under www-data; simply setting the owner of your files to root (or whoever you log in as) and setting the permissions to 0644 will do the trick. The downside is you won't be able to use the auto-update feature of WordPress.

sami1255,

  • Does your FTP allow anonymous logins? If so, someone may have uploaded a small control panel that lets them have access to your files. You should check your logs around the time that these file modifications happen to see what other pages are being called.

  • Which user is the 'owner' of the files that are being modified? 644 doesn't help much if your Apache user is the owner of the files.

MSJ

It should be noted that these suggestions about how to lock down WordPress are for your new system. Your system has been compromised and can no longer be trusted. There is no "cleaning" of the system to be done, it needs to be rebuilt from known good backups.

@Guspaz:

"It should be noted that these suggestions about how to lock down WordPress are for your new system. Your system has been compromised and can no longer be trusted. There is no "cleaning" of the system to be done, it needs to be rebuilt from known good backups."

sami1255,

Guspaz is correct. Your server is dead in the water … but … before you migrate your database(s), settings, files, etc. over to a new server, you need to make sure that you are not bringing over your infection.

  • You should not copy your WP installs to the new server; install everything fresh.

  • You should not copy over any files that have executable extensions or permissions (no .php, no .pl, no .sh, etc.).

  • Any HTML files you bring over cannot include any PHP code in them, not even PHP variables.

  • You should not copy over any cache files.

You're going to need to make sure your database entries are clean too. It's possible that someone has infected your DB, and when a certain page on your site is displayed, the content from the DB is executed and causes the infection.

Does a request for a certain page - possibly a page that doesn't get much traffic - precede the return of the infection?

Is the infected content the same every time? Is it always in the same files?

MSJ
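A small script for the log cross-check MSJ describes in both replies (which pages were being called around the time the files were modified), added here as an example and not part of the thread. It assumes Apache combined-format access.log lines, a file mtime taken from the file monitoring sami1255 already set up, and a server clock in the same timezone as the log; the log lines and the mtime below are constructed.

```python
import re
from datetime import datetime, timedelta
# Constructed sample access.log lines (Apache "combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2015:03:14:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1531 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:03:14:07 +0000] "POST /wp-content/uploads/2014/cache.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2015:03:14:09 +0000] "GET /index.php HTTP/1.1" 200 8311 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2015:03:40:00 +0000] "GET /about/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def apache_ts(text):
    """Parse an Apache timestamp such as 10/Mar/2015:03:14:08 +0000."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "ts": apache_ts(m.group("ts")), "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

def requests_near(log_text, mtime, window=timedelta(seconds=30)):
    """Requests whose timestamp lies within +/- window of the file's mtime."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and abs(rec["ts"] - mtime) <= window:
            hits.append(rec)
    return hits

def suspicious(records):
    """Keep requests that commonly precede a file write: any POST, and any
    request for a .php file under wp-content/uploads (which should hold media)."""
    return [r for r in records
            if r["method"] == "POST"
            or (r["path"].lower().endswith(".php")
                and "/wp-content/uploads/" in r["path"])]

if __name__ == "__main__":
    # Constructed mtime: when file monitoring reported the PHP file changed.
    mtime = apache_ts("10/Mar/2015:03:14:08 +0000")
    for r in suspicious(requests_near(SAMPLE_LOG, mtime)):
        print(r["ts"].isoformat(), r["ip"], r["method"], r["path"], r["status"])
```

As obs noted, whoever can write the files may also be able to edit the logs, so an empty result does not prove that nothing happened.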
