Virus

  • Hello

    We had a virus attack on the side. Now the page is active again: hosteltromen.com

    After the new installation I used the virus scanner from cPanel and he gave me two results. Both log files from the logs directory of WP. The report was:

    logs / hosteltromen.com-Ago-2017.gz YARA.eval_post.UNOFFICIAL

    I then asked the support and this has written, it are only security copys. But that is not true?

    I am not familiar with log files, but I have opened it with notepad ++. Obviously all accesses to the page, with IP address?

    I then saw that many of these lines in the log file refer to wp-login. Here’s an example:

    2.93.66.233 – – [10/Aug/2017:22:24:22 -0300] “GET /wp-login.php HTTP/1.1” 404 – “-” “Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0”

    What does that mean? Wanted someone to log into WP? Or the one here:

    198.204.235.27 – – [07 / Aug / 2017: 14: 14: 35 -0300] “POST //xmlrpc.php HTTP / 1.1” 200 415 “https://www.google.com.hk” “Mozilla / 5.0 (Windows NT 6.1, WOW64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 42.0.2311.90 Safari / 537.36 ”

    What does POST mean? The site is very simple, you can not post anything, no comments, no forms. This access was very often one after the other, with the same IP, maybe 50 x!

    The virus attack was reported by the Hoster wiroos.com on 8.8.2017 with Supportticket. I want to find out how the virus came to the side and what a virus it was. The support says he does not know. The page was then locked on 8.8.2017 with a 403 and all files from the public_html moved to a different directory.

    The whole log file is here: https://portalpb.bplaced.net/logfile/

    Can someone help me?

    Greeting
    Patrick

    The page I need help with: [log in to see the link]

Viewing 8 replies - 1 through 8 (of 8 total)

  • Hello, Patrick, & welcome.

    Several things, I think. Firstly, it does appear that there is some author scanning of your site occurring. I would personally suggest installing a security plugin like Wordfense, as 1 of its functions is to limit the number of times someone can attempt to log into your site w/incorrect credentials. You can search for new plugins on your dashboard using keywords like “limit logins” if for some reason Wordfense isn’t your cup of tea.

    I would further suggest changing your hosting provider’s control panel, database, & dashboard passwords following recovery of your site if you haven’t done so already. Make sure those passwords are very strong–& remember longer is better. You can get a password manager to remember them for you. Remember to update your database password in your wp-config.php file once it’s changed.

    Lastly, when I searched on Google for:
    site:hosteltromen.com
    I got some pretty suspect results. I’d highly recommend you consider joining Google’s Search Console (formerly webmaster tools) at google.com/webmastertools. You’ll need to verify your ownership of the site via whatever method you can. Once you’ve verified ownership, check both the ‘security issues’ & ‘Search Traffic’ > ‘manual Actions’ tabs. It will tell you if there is suspicious content. If you’re sure that your site has been cleaned, feel free to request a review from Google.

    Please let us know if this helps.

    Thread Starter retoGe

    (@retoge)

    Thank you Jackie for this help.

    I am trying to check the log file. I can see, that we have some IP, that are coming to the webside very often and send request every some seconds. Ok, I will try to find out, who this was.

    After 8. August I think, all the request for our side got a 404. I asked the support to tell me, at what time exactly they dedect the virus and when they blocked the side.

    If you have more information for me about the log file, please let me know. I am not very good in this things ??

    greetings
    Patrick

    Thread Starter retoGe

    (@retoge)

    I will post you here the support ticket from 8. August. It is in spanish, but the google translation is quite good. Maybe you can tell me something about the infectet files? Who is Marvin phph?

    Su sitio hosteltromen.com fue suspendido preventivamente debido a que estaba realizando envíos de SPAM.

    Los envíos estaban siendo realizados desde un archivo que creemos fue subido de forma no autorizada a su sitio web aprovechando una vulnerabilidad de seguridad.

    Hemos renombrado el directorio public_html por public_html_verificar para que no sea necesario suspender la cuenta completamente, pudiendo así utilizar el correo electrónico, y además tener la posibilidad de acceder a los archivos de su sitio web para resolver los problemas de seguridad.

    —-
    IMPORTANTE: Tenga en cuenta que en WIROOS somos muy estrictos en lo relacionado con SPAM y seguridad. Su servicio podría ser cancelado de manera definitiva en caso de que no sea cuidadoso con la seguridad de su servicio ya que Ud. es responsable por el mal uso del mismo.

    Por favor, no elimine simplemente los archivos que fueron subidos a su sitio, preocúpese por resolver el problema que permitió que esos archivos se suban, que es el problema de fondo.

    No le reste importancia a este asunto. Considere las pérdidas económicas que sufriría su negocio si su servicio es suspendido o cancelado.
    —-
    —-
    Colaboramos en la resolución de este problema compartiéndole el siguiente resultado de nuestro scan de virus y exploits:

    ‘/home/hosteltr/public_html_verificar/Marvins.php’
    # Known exploit = [Fingerprint Match] [PHP Shell Exploit]

    ‘/home/hosteltr/public_html_verificar/Mkutps.php’
    # Known exploit = [Fingerprint Match] [PHP Shell Exploit]

    ‘/home/hosteltr/public_html_verificar/af1d89.php’
    # Known exploit = [Fingerprint Match] [PHP Obfuscated Exploit [P1070]]

    ‘/home/hosteltr/public_html_verificar/eaiubnv3.php’
    # (decoded file [advanced decoder: 14 (depth: 1)]) Known exploit = [Fingerprint Match] [PHP Obfuscated Exploit [P1070]]

    ‘/home/hosteltr/public_html_verificar/gtde.php’
    # Known exploit = [Fingerprint Match] [PHP POST Exploit [P1274]]

    ‘/home/hosteltr/public_html_verificar/index.php’
    # Known exploit = [Fingerprint Match] [PHP Injection Attack [P1261]]

    ‘/home/hosteltr/public_html_verificar/phqmv.php’
    # Known exploit = [Fingerprint Match] [PHP POST Exploit [P1274]]

    ‘/home/hosteltr/public_html_verificar/wp-config.php’
    # Known exploit = [Fingerprint Match] [PHP Injection Attack [P1261]]

    ‘/home/hosteltr/public_html_verificar/wp-pols.php’
    # Known exploit = [Fingerprint Match] [PHP POST Exploit [P1274]]

    ‘/home/hosteltr/public_html_verificar/cgi-bin/favicon_ea47a8.ico’
    # Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P0803]]

    ‘/home/hosteltr/public_html_verificar/wp-admin/css/colors/midnight/fuxemngl.php’
    # Known exploit = [Fingerprint Match] [PHP COOKIE Exploit [P1037]]

    ‘/home/hosteltr/public_html_verificar/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_addgallery_page/static/plupload-2.1.1/Moxie.xap’
    # (compressed file: Moxie.dll [depth: 1]) MS Windows Binary/Executable [application/x-winexec]

    ‘/home/hosteltr/public_html_verificar/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_admin/templates/field_generator/nextgen_settings_field_width_and_unit.php’
    # Known exploit = [Fingerprint Match] [PHP POST Exploit [P1274]]

    ‘/home/hosteltr/public_html_verificar/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_basic_tagcloud/Mrcrtq.php’
    # Known exploit = [Fingerprint Match] [PHP Shell Exploit]

    ‘/home/hosteltr/public_html_verificar/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_gallery_display/static/fonts/Dcqdm.php’
    # (decoded file [advanced decoder: 14 (depth: 1)]) Known exploit = [Fingerprint Match] [PHP Shell Exploit [P0324]]

    ‘/home/hosteltr/public_html_verificar/wp-content/plugins/qtranslate-x/comay.php’
    # Known exploit = [Fingerprint Match] [PHP Exploit]

    ‘/home/hosteltr/public_html_verificar/wp-content/plugins/qtranslate-x/qutofxpe.php’
    # Known exploit = [Fingerprint Match] [PHP GLOBALS Exploit [P0923]]

    ‘/home/hosteltr/public_html_verificar/wp-content/plugins/so-css/lib/codemirror/addon/fold/Dcqdm.php’
    # (decoded file [advanced decoder: 14 (depth: 1)]) Known exploit = [Fingerprint Match] [PHP Shell Exploit [P0324]]

    ‘/home/hosteltr/public_html_verificar/wp-content/plugins/wp-google-maps/base/umezdvto.php’
    # Known exploit = [Fingerprint Match] [PHP GLOBALS Exploit [P0923]]

    ‘/home/hosteltr/public_html_verificar/wp-content/themes/sketch/404.php’
    # Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P0877]]

    ‘/home/hosteltr/public_html_verificar/wp-content/themes/sketch/addon.php’
    # Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P0877]]

    ‘/home/hosteltr/public_html_verificar/wp-content/themes/sketch/header.php’
    # (decoded file [advanced decoder: 14 (depth: 1)]) Known exploit = [Fingerprint Match] [PHP WordPress Exploit [P0970]]

    ‘/home/hosteltr/public_html_verificar/wp-content/themes/twentyfifteen/author-bio.php’
    # Known exploit = [Fingerprint Match] [PHP POST Exploit [P0892]]

    ‘/home/hosteltr/public_html_verificar/wp-content/themes/twentyfifteen/extension.php’
    # Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P1082]]

    ‘/home/hosteltr/public_html_verificar/wp-content/themes/twentyfifteen/message.php’
    # Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P1082]]

    ‘/home/hosteltr/public_html_verificar/wp-content/themes/twentyfifteen/messages.php’
    # Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P0877]]

    ‘/home/hosteltr/public_html_verificar/wp-content/themes/twentyfifteen/single.php’
    # Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P0877]]

    ‘/home/hosteltr/public_html_verificar/wp-content/themes/twentysixteen/404.php’
    # Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P0877]]

    ‘/home/hosteltr/public_html_verificar/wp-content/themes/twentysixteen/js/Mrcrtq.php’
    # Known exploit = [Fingerprint Match] [PHP Shell Exploit]

    ‘/home/hosteltr/public_html_verificar/wp-content/uploads/extension.php’
    # Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P1082]]

    ‘/home/hosteltr/public_html_verificar/wp-content/uploads/message.php’
    # Known exploit = [Fingerprint Match] [PHP Obfuscation Exploit [P1082]]

    ‘/home/hosteltr/public_html_verificar/wp-includes/Requests/IDNAEncoder.php’
    # Known exploit = [Fingerprint Match] [PHP Injection Exploit [P0997]]

    ‘/home/hosteltr/public_html_verificar/wp-includes/Requests/Exception/HTTP/401.php’
    # Known exploit = [Fingerprint Match] [PHP Injection Exploit [P0997]]

    ‘/home/hosteltr/public_html_verificar/wp-includes/Requests/Exception/HTTP/417.php’
    # Known exploit = [Fingerprint Match] [PHP POST Exploit [P1274]]

    ‘/home/hosteltr/public_html_verificar/wp-includes/css/modules.php’
    # Known exploit = [Fingerprint Match] [PHP Exploit]

    ‘/home/hosteltr/public_html_verificar/wp-includes/js/jcrop/zcpghkcy.php’
    # Known exploit = [Fingerprint Match] [PHP GLOBALS Exploit [P0923]]

    ‘/home/hosteltr/public_html_verificar/wp-includes/js/swfupload/gfaahgsu.php’
    # Known exploit = [Fingerprint Match] [PHP GLOBALS Exploit [P0923]]

    ‘/home/hosteltr/public_html_verificar/wp-includes/random_compat/byte_safe_strings.php’
    # Known exploit = [Fingerprint Match] [PHP Injection Exploit [P0997]]

    ‘/home/hosteltr/public_html_verificar/wp-includes/random_compat/random_bytes_libsodium.php’
    # Known exploit = [Fingerprint Match] [PHP Injection Exploit [P0997]]

    ‘/home/hosteltr/public_html_verificar/wp-includes/rest-api/class-wp-rest-response.php’
    # Known exploit = [Fingerprint Match] [PHP Injection Exploit [P0997]]

    ‘/home/hosteltr/public_html_verificar/wp-snapshots/index.php’
    # Known exploit = [Fingerprint Match] [PHP Injection Attack [P1261]]

    —-

    Por favor háganos saber cuando el problema de seguridad fue resuelto para reactivar su sitio web.

    Atte.,
    El equipo de WIROOS

    Patrick, yo puedo leer Espanol. Perro no hablo o escribio mucho. Lo siento. You can, if you wish, receive support in spanish at es.www.ads-software.com/support.

    The hackers planted a shell on your server, which meant they could take total control. These filenames were part of it. These sorts of hacks often occur because the website wasn’t updated, old themes and plugins that had security problems were being used, or passwords were weak. Please do consider changing passwords to your hosting control panel, WordPress dashboard, & WordPress database, if you haven’t already done so, & please consider installing a plugin like Wordfense to prevent such occurrences in future. These steps will protect you, & also protect others from becoming victims of the criminals.

    Thread Starter retoGe

    (@retoge)

    Thank you,I have alredy done this things. Wordfense seems to be a very strong tool :-). Just I have some repords of google, that pages are hacked. But they are not more hacked. I tested it wird wordfense and the virusscanner from the hoster. I think I can solve this problem.

    What you write about this shell, is interessting. Why tehy try someting like this, on a webside of a simple hostel? Maybe because of the situation in Argentina? The oposition (Kirchneristas) are fighting a lot against the president. And the family of the hostel are kirchnerists. Strange…and criminal, no?

    greetings and thank you so much for your help
    Patrick Reto Bieri

    Patrick, much as victims like to think that a hack is personal, the truth is that it generally is not. This is the #1 question I get asked by victims when I’m helping them fix their hacked sites. 1 of the real problems is that people tend to underestimate the value of their websites. Spammers can take the site owner’s bandwidth to spread their spammy messages, they can infect the site’s visitors w/malware like ransomware or pay-to-click, they can send emails from your server until it gets a bad reputation, at which point they go elsewhere, they even hide their messages to humans & only display them to search engines, which seems like was the case w/your site.

    If you’re sure the site is clean, ask Google for a reconsideration. They generally get back in a week or less. It’d be good to get your site off their blacklist.

    If I ever get to Argentina, I’ll be sure to look you up & stay a night. But I want to go to Norway & Isreal first, & I doubt even those trips will happen, so don’t hold your breath or you might turn blue lol. Nonetheless, I wish you great & abundant success w/your hostel, & that includes your website. Protect it by making strong passwords, keeping it updated, & use plugins & themes whose code has been well maintained, & you should be good to go. & don’t hesitate to come back here or to the Spanish forum if that’s more comfortable if you need help.

    Thread Starter retoGe

    (@retoge)

    Thanks. Ok, I am ot the hostel owner :-). I am just a frequent guest and have done the website for them, as a help.

    Wordfence is working fine. 3 IP where blocked, as they tried to login the page. I will now put the time to block IP to 1 months.

    Hey, the south of Argentina is realy a nice place to visit. Best time is Ocotber to December or March to May. December to February is toruist time and every hostel is much more expensive. Somteimes 3 times more expensive!

    greetings
    Patrick Reto Bieri

    angelwp

    (@angelwp)

    @abletec Hello!, i have all day reading your answers in differents topics!, i have a already create my topic, title: How can i find and delete backdoor, i hope you can help me ??
    it’s good to see how there are people as dedicated as you helping out other developers

    • This reply was modified 7 years ago by angelwp.
Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘Virus’ is closed to new replies.