Author Topic: Virus on some websites hosted on cwp server  (Read 4917 times)

Virus on some websites hosted on cwp server
« on: September 28, 2022, 11:26:37 AM »
Guys, a client has some sites hosted with me and these sites are being hacked: the index.php code is changed, and wp-admin, wp-content and wp-includes folders are being created inside the root.
Keep in mind that the client does not use WordPress and the site was built in Laravel.




Server has mod_security enabled, firewall, clamAV, lynis, symlink, maldet, rkhunter and I made many security changes as per http://wiki.centos-webpanel.com/


Re: Virus on some websites hosted on cwp server
« Reply #1 on: September 28, 2022, 11:35:46 AM »
htaccess is being created in all directories of these sites with this content.
<FilesMatch ".(php|php5|phtml)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(access.php|locale.php|uninstall.php|themes.php|wp-login.php|xmlrpcs.php|admin.php|load.php)$">
Order allow,deny
Allow from all
</FilesMatch>

Re: Virus on some websites hosted on cwp server
« Reply #2 on: October 15, 2022, 04:56:56 PM »
htaccess is being created in all directories of these sites with this content.
<FilesMatch ".(php|php5|phtml)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(access.php|locale.php|uninstall.php|themes.php|wp-login.php|xmlrpcs.php|admin.php|load.php)$">
Order allow,deny
Allow from all
</FilesMatch>


The changes were made by a WP plugin you installed.
You can ask me to solve any problem with your server for some money in pm  ;)
Services Monitoring & RBL Monitoring
http://centos-webpanel.com/services-monitor
Join our Development Team and get paid !
http://centos-webpanel.com/develope-modules-for-cwp

Installation Instructions
http://centos-webpanel.com/installation-instructions
Get Fast Support Here
http://centos-webpanel.com/support-services

Re: Virus on some websites hosted on cwp server
« Reply #3 on: October 16, 2022, 10:20:51 AM »

Install Wordfence (if you use WordPress), then scan. You will get all the info.
I got this (not a virus) hijacker... PHP shell.
Almost all directories have an .htaccess with that value,
and some directories have a PHP shell injector.

htaccess is being created in all directories of these sites with this content.
<FilesMatch ".(php|php5|phtml)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(access.php|locale.php|uninstall.php|themes.php|wp-login.php|xmlrpcs.php|admin.php|load.php)$">
Order allow,deny
Allow from all
</FilesMatch>


The changes were made by a WP plugin you installed.
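
A defensive sweep for the pattern reported in Reply #1 and Reply #3, added here as an example and not part of any post: it walks a document root, flags every .htaccess that denies PHP in general while re-allowing a fixed list of script names, and reports which of those allow-listed scripts exist beside it. The directory layout in `demo()` is constructed, and the matching heuristic is an assumption based only on the two blocks quoted in this thread.

```python
import re
import tempfile
from pathlib import Path

# The two FilesMatch blocks quoted in this thread, copied from the posts above.
SAMPLE = """<FilesMatch ".(php|php5|phtml)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(access.php|locale.php|uninstall.php|themes.php|wp-login.php|xmlrpcs.php|admin.php|load.php)$">
Order allow,deny
Allow from all
</FilesMatch>
"""
BLOCK_RE = re.compile(r'<FilesMatch\s+"([^"]+)">(.*?)</FilesMatch>', re.S | re.I)

def allowlisted_php(text):
    """Names re-allowed by an .htaccess that otherwise denies PHP; [] if no such pair."""
    denies_php, names = False, []
    for pattern, body in BLOCK_RE.findall(text):
        body = body.lower()
        if "deny from all" in body and not pattern.startswith("^") and "php" in pattern:
            denies_php = True  # broad "block every PHP file" rule
        elif "allow from all" in body and pattern.startswith("^(") and pattern.endswith(")$"):
            names += [n for n in pattern[2:-2].split("|") if n.endswith(".php")]
    return names if denies_php else []

def scan(root):
    """Return [(relative dir, allow-listed scripts present there)] for matching .htaccess files."""
    findings = []
    for ht in sorted(Path(root).rglob(".htaccess")):
        names = allowlisted_php(ht.read_text(errors="replace"))
        if names:
            present = sorted(n for n in names if (ht.parent / n).is_file())
            findings.append((ht.parent.relative_to(root).as_posix(), present))
    return findings

def demo():
    """Constructed docroot: two dropped .htaccess files, one benign one, one allow-listed script."""
    benign = '<FilesMatch "\\.(env|log)$">\nDeny from all\n</FilesMatch>\n'
    tree = {"public/.htaccess": SAMPLE, "public/index.php": "", "public/locale.php": "",
            "public/css/.htaccess": SAMPLE, "storage/.htaccess": benign}
    with tempfile.TemporaryDirectory() as root:
        for rel, content in tree.items():
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_text(content)
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

Scripts reported as present are the ones the dropped rules keep reachable, so they are the first files to review; directories reported with an empty list still carry the dropped .htaccess and need cleaning.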

Re: Virus on some websites hosted on cwp server
« Reply #4 on: October 27, 2022, 09:14:40 AM »
This code is incorrect and will never work. Do not use the plugin ;)

Re: Virus on some websites hosted on cwp server
« Reply #5 on: October 27, 2022, 09:23:52 AM »
Hi,

Have you found out where the infection is coming from, from a plugin or from somewhere else...?

Thanks in advance!

BR
Venty

Re: Virus on some websites hosted on cwp server
« Reply #6 on: October 28, 2022, 09:24:22 AM »
Hi,

Have you found out where the infection is coming from, from a plugin or from somewhere else...?

Thanks in advance!

BR
Venty

????

Re: Virus on some websites hosted on cwp server
« Reply #7 on: October 29, 2022, 01:29:37 AM »
Hi,

Have you found out where the infection is coming from, from a plugin or from somewhere else...?

Thanks in advance!

BR
Venty

 ??? ?


Just don't try to use nulled scripts, even if they come from forum B*. Their trusted uploader and tester is not 100% consistent with the first concept... and never trust other sites either... If you want to use nulled, better get it from B*... even if not 100% clean, but better. Don't trust license GPL....

Play safe :D Install Wordfence.

Re: Virus on some websites hosted on cwp server
« Reply #8 on: October 29, 2022, 08:32:51 PM »
I do not try to use nulled scripts, but...??

htaccess is being created in all directories in public folder....

Re: Virus on some websites hosted on cwp server
« Reply #9 on: October 30, 2022, 01:22:40 PM »
Install Imunify360.

Re: Virus on some websites hosted on cwp server
« Reply #10 on: October 30, 2022, 03:24:26 PM »
I do not try to use nulled scripts, but...??

htaccess is being created in all directories in public folder....
You should check your CMS script and/or your developer (if you have someone else working with you).


Re: Virus on some websites hosted on cwp server
« Reply #11 on: January 07, 2023, 10:36:52 PM »
I've had to clean up web shells and also spam sources on various WordPress installs over the years. This is not uncommon and requires much vigilance, as WordPress is a huge attack vector since it makes up such a large percentage of web sites. Here's a recent article about the latest wave. It ends with some salient advice:
Quote
WordPress plugins have long been a common means for infecting sites. While the security of the main application is fairly robust, many plugins are riddled with vulnerabilities that can lead to infection. Criminals use infected sites to redirect visitors to sites used for phishing, ad fraud, and distributing malware.

People running WordPress sites should ensure that they’re using the most current versions of the main software as well as any plugins. They should prioritize updating any of the plugins listed above.