Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - kurtmix

Pages: [1]
1
I'm not sure if the File Manager issue is resolved with the update because my server was recently hacked. Or it was hacked a while ago, but the hacker only acted now, because it only affected traffic to the sites I have on the VPS two weeks ago, and it only affected the .htaccess file since October 17th.
I've been closely monitoring the VPS since the 18th, and apparently nothing strange has happened again. However, I warn you that WordPress websites, in particular, have contaminated files. That is, in addition to new files, they also modify WordPress system files, and the only solution is deleting and restoring a backup.
Also, on WordPress websites, users appeared in the database that were not visible in the WordPress user manager. You need to remove them via PHPMyAdmin.
The hacker modified the robots.txt and .htaccess files to direct traffic to an online store.
I recommend everyone try a Google search for "site:yourdomain.tld" to check for abnormal results or redirects.

I recommend restoring backups of everything in the public_html folder because if any file is infected, the malicious files will reappear.

2
Yes, I am portuguese.
As far as I can see, I don't have folders with just a single letter. That's probably from a previous hack?

Quote
Two users were created on the WordPress sites, but these users are not visible in the WordPress admin panel. To see these users, you have to use PHPmyadmin.
Oh ok, i didn't know that. I haven't checked the users in the WordPress admin panel, I only saw them in the database like you did.
If you simulate the Googlebot user agent in your browser you'll be able to see the changes on your website. The defacement probably only activates for certain countries (I'm just guessing), because there is no other way to view it without simulating the Googlebot agent.
Make sure you remove usermeta data as well (from the database).

Quote
In wp-content folders dont find any php file.
had a few PHP files inside /wp-content/uploads and they were malicious (and by the look, they are from the same creator).

Quote
I renamed /usr/local/cwpsrv/var/services/user_files/modules/filemanager.php, but the cwpanel filemanager still works. Is this normal?
With that change, Filemanager inside admin panel it still works, but in the user panel it doesn't work anymore.
Change your CWP panel port and add “Simple Authentication” to it - It has to be done manually.
That will help prevent future damage.
Yes, I am portuguese.
As far as I can see, I don't have folders with just a single letter. That's probably from a previous hack?

Quote
Two users were created on the WordPress sites, but these users are not visible in the WordPress admin panel. To see these users, you have to use PHPmyadmin.
Oh ok, i didn't know that. I haven't checked the users in the WordPress admin panel, I only saw them in the database like you did.
If you simulate the Googlebot user agent in your browser you'll be able to see the changes on your website. The defacement probably only activates for certain countries (I'm just guessing), because there is no other way to view it without simulating the Googlebot agent.
Make sure you remove usermeta data as well (from the database).

Quote
In wp-content folders dont find any php file.
had a few PHP files inside /wp-content/uploads and they were malicious (and by the look, they are from the same creator).

Quote
I renamed /usr/local/cwpsrv/var/services/user_files/modules/filemanager.php, but the cwpanel filemanager still works. Is this normal?
With that change, Filemanager inside admin panel it still works, but in the user panel it doesn't work anymore.
Change your CWP panel port and add “Simple Authentication” to it - It has to be done manually.
That will help prevent future damage.

Obrigado pela resposta e também pelas dicas.
Perdi muitas horas a tentar perceber como conseguiram entrar no servidor e este tópico serviu de ajuda para entender o que sucedeu. Afinal o problema foi causado por uma vulnerabilidade e certamente o meu servidor já está contaminado desde cerca de 2 semanas, porque foi nessa altura que começaram a descer abruptamente as visitas orgânicas aos meus sites e foi outra situação que me causou confusão e não percebia o motivo. No dia de ontem o mallware substituiu os ficheiros de index e deixou os sites inacessíveis sendo isso o que me levou a investigar a causa.
Agradeço as dicas, mas mudar a porta não serve de muito porque basta fazer um scan às portas para descobrir qual é. A porta ssh estou constantemente a muda-la e mesmo assim são quase diarias as tentativas de login ssh.
O meu caso mudei a senha dos usuários e como o servidor é só para mim, deixo desativado o filemanager.php. Também limitei o número de envio de emails porque é muito comum que estas ações ocorram para fazer spam usando o servidor de email.
Vou ficar atento aos logs e espero que tenha ficado resolvido. Importa salientar que tenho ativo o firewall, antivirus e o mallware scanner, mas não foram suficientes para mitigar a intrusão.
Mais uma vez agradeço o feedback porque este tópico poupou-me muito tempo de investigação e análise.
Deixo apenas uma última anotação à parte do tema, este fórum submete a resposta em http em vez de https, algo invulgar. Vou ponderar deixar de utilizar este cwpanel porque já é a segunda vez que tenho um problema destes causado por vulnerabilidades do próprio painel.

3
I have the same problem. My VPS are infected.
Im using CWPpro version: 0.9.8.1218 and Rocky Linux release 9.5
After the intrusion i have problems with SEO, google results display titles from other sources.
My websites traffic has plummeted in the last few days because of this change. When I type site:mysomain.tld into Google, I see that the results point to my websites, but the text is different.
Does anyone else have this problem? Do you know how to fix it? How did you manage to change it? I've already submitted sitemaps to Google Search Console, but I'm not sure if it will work.

Hi, read all the thread, your problem is 100% related to this topic. Our servers were exploited to show an online store. Not sure what the hacker did to gain anything with this because the webpages were not defaced. Usually they get the google refer to deface the webpage.
Take into consideration that your server has a lot of backdoors installed. But, as I said, read the thread.

I believe your websites are in wordpress. So start by removing the new user the hacker added to your websites. Then install a fresh wordpress and start all over :)

Make sure you remove all .php files from "wp-content\uploads".

Apparently, you're Portuguese, and so am I.
The infected VPS has 12 sites, most of which are WordPress, but it also has two sites built from scratch and a forum in SMF.
All sites were affected, and what I discovered was the following:
- Index.php, .htaccess, and robots.txt were replaced on all sites.
- Several files and folders were added. Some of these folders had single-letter names.
- There were zip files, JPG files but with malicious code, and also fake CSS files.
- Two users were created on the WordPress sites, but these users are not visible in the WordPress admin panel. To see these users, you have to use PHPmyadmin.
- The robots.txt file had an error in the word "disallow" and contained a line like "sitemap: doamain.tld/?sitemap.xml," which I believe is used to trick Google into reading a different sitemap that isn't the correct one. Because Google started indexing several URLs that don't exist, meaning all the fake URLs are of the type https://domain.tld/?f=142558512. One of the websites has 4,000 pages in the original sitemap, but Google indexed 58,000 because of these fake URLs.
- The strangest thing is that the original URLs of the sites were kept, but in Google results, they appear with titles and descriptions different from the original content.
In wp-content folders dont find any php file.

I deleted all the strange files I found, deleted the users via phpmyadmin, restored the backups of the infected files, and submitted the sitemaps to the search engines.
I renamed /usr/local/cwpsrv/var/services/user_files/modules/filemanager.php, but the cwpanel filemanager still works. Is this normal?
I'm afraid the vulnerability won't be fixed and that all the cleanup and file restoration work will be futile.
I'm guessing this issue will affect many servers and I don't see any response from the CWP team.

4
I have the same problem. My VPS are infected.
Im using CWPpro version: 0.9.8.1218 and Rocky Linux release 9.5
After the intrusion i have problems with SEO, google results display titles from other sources.
My websites traffic has plummeted in the last few days because of this change. When I type site:mysomain.tld into Google, I see that the results point to my websites, but the text is different.
Does anyone else have this problem? Do you know how to fix it? How did you manage to change it? I've already submitted sitemaps to Google Search Console, but I'm not sure if it will work.

5
CentOS-WebPanel Bugs / Re: CWP Installed Server down now
« on: August 01, 2016, 12:26:56 AM »
Ask for reboot from you service provider support

Pages: [1]