Control Web Panel
WebPanel => Information => Topic started by: akechi on September 28, 2022, 11:26:37 AM
-
Guys, a client has some sites hosted with me and these sites are being hacked: the index.php code is changed, and wp-admin, wp-content and wp-uncludes folders are being created inside the root.
Keep in mind that the client does not use WordPress; the site was built in Laravel.
(https://i.imgur.com/vHYkY5A.png)
Server has mod_security enabled, firewall, clamAV, lynis, symlink, maldet, rkhunter and I made many security changes as per http://wiki.centos-webpanel.com/
-
htaccess is being created in all directories of these sites with this content.
<FilesMatch ".(php|php5|phtml)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(access.php|locale.php|uninstall.php|themes.php|wp-login.php|xmlrpcs.php|admin.php|load.php)$">
Order allow,deny
Allow from all
</FilesMatch>
-
The changes were made by a WP plugin you installed.
-
Install Wordfence (if you use WordPress), then scan. You will get all the info.
I got this (not a virus) hijacker... a PHP shell.
Almost all directories have an .htaccess with that value,
and some directories have a PHP shell injector.
-
This code is incorrect and will never work. Do not use the plugin ;)
-
Hi,
Have you found out where the infection is coming from, from a plugin or from somewhere else...?
Thanks in advance!
BR
Venty
-
????
-
??? ?
Just don't try to use nulled scripts, even if they came from forum B*. Their trusted uploaders and testers are not 100% consistent with the first concept... and never trust other sites either... If you want to use nulled, better get it from B*... even if not 100% clean, but better. Don't trust the GPL license...
Play safe :D Install Wordfence.
-
I do not try to use nulled scripts, but...??
An .htaccess is being created in all directories in the public folder....
-
Install Imunify360.
-
You should check your CMS script and/or your developer (if you have someone else working with you).
-
I've had to clean up web shells and also spam sources on various WordPress installs over the years. This is not uncommon and requires much vigilance, as WordPress is a huge attack vector since it makes up such a large percentage of web sites. Here's a recent article (https://arstechnica.com/information-technology/2023/01/hundreds-of-wordpress-sites-infected-by-recently-discovered-backdoor/) about the latest wave. It ends with some salient advice:
WordPress plugins have long been a common means for infecting sites. While the security of the main application is fairly robust, many plugins are riddled with vulnerabilities that can lead to infection. Criminals use infected sites to redirect visitors to sites used for phishing, ad fraud, and distributing malware.
People running WordPress sites should ensure that they’re using the most current versions of the main software as well as any plugins. They should prioritize updating any of the plugins listed above.
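A defensive check for the .htaccess pattern reported in this thread, added here as an example and not posted by any participant: it walks a document root and reports every directory whose .htaccess denies PHP in general while re-allowing a fixed list of script names, together with any of those scripts actually present there. The function names and the command-line usage are assumptions of this example.

```python
import os
import re
import sys

# One <FilesMatch "pattern"> ... </FilesMatch> section, as in the file quoted in the thread.
FILESMATCH = re.compile(r'<FilesMatch\s+"([^"]+)">(.*?)</FilesMatch>', re.S | re.I)

def parse_htaccess(text):
    """Return (blocks_all_php, allowed_names) for one .htaccess body."""
    blocks_php, allowed = False, []
    for pattern, body in FILESMATCH.findall(text):
        if re.search(r'^\s*Deny\s+from\s+all', body, re.I | re.M) and 'php' in pattern.lower():
            blocks_php = True          # generic "no PHP may run here" section
        elif re.search(r'^\s*Allow\s+from\s+all', body, re.I | re.M):
            m = re.fullmatch(r'\^\((.+)\)\$', pattern)   # ^(a.php|b.php|...)$
            if m:
                allowed += [n.replace('\\', '') for n in m.group(1).split('|')]
    return blocks_php, allowed

def scan(docroot):
    """List (directory, whitelisted scripts present) for every matching .htaccess."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if '.htaccess' not in files:
            continue
        with open(os.path.join(dirpath, '.htaccess'), errors='replace') as fh:
            blocks_php, allowed = parse_htaccess(fh.read())
        # Deny-all-PHP plus a named exception list is the combination seen in the thread;
        # an ordinary rewrite-only .htaccess (e.g. Laravel's public/.htaccess) is not reported.
        if blocks_php and allowed:
            findings.append((dirpath, sorted(f for f in files if f in allowed)))
    return findings

if __name__ == '__main__':
    # Assumed usage: python3 scan_htaccess.py /path/to/site/public
    for directory, scripts in scan(sys.argv[1]):
        print(directory, 'whitelisted scripts present:', ', '.join(scripts) or 'none')
```

Directories reported with a non-empty script list are the ones to review first, since those files are the only PHP the injected rule still lets the web server execute.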