Quote:
Originally Posted by wademac
Hey All,
For a few months now I have been trying to track down what is creating malware on a WordPress site. I have ClamAV installed and LMD, and nightly it picks up the file that is created and Linux Malware Detect removes it, but I cannot get the true reason this is happening. Does anyone have any suggestions? A search on Google did not provide me any direction on getting to the true issue.
So, for several months now that server has been faithfully delivering SPAM with brief interruptions of individual delivery scripts as they are temporarily removed by LMD.
My own Google search for "wordpress php malware removal" produced about 30 billion hits, so maybe you should try to refine the search terms.
But all sarcasm aside, and I really do want to help... perform the following steps in this order to resolve the problem:
Code:
1. Remove that server from the internet immediately!
2. Remove that server from the internet immediately!
3. Remove that server from the internet immediately!
4. Perform whatever forensics you want, to identify original attack vector.
5. Wipe the system clean...
6. Configure and test firewall and other intrusion detection and access control methods of your choice.
7. Rebuild web server and CMS with fully updated and patched versions of all software.
8. Maintain the server with rapid updates of all security related patches going forward.
Honestly, ClamAV and LMD are NOT the tools to use for webserver security or maintenance - ever.
And as long as the system is internet accessible you have the proverbial not-a-hope-in-h*ll of cleaning it up - ever.
The appearance of the name "wordpress" in your description provides the best clue as to the most likely original attack vector, but your lack of mention of security beyond ClamAV and LMD also indicates some lack of knowledge of the threat landscape and applicable security methods.
So to summarize:
* REMOVE THAT SYSTEM FROM THE INTERNET IMMEDIATELY!
* Learn more about webserver administration, knowledge is the key!
* Realize that the system IS now compromised and CANNOT be cleaned as long as it remains online.
* Forget about "cleanup" and start thinking "reinstall from ground up".
And in case I have not emphasized the point sufficiently, PLEASE remove that system from internet access immediately, which will stop the flow of the millions of SPAM emails it has likely already sent as well as its participation in botnets, and interrupt the automated reinstallation channel which is much more efficient and effective at what it does than your periodic and totally ineffective LMD removal methods.
As you proceed along this recovery path, please tell us what you have done and ask for help as needed - AFTER that machine has been removed from internet access, in case I forgot to mention it.
You may think this advice harsh and unhelpful, but I really do intend it to be helpful and am willing to offer what specific help I can. But I want to emphasize CLEARLY that your machine has almost certainly been SPAMMING and CORRUPTING OTHER PEOPLE'S SYSTEMS, literally "for months now", and you MUST put an end to that FIRST. Only then can you begin to cope with the real problem.
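Step 4 of the list above (identify the original attack vector before wiping) is where the nightly re-created file becomes evidence rather than a nuisance; as an added example that is not from this thread, here is a small Python triage script that walks a WordPress webroot offline (on a copy taken from the disconnected machine) and lists the first leads an investigator checks: PHP files sitting in wp-content/uploads, PHP files changed in the last N hours, and PHP files containing common obfuscation calls. The webroot layout, the sample files and the function names (triage_webroot, build_sample_webroot, demo) are constructed for this example; the encoded string in the sample file decodes to "hello".

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Heuristic markers common in injected PHP droppers; a hit is a lead for manual review, not proof.
SUSPECT = re.compile(rb"(eval|base64_decode|gzinflate|str_rot13)\s*\(")

def triage_webroot(root, hours=24):
    """Walk a WordPress webroot; return sorted lists of leads, paths relative to root."""
    root = Path(root)
    cutoff = time.time() - hours * 3600
    findings = {"php_in_uploads": [], "recently_modified": [], "suspicious_content": []}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in {".php", ".phtml", ".php5"}:
            continue
        rel = path.relative_to(root).as_posix()
        # uploads should hold only media; executable PHP there is a classic dropper location
        if rel.startswith("wp-content/uploads/"):
            findings["php_in_uploads"].append(rel)
        # a file that keeps reappearing will always be in this list the morning after
        if path.stat().st_mtime >= cutoff:
            findings["recently_modified"].append(rel)
        if SUSPECT.search(path.read_bytes()):
            findings["suspicious_content"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}

def build_sample_webroot(base):
    """Constructed fixture: two clean month-old files plus one freshly dropped file in uploads."""
    base = Path(base)
    old = time.time() - 30 * 86400
    clean = {"wp-config.php": b"<?php define('DB_NAME', 'wp');\n",
             "wp-content/themes/demo/functions.php": b"<?php add_action('init', 'noop');\n"}
    for rel, body in clean.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
        os.utime(p, (old, old))  # backdate so only the dropped file counts as recent
    dropped = base / "wp-content/uploads/2024/cache.php"
    dropped.parent.mkdir(parents=True, exist_ok=True)
    dropped.write_bytes(b"<?php eval(base64_decode('aGVsbG8='));\n")  # harmless sample, not a shell
    return base

def demo(hours=24):
    """Build the fixture in a temp dir and triage it; returns the findings dict."""
    base = build_sample_webroot(tempfile.mkdtemp(prefix="wp-triage-"))
    return triage_webroot(base, hours=hours)
```

Run demo() to see all three lists point at wp-content/uploads/2024/cache.php; on a real copy, pair the recently_modified list with the machine's cron entries and web access logs for the same window to find what keeps writing the file.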