LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-14-2016, 12:04 PM   #1
wademac
Member
Registered: Apr 2008
Posts: 43

{HEX}php.base64.v23au.185


******************************************************************************************

Last edited by wademac; 05-14-2016 at 03:34 PM.
Old 05-14-2016, 01:40 PM   #2
astrogeek
Moderator
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=14, FreeBSD_12{.0|.1}
Posts: 5,221
Blog Entries: 11

Quote:
Originally Posted by wademac
Hey All,

For a few months now I have been trying to track down what is creating malware on a WordPress site. I have ClamAV installed and LMD, and nightly it picks up the file that is created and Linux Malware Detect removes it, but I cannot get to the true reason this is happening. Does anyone have any suggestions? A search on Google did not provide me any direction on getting to the true issue.
So, for several months now that server has been faithfully delivering SPAM with brief interruptions of individual delivery scripts as they are temporarily removed by LMD.

My own google search for "wordpress php malware removal" produced about 30 billion hits, so maybe you should try to refine the search terms.

But all sarcasm aside, and I really do want to help... perform the following steps in this order to resolve the problem:

Code:
1. Remove that server from the internet immediately!
2. Remove that server from the internet immediately!
3. Remove that server from the internet immediately!
4. Perform whatever forensics you want, to identify original attack vector.
5. Wipe the system clean...
6. Configure and test firewall and other intrusion detection and access control methods of your choice.
7. Rebuild web server and CMS with fully updated and patched versions of all software.
8. Maintain the server with rapid updates of all security related patches going forward.
Honestly, ClamAV and LMD are NOT the tools to use for webserver security or maintenance - ever.

And as long as the system is internet accessible you have the proverbial not-a-hope-in-h*ll of cleaning it up - ever.

The appearance of the name "wordpress" in your description provides the best clue as to the most likely original attack vector, but your lack of mention of security beyond ClamAV and LMD also indicates some lack of knowledge of the threat landscape and applicable security methods.

So to summarize:

* REMOVE THAT SYSTEM FROM THE INTERNET IMMEDIATELY!
* Learn more about webserver administration, knowledge is the key!
* Realize that the system IS now compromised and CANNOT be cleaned as long as it remains online.
* Forget about "cleanup" and start thinking "reinstall from ground up".

And in case I have not emphasized the point sufficiently, PLEASE remove that system from internet access immediately, which will stop the flow of the millions of SPAM emails it has likely already sent as well as its participation in botnets, and interrupt the automated reinstallation channel which is much more efficient and effective at what it does than your periodic and totally ineffective LMD removal methods.

As you proceed along this recovery path, please tell us what you have done and ask for help as needed - AFTER that machine has been removed from internet access, in case I forgot to mention it.

You may think this advice harsh and unhelpful, but I really do intend it to be helpful and am willing to offer what specific help I can. But I want to emphasize CLEARLY that your machine has almost certainly been SPAMMING and CORRUPTING OTHER PEOPLE'S SYSTEMS, literally "for months now", and you MUST put an end to that FIRST. Only then can you begin to cope with the real problem.

Last edited by astrogeek; 05-14-2016 at 01:47 PM.
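Step 4 in the list above (identify the original attack vector before wiping) is the part the original poster could not get past, and it is the part LMD cannot do: removing the dropped file each night tells you nothing about how it got there. The usual way to answer that is to take the web server access logs off the (now offline) machine and work backwards from the first request ever made to the dropped file to what the same client did just before it. The script below is an added example for this thread; it is not code from either poster. It assumes the dropper's URL path is known from LMD's report, that the logs are in Apache/nginx "combined" format, and it uses constructed log lines with documentation-range addresses and a hypothetical plugin path rather than anything from a real incident.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log in Apache "combined" format. The addresses are
# documentation ranges and the plugin path is hypothetical; none of this is
# taken from the thread above or from a real incident.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2016:10:00:00 -0500] "GET /robots.txt HTTP/1.1" 200 60 "-" "Mozilla/5.0"
203.0.113.10 - - [13/May/2016:23:58:01 -0500] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.10 - - [13/May/2016:23:58:07 -0500] "POST /wp-content/plugins/example-upload/upload.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.10 - - [13/May/2016:23:58:09 -0500] "POST /wp-content/uploads/2016/05/wp-cache.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.7 - - [14/May/2016:00:01:15 -0500] "GET / HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
203.0.113.10 - - [14/May/2016:00:02:40 -0500] "POST /wp-content/uploads/2016/05/wp-cache.php?cmd=send HTTP/1.1" 200 87 "-" "Mozilla/5.0"
192.0.2.55 - - [14/May/2016:00:05:02 -0500] "POST /wp-content/uploads/2016/05/wp-cache.php HTTP/1.1" 200 87 "-" "python-requests/2.9"
"""

# One "combined" log line: client, identd, user, [timestamp], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["target"].split("?", 1)[0]  # compare on the path only, ignoring the query string
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse every well-formed line; silently skip anything that does not match (rotated junk, truncated lines)."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def find_attack_vector(text, dropper_path, window=timedelta(hours=1)):
    """
    Find the first request ever made to the dropped file, then return everything
    the same client did within `window` before that request. The earliest POST
    from that client to something other than the dropper is the candidate entry
    point, i.e. the request that most likely wrote the dropper to disk.
    Returns None if the dropper was never requested (logs may not go back far enough).
    """
    recs = sorted(parse_log(text), key=lambda r: r["ts"])
    first_hit = next((r for r in recs if r["path"] == dropper_path), None)
    if first_hit is None:
        return None
    client = first_hit["client"]
    preceding = [
        r for r in recs
        if r["client"] == client and first_hit["ts"] - window <= r["ts"] < first_hit["ts"]
    ]
    candidate = next(
        (r for r in preceding if r["method"] == "POST" and r["path"] != dropper_path),
        None,
    )
    return {"client": client, "first_hit": first_hit, "preceding": preceding, "candidate_entry": candidate}


def clients_using_dropper(text, dropper_path):
    """Every client address that requested the dropper, with hit counts (more than one = it is being operated remotely)."""
    counts = {}
    for r in parse_log(text):
        if r["path"] == dropper_path:
            counts[r["client"]] = counts.get(r["client"], 0) + 1
    return counts


if __name__ == "__main__":
    dropper = "/wp-content/uploads/2016/05/wp-cache.php"  # hypothetical path as LMD would report it
    result = find_attack_vector(SAMPLE_LOG, dropper)
    print("first hit on dropper:", result["first_hit"]["ts"], "from", result["client"])
    for rec in result["preceding"]:
        print("  before it:", rec["ts"], rec["method"], rec["path"], rec["status"])
    entry = result["candidate_entry"]
    print("candidate entry point:", f"{entry['method']} {entry['path']}" if entry else "none found")
    print("clients using dropper:", clients_using_dropper(SAMPLE_LOG, dropper))
```

Against a real server, copy the access logs (including rotated ones) off the box before wiping it, pass the path LMD keeps flagging, and treat the candidate entry request as the lead: that plugin or endpoint, its version, and whether it accepts uploads unauthenticated is what you check next. Two caveats a practitioner should expect: if log rotation has already discarded the day of the original intrusion, the first recorded hit is only a later reinstall and the vector may be unrecoverable from logs alone, which is one more reason the rebuild advice above is the right answer; and the client that wrote the dropper is often not the one that later operates it, so the per-client hit counts are worth recording even when they do not point at the entry.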
All times are GMT -5. The time now is 09:25 AM.