LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-06-2015, 04:40 AM   #1
HotRodSparrow
LQ Newbie
 
Registered: Nov 2015
Location: Denver
Distribution: Centos
Posts: 8

Rep: Reputation: Disabled
Grepping for compromised account


Okay, so at work, we have a compromised server that uses Wordpress.

I've been having NO luck tracking down who the compromised account is on the server. Or if there are multiple compromised accounts.

I have been using:

tail -f /home/username/access-logs/* | grep POST| grep *.php

But that doesn't seem to work... and going through each user name one as a time is incredibly time consuming..

This is for Centos 6 and any help would be great!
 
Old 12-06-2015, 05:50 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by HotRodSparrow View Post
Okay, so at work, we have a compromised server that uses Wordpress.
OK. So what clues / alerts / remote reporting / other information do you have that you should share with us regarding the compromise?
- If it's spam sent, have you verified them using RBL searches?
- If you know FQDNs, have you verified them via Google Safe Browsing and similar resources?
- Have you verified the integrity of server software, system accounts, account and service access logs?
- Have you already made suspicious files / complete docroots inaccessible or done other things?
- Do you have Logwatch reporting and other resource monitoring that may help?
* Anything else: add it. The more info the better.


Quote:
Originally Posted by HotRodSparrow View Post
I've been having NO luck tracking down who the compromised account is on the server. Or if there are multiple compromised accounts.
Old and vulnerable WP versions, plugins and themes are the usual suspects, aka "low hanging fruit" attackers efficiently aim for. In some cases files may have been dropped in include, upload and other directories, so that's (mtime-wise) something to look for. If you don't have remote reports then use this (also see this and this to get you going) or equivalent to automate searches from the command line to enumerate versions as a starting point.

*BTW: I have requested this thread to be moved to the Linux Security forum as it's more appropriate there.
 
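The two checks unSpawn points at above (enumerate the WordPress core and plugin versions per account, and look mtime-wise for PHP dropped into upload directories) can be scripted so they run across every account at once. The script below is an added example for this thread, not code posted by unSpawn or shipped by WordPress or cPanel. It assumes the cPanel-style layout /home/<user>/public_html for each docroot, reads the version strings WordPress itself ships (wp-includes/version.php and the "Version:" header comment in each plugin), and builds a constructed sample docroot so the functions can be tried offline before pointing them at a real server.

```shell
#!/bin/sh
# Added example, not code from the thread. Enumerates WordPress core and
# plugin versions under each account's docroot and lists recently changed
# PHP files in wp-content/uploads (a directory that should hold media, not
# code). The /home/<user>/public_html layout is an assumption (cPanel-style);
# build_sample_site constructs a fake docroot so the functions run offline.

# WordPress core version, read from the line  $wp_version = '4.3.1';
wp_core_version() {
    f="$1/wp-includes/version.php"
    [ -r "$f" ] || return 1
    grep -m1 "wp_version = '" "$f" | cut -d"'" -f2
}

# One "<slug> <version>" line per plugin, taken from the "Version:" header
# comment in the plugin's PHP files; "unknown" when no header is found.
wp_plugin_versions() {
    d="$1/wp-content/plugins"
    [ -d "$d" ] || return 1
    for p in "$d"/*/; do
        [ -d "$p" ] || continue
        slug=$(basename "$p")
        v=$(grep -h -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$p"*.php 2>/dev/null \
              | head -n1 | sed 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//')
        printf '%s %s\n' "$slug" "${v:-unknown}"
    done
}

# PHP files under wp-content/uploads modified in the last $2 days.
recent_php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' -mtime "-$2" 2>/dev/null
}

# Human-readable report for one docroot.
audit_docroot() {
    printf '== %s\n' "$1"
    printf 'core %s\n' "$(wp_core_version "$1" || echo unknown)"
    wp_plugin_versions "$1" || true
    recent_php_in_uploads "$1" 7 | sed 's/^/recent-php-in-uploads /'
}

# Constructed sample docroot (not real data) so the functions can be exercised.
build_sample_site() {
    mkdir -p "$1/wp-includes" "$1/wp-content/plugins/old-editor" "$1/wp-content/uploads/2015/12"
    printf '<?php\n$wp_version = %s;\n' "'4.3.1'" > "$1/wp-includes/version.php"
    printf '<?php\n/*\nPlugin Name: Old Editor\nVersion: 1.0.2\n*/\n' \
        > "$1/wp-content/plugins/old-editor/old-editor.php"
    printf '<?php /* constructed stand-in for a dropped file */\n' \
        > "$1/wp-content/uploads/2015/12/x.php"
}

# Stand-alone run: audit every cPanel-style account docroot that holds WordPress.
for d in /home/*/public_html; do
    if [ -d "$d/wp-includes" ]; then audit_docroot "$d"; fi
done
```

To try it without a real server: `build_sample_site /tmp/site && audit_docroot /tmp/site` prints the core version, one line per plugin, and the freshly created x.php under uploads. On a live box the versions go against the WordPress and plugin changelogs, and anything under uploads ending in .php deserves a look regardless of its age, since that directory is written by the web server and is the usual landing spot for dropped files.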
Old 12-06-2015, 06:01 AM   #3
HotRodSparrow
LQ Newbie
 
Registered: Nov 2015
Location: Denver
Distribution: Centos
Posts: 8

Original Poster
Rep: Reputation: Disabled
Okay so what I can share without giving up client info:

We receive abuse reports for servers that are fully managed, then we have to investigate. Normally it seems like they're attacks that are based SOLELY on *.php file compromises.. such as wp-login.php and the like..

Most of the time the reports are from Google safe browsing, the main client has no idea how it happened, and their client is usually your less than average skill computer user.

We are allowed to investigate everything on the server and then report to the main client what we find, and normally it's because of the secondary client's old, out of date Wordpress plugins and stuff like Fckeditor.

Basically I just need to learn how to properly search for logs and search for compromised files? I am really friggen new to all of this stuff, and even though I keep googling for info, there's just SO much out there, I feel lost.

Last edited by HotRodSparrow; 12-06-2015 at 07:53 AM. Reason: fixed the messed up comment.
 
Old 12-06-2015, 07:51 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by HotRodSparrow View Post
I am really friggen new to all of this stuff, and even though I keep google-ing for info, there's just SO much out there, I feel lost.
Couple of comments in order of priority:
0) Given it's the weekend you may be on duty? If that's the case and you're that new you should have a backup? And given the time and effort it takes you to separate "must have" knowledge from fluff and the knowledge it takes to get the right commands working I'd say it's time you contact your backup?
1) I would appreciate it if you don't classify others and especially not in any derogatory way. (LQ Rules, common sense and especially given your current level of expertise.)
2) You've answered a lot less than I asked for. If you don't know what I talk about then ask me to explain. Do note you need to help me help you.


Quote:
Originally Posted by HotRodSparrow View Post
Basically I just need to learn how to properly search for logs and search for compromised files?
That's one aspect, yes, but the first thing you should do is:
0) Disable (public) access to the web site(s) to mitigate the threat to others.
1) Read. I know, lotsa docs, but know WordPress has its own documentation so start with https://codex.wordpress.org/FAQ_My_site_was_hacked .
2) Run the commands you can given what you have read, post relevant information and ask specific questions.
 
Old 12-06-2015, 07:52 AM   #5
HotRodSparrow
LQ Newbie
 
Registered: Nov 2015
Location: Denver
Distribution: Centos
Posts: 8

Original Poster
Rep: Reputation: Disabled
Oops! Sorry about the derogatory comment.. I've been awake on night shift for too many hours and wasn't thinking.. My apologies!
 
Old 12-06-2015, 07:57 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
No problem. Now fetch me some info I can help you with!
 
Old 12-10-2015, 08:35 AM   #7
HotRodSparrow
LQ Newbie
 
Registered: Nov 2015
Location: Denver
Distribution: Centos
Posts: 8

Original Poster
Rep: Reputation: Disabled
Okey dokey:

- Have you verified the integrity of server software, system accounts, account and service access logs?
I don't know how to do this.. :/
We normally use CPanel or WSP to do a lot of things, such as changing passwords and the like.

- Have you already made suspicious files / complete docroots inaccessible or done other things?
We're technically *not* allowed to change the clients files, we just have to find, and "show" them (aka prove) the compromised file/log/etc.

- Do you have Logwatch reporting and other resource monitoring that may help?
* Anything else: add it. The more info the better.

We use IP monitor for our logging, but other than that, no. I can't think of anything else that might help, I just know that it's normally someone brute forcing wp-login.php until they can POST, and upload files.
 
Old 12-10-2015, 09:38 AM   #8
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
If I may add...

Quote:
Originally Posted by HotRodSparrow View Post
We're technically *not* allowed to change the clients files, we just have to find, and "show" them (aka prove) the compromised file/log/etc.
Code:
clamscan -ir /path/to/scan
does a nice job of identifying infections.

Quote:
Originally Posted by HotRodSparrow View Post
We use IP monitor for our logging, but other than that, no. I can't think of anything else that might help, I just know that it's normally someone brute forcing wp-login.php until they can POST, and upload files.
"Our logging"...? Is that something 'other than' apache2 log defaults?
It usually starts in looking at /var/log/apache2/access.log
Ubiquitous Hardening WordPress
Password protect wp-login.php

Please let us know.
 
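The starting point in post #1 (tail the access logs and grep for POSTs to .php files) and the pattern described in post #7 (someone brute forcing wp-login.php until a POST succeeds, then uploading files) can both be pulled out of the Apache access logs Habitual points at, and the same script can walk every account's log rather than one username at a time. The script below is an added example, not code from any post in this thread. It assumes cPanel's /home/<user>/access-logs/<domain> layout and the Apache combined log format, and relies on one fact about WordPress itself: a failed login POST to wp-login.php is answered with a 200 (the form again), a successful one with a 302 redirect. The log lines in sample_log are constructed for the example, not real traffic.

```shell
#!/bin/sh
# Added example, not code from the thread. Works over Apache combined-format
# access logs: which POSTs hit PHP files, which IPs hammer wp-login.php,
# which of those finally got a 302 (WordPress answers a failed login with 200
# and a successful one with a 302 redirect), and whether anything POSTed to
# a .php file inside wp-content/uploads. The /home/<user>/access-logs/<domain>
# layout is an assumption (cPanel); sample_log emits constructed lines.

sample_log() {
    cat <<'EOF'
203.0.113.5 - - [06/Dec/2015:04:01:10 -0500] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Dec/2015:04:01:11 -0500] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Dec/2015:04:01:12 -0500] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Dec/2015:04:01:13 -0500] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Dec/2015:04:01:14 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Dec/2015:04:02:30 -0500] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Dec/2015:04:03:05 -0500] "POST /wp-content/uploads/2015/12/x.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Dec/2015:04:05:00 -0500] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Dec/2015:04:05:20 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Dec/2015:04:06:00 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Combined log fields: $1 client IP, $6 "METHOD, $7 path, $9 status.
# Every POST whose path is a .php file (with or without a query string).
php_posts() {
    awk '$6 == "\"POST" && $7 ~ /\.php(\?|$)/' "$1"
}

# "<ip> <count>" for IPs with at least $2 POSTs to wp-login.php.
wp_login_bruteforce() {
    awk -v min="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' "$1"
}

# "<ip> <failures-before-first-302>": a run of 200s followed by a 302 is the
# signature of a password guess that finally worked.
login_success_after_failures() {
    awk '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
            if ($9 == 302 && !($1 in ok)) { ok[$1] = 1; print $1, fail[$1] + 0 }
            else if ($9 == 200) fail[$1]++
        }' "$1"
}

# POSTs to PHP files under wp-content/uploads: someone executing a dropped file.
uploads_posts() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-content\/uploads\/.*\.php/' "$1"
}

# Stand-alone run over every account's logs (prints nothing if none exist).
scan_account_logs() {
    for log in /home/*/access-logs/*; do
        if [ -f "$log" ]; then
            printf '== %s\n' "$log"
            wp_login_bruteforce "$log" 20
            login_success_after_failures "$log"
            uploads_posts "$log"
        fi
    done
}
scan_account_logs
```

Run against the constructed sample (`sample_log > /tmp/a.log; wp_login_bruteforce /tmp/a.log 5; login_success_after_failures /tmp/a.log; uploads_posts /tmp/a.log`) it reports 203.0.113.5 with five wp-login.php POSTs, four failures before its first 302, and a POST to x.php under uploads a minute later, while the legitimate comment POST from 198.51.100.7 and the single clean login from 192.0.2.9 are left alone. That is the sequence described in post #7, and the account whose log shows it is the one to report; the file named in the uploads POST is the one to hand over as evidence.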
Old 12-11-2015, 11:28 PM   #9
HotRodSparrow
LQ Newbie
 
Registered: Nov 2015
Location: Denver
Distribution: Centos
Posts: 8

Original Poster
Rep: Reputation: Disabled
I'm sorry, night shift is really frying my brain.. IP monitor is how we monitor the servers; usually we find out that there's a problem because we get an alert that a server's snmpd has failed, and then upon running "top" I'll hit "m" and then watch for which user is using the highest amount of CPU.
 
Old 12-12-2015, 05:08 PM   #10
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by HotRodSparrow View Post
We normally use CPanel or WSP...
Possibly unhelpful comment:

Things like CPanel are frequently infection vectors. If you do need to use such things, be very careful that you keep on top of keeping them up to date, because old and vulnerable versions are a real source of problems.

The reason that this is possibly unhelpful just right now is that you don't need a list of things that could be problematic, or that are frequently problematic for other people; you need to home in on what has actually gone wrong in this case.
 
Old 12-13-2015, 03:33 AM   #11
HotRodSparrow
LQ Newbie
 
Registered: Nov 2015
Location: Denver
Distribution: Centos
Posts: 8

Original Poster
Rep: Reputation: Disabled
Yeah, exactly.. and it happens "A LOT", because we use cPanel pretty much on all the Linux systems, and for whatever reason, getting our clients to update/keep things up-to-date is incredibly difficult.
 