LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 07-14-2021, 11:24 PM   #1
buckbuchanan
Noob question about being hacked


Hi all

I am managing a small website for a friend and I got hacked. I wonder if anyone can help me identify how and prevent it from happening again?

What happened - someone modified functions.php. They added some code to the file, then renamed it to functions.php123.

How can I see how they managed to get in to that file? What do I need to do to prevent them from getting in again?

Thanks
 
Old 07-14-2021, 11:46 PM   #2
lovemeslk
When networking, certain files can be set to no-modify, even for root.
I hope someone in here with networking knowledge picks this thread up.
 
Old 07-15-2021, 01:24 AM   #3
pan64
In general you need to secure your host and web server, but that is not so simple. There is no "single-command" solution; you need to check all your services, configurations, permissions, network settings (and a few other things).
Additionally you may need to check your log files to find out what happened.

All of these settings depend on your hardware and software, and it is hard to give you any help without knowing anything about that.
 
Old 07-15-2021, 08:12 AM   #4
boughtonp

Log files might tell you what happened (though depending on the attacker's level of access/competence they could be wiped/forged).

Most likely it's because you're running insecure code that trusted user input and allowed someone to inject their own code.
(There are a number of ways to do that, and it's hard to say more without seeing the code.)

Another possibility is there's a weak password in use somewhere which they managed to determine.
If so, change all relevant passwords, and consider whether any other accounts linked to the same/similar emails need addressing.

There are other possibilities, but really there's no point saying more: in all situations step 1 is to talk to your hosting provider.


 
Old 07-15-2021, 08:43 AM   #5
sundialsvcs
On a shared-hosting environment, sometimes the host does not properly set the security rules for each user's account ... it is actually possible for another user to cd into your home directory, examine its content, and perhaps modify it.

Your web site should be running under a user/group, such as nobody, that does not have write-access to any directories that contain code or resources. If the program needs to write somewhere, only that location should be read/write to it, and it should not be possible for a user to get a directory listing.

Unfortunately, most hosts do not use OpenVPN nor provide VPN-first access to their resources – they simply expose ssh and they usually allow passwords (not certificates). Therefore, your passwords must be pure-random and changed frequently.
 
Old 07-15-2021, 10:22 AM   #6
smallpond
Basic reasons are:
  • wrong permissions or ownership on files (if I type the URL of a script or key file, will it come up in my browser?)
  • incorrect configuration
  • using unsanitized user input (just ask Bobby Tables)
  • unpatched vulnerabilities in software
  • leaving services running that you don't need (ftp, print)
  • using insecure add-ons (looking at you, Wordpress)
  • default or simple or no passwords (you wouldn't do that, would you?)

Some features that may or may not apply: Only allow login/admin on a separate management IP with strict firewall rules. Do remote logging so if (when) you get hacked, they can't wipe the logs. Test on a separate machine; wipe and reinstall everything on update.
 
Old 07-15-2021, 12:03 PM   #7
uteck
If you are using Wordpress check the extensions you loaded to see if they have a reported security hole. That is the most common way people get access to sites running Wordpress.
 
Old 07-15-2021, 04:09 PM   #8
buckbuchanan
Thanks everyone for the replies. Definitely some things to look at there.

One question on all this... When the server was made and Wordpress installed, I noticed that all the wordpress files were owned by a certain user (let's call it UserX). Most of the files have rw-r--r-- rights. Most folders have rwxr-xr-x. Does that look right?

I don't understand how I can tighten that down any more without accidentally locking myself out of being able to access the files.

Thanks
 
Old 07-15-2021, 04:38 PM   #9
boughtonp
Quote (originally posted by buckbuchanan):
One question on all this... When the server was made and Wordpress installed, I noticed that all the wordpress files were owned by a certain user (let's call it UserX). Most of the files have rw-r--r-- rights. Most folders have rwxr-xr-x. Does that look right?

I don't understand how I can tighten that down any more without accidentally locking myself out of being able to access the files.
From memory, that sounds about right - I think there's documentation somewhere on the Wordpress site that explains the different folder permissions - but permissions protect your files from other users on the server; they're less relevant if the attacker gets in through a vulnerability in Wordpress (or more likely, one of the plugins), and thus can execute their own PHP code.

You can try putting the names of the plugins you're using into a vulnerability database search - if something comes up you need to check the details and fix it (might be as simple as upgrading to the latest version), though if nothing comes up that doesn't guarantee security.
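To turn the permission questions in this exchange into something you can actually run (the OP's rw-r--r--/rwxr-xr-x, sundialsvcs's point about other users on a shared host, and smallpond's "wrong permissions or ownership"), here is an added audit script. It is not from any post in this thread. It assumes GNU find and stat, a WordPress tree at the given path, and that every file should be owned by the single account the OP calls UserX, which must not be the account the web server runs as. The directory names and the account name in the usage line are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit a WordPress tree for the
# ownership/permission mistakes discussed above. Assumes GNU find and stat.
#   OWNER - the account that should own every file (the OP's "UserX"); the
#           web-server account (www-data, nobody, ...) must NOT be this user.
#   All paths and account names below are assumptions for the demo.

# wp_perm_audit DIR OWNER
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
wp_perm_audit() {
    dir=$1
    owner=$2
    report=$(
        # 1. World-writable entries: any other local user (another customer on a
        #    shared host, or a compromised service) can edit your code.
        find "$dir" ! -type l -perm -002 -exec printf 'world-writable: %s\n' {} +

        # 2. Files not owned by OWNER: created by the web server or by someone
        #    else, e.g. an uploaded shell or a host that set up the account wrong.
        find "$dir" ! -user "$owner" -exec printf 'unexpected-owner: %s\n' {} +

        # 3. PHP under wp-content/uploads: that tree holds media, never code.
        [ -d "$dir/wp-content/uploads" ] &&
            find "$dir/wp-content/uploads" -name '*.php' \
                -exec printf 'php-in-uploads: %s\n' {} +

        # 4. wp-config.php holds the database password: the "other" permission
        #    digit must be 0 so other accounts on the host cannot read it.
        if [ -f "$dir/wp-config.php" ]; then
            mode=$(stat -c '%a' "$dir/wp-config.php")
            case "$mode" in
                *0) ;;
                *) printf 'wp-config.php mode %s: readable by other users\n' "$mode" ;;
            esac
        fi
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Usage on a real box (assumed path and account):
#   wp_perm_audit /var/www/html userx || echo "fix the findings above"
```

644 for files and 755 for directories is the WordPress default and is fine on its own; what this catches is drift away from it: a stray world-writable theme file, something created by the web-server account, a PHP file sitting among the uploads, or a readable wp-config.php. As boughtonp says, none of this stops code injected through a vulnerable plugin, but it does close the "other user on the host" route.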

 
Old 07-15-2021, 05:58 PM   #10
jefro
Is it possible that a theme or other proper use caused this?
 
Old 07-15-2021, 06:21 PM   #11
buckbuchanan
Thanks for the replies - all good stuff.

How could I tell if it is a theme?

It happened again last night so I still haven't fixed the problem. They managed to alter functions.php again.

I ran the 'last' command but all I saw was my own logins.

Any thoughts as to how I can actually see the hacker's activity? If I could see that I might be able to understand where they are getting in.

Interesting thing is the time stamp on the file was 02 July - so it's not even showing that it was edited last night.

Thanks
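Two things in this post are worth unpacking. `last` only lists logins through SSH or a terminal; an attacker coming in through a PHP vulnerability never logs in, so there is nothing for it to show, and the web server's access log is the place to look instead. The "02 July" timestamp is also expected: a file's mtime can be set to any value with touch(1) or PHP's touch(), but its ctime is stamped by the kernel and cannot be set from user space, so a file with an old mtime and a fresh ctime was edited and then back-dated. The helpers below are added here and are not from the thread; they assume GNU stat, find and awk and an Apache/nginx access log in the combined format. The sample log lines, addresses, user agents and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: triage helpers for "last shows nothing
# and the edited file has an old timestamp". Assumes GNU stat/find/awk and a
# web server writing the combined log format. Sample data is constructed.

# find_backdated DIR
# Lists files whose ctime is more than a day newer than their mtime. mtime can
# be forged; ctime cannot, so this is the back-dating signature described above.
find_backdated() {
    find "$1" -type f -exec stat -c '%Y %Z %n' {} + |
    awk '$2 - $1 > 86400 { print substr($0, length($1) + length($2) + 3) }'
}

# suspicious_posts ACCESS_LOG
# Web shells and code-injection traffic are almost always POSTs to a PHP file
# that a browser would never post to. Prints "count ip path status" for every
# POST to a .php path that is not a normal WordPress entry point.
suspicious_posts() {
    awk '
        $6 == "\"POST" {
            path = $7; sub(/\?.*/, "", path)            # drop the query string
            if (path ~ /\.php$/ &&
                path !~ /^\/(index|wp-login|xmlrpc|wp-cron|wp-comments-post)\.php$/ &&
                path !~ /^\/wp-admin\//)
                print $1, path, $9
        }' "$1" | sort | uniq -c | sort -rn
}

# Constructed sample in combined log format (not real traffic).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [14/Jul/2021:02:11:40 +0000] "GET /wp-content/uploads/2021/07/image.jpg HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Jul/2021:02:13:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Jul/2021:02:13:09 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 55 "-" "Mozilla/5.0"
192.0.2.45 - - [14/Jul/2021:02:19:31 +0000] "POST /wp-content/uploads/2021/07/x.php HTTP/1.1" 200 512 "-" "python-requests/2.25"
192.0.2.45 - - [14/Jul/2021:02:19:33 +0000] "POST /wp-content/uploads/2021/07/x.php?cmd=id HTTP/1.1" 200 640 "-" "python-requests/2.25"
192.0.2.45 - - [15/Jul/2021:02:20:02 +0000] "POST /wp-content/themes/twentytwentyone/functions.php HTTP/1.1" 500 0 "-" "python-requests/2.25"
EOF
}

# Demo on the constructed sample. On the real box point it at the server's
# access log instead (e.g. /var/log/apache2/access.log or /var/log/nginx/access.log)
# and run find_backdated against the document root.
demo_log=$(mktemp)
sample_log > "$demo_log"
suspicious_posts "$demo_log"
rm -f "$demo_log"
```

On the sample the first line of output is the pair of POSTs to a PHP file under uploads from one address, which is the thing to chase: pull every raw line for that IP and that path and the user agent and timing tell you how they got the file there. Treat find_backdated hits as leads rather than proof: a restore from backup, a package upgrade or an rsync that preserves modification times also produces an old mtime with a new ctime, so correlate the ctime with the access log.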
 
Old 07-15-2021, 07:59 PM   #12
uteck
Try running a ClamAV scan on the system to find any command shells they have uploaded to give themselves remote access.
The location of anything you find might give a clue as to how they are getting in.
 
Old 07-15-2021, 08:13 PM   #13
jefro
No telling how a hacker got in, if they really did.
I'd consider recording network packets. Then search again if that fails. Step up the firewall to include a white list, black list and geo limits.
There were some holes in wordpress a long while ago.

Do you notice the changes? What are the changes other than the file?
 
Old 07-15-2021, 08:30 PM   #14
buckbuchanan
I didn't notice any other changes. The user had inserted code to create a user in the wordpress db. It looks like they weren't successful and as far as I can see they didn't get any further than that.

But it is interesting they tried the exact same thing 2 nights in a row.
 
Old 07-15-2021, 08:51 PM   #15
v00d00101
Personally I would back up everything to somewhere else. Wipe the server. Restore the site from backup. Then harden the crap out of it. Although if you are using Wordpress, that's almost like trying to bail out a sinking ship with a thimble.

As an admin you can do a certain amount to secure the backend, but the website side is a different matter. Unless you are an experienced programmer you will not be able to shore up the Wordpress problem. You can probably mitigate it up to a point by keeping on top of patches and updates, but there is always a possibility that the attacker is using a zero day that no one has found yet.

One thing you could try is restore functions.php from backup, then make it immutable (chattr +i). Presumably that file has no need to be changed very often. In fact any file that doesn't need to be changed you could do the same with. It's very sledgehammer-to-nut level, but it should work if you are running the webserver as a non-privileged user (preferably with no login). If it then gets changed again, well, you have bigger problems because the attacker has found and is probably using a privilege escalation exploit, since only root can remove the immutable attribute. If that happens, look at your root password, get rid of sudo if it's installed, in fact get rid of sudo regardless or lock it down so no one can use it.

ClamAV could be a port of call, definitely rkhunter/chkrootkit as well. If it finds a rootkit, then you definitely need to scrub the server and start over.

Good luck. I've been there in the past. I didn't faff around. I just wiped it, restored it and moved on. You can spend weeks trying to work out how they got in, but without a bunch of experience and maybe some pentesting knowledge you will struggle. If everything is up to date and it happened regardless, it's either a password issue or maybe a zero day. You could also maybe email the logs to yourself every 15 minutes for a couple of days to try and work out how they are getting in.
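The chattr +i suggestion above and the OP's repeated functions.php edits both need the same thing underneath them: a way to notice the next change immediately instead of by accident, including a rename such as functions.php to functions.php123, which chattr +i also prevents. Below is an added integrity-baseline script; it is not from the thread or from WordPress. It assumes GNU coreutils (sha256sum) with POSIX find and awk, excludes wp-content/uploads and wp-content/cache because those legitimately change, and requires that the manifest be stored where the web-server account cannot write (ideally off the host), or the attacker simply regenerates it. Paths in the usage lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: file-integrity baseline for a WordPress
# tree. Assumes GNU sha256sum and POSIX find/awk. Manifest lines look like
# "<sha256>  ./relative/path"; paths are assumed to contain no whitespace.

# wp_baseline DIR MANIFEST
# Hash every file under DIR except user uploads and caches, sorted by path.
wp_baseline() {
    ( cd "$1" && find . -type f \
        ! -path './wp-content/uploads/*' ! -path './wp-content/cache/*' \
        -exec sha256sum {} + | sort -k2 ) > "$2"
}

# wp_verify DIR MANIFEST
# Re-hash DIR and print one line per difference: NEW, CHANGED or MISSING.
# Returns 1 if anything differs, 0 if the tree matches the manifest.
wp_verify() {
    current=$(mktemp)
    wp_baseline "$1" "$current"
    report=$(awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }   # manifest: hash by path
        {
            if (!($2 in old))            print "NEW", $2
            else {
                if (old[$2] != $1)       print "CHANGED", $2
                delete old[$2]           # whatever is left at END is gone
            }
        }
        END { for (p in old) print "MISSING", p }
    ' "$2" "$current" | sort)
    rm -f "$current"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Usage on a real box (assumed paths; keep the manifest off the document root
# and outside anything the web-server account can write):
#   wp_baseline /var/www/html /root/wp.manifest       # after a clean restore
#   wp_verify   /var/www/html /root/wp.manifest       # from cron, mail the output
#
# The post's chattr suggestion sits on top of this (as root, ext4/xfs):
#   chattr +i /var/www/html/wp-content/themes/<theme>/functions.php
#   lsattr    /var/www/html/wp-content/themes/<theme>/functions.php
# wp_verify still reports the edit if the attribute is ever removed.
```

In the thread's incident the report would read "MISSING ./wp-content/themes/<theme>/functions.php" and "NEW ./wp-content/themes/<theme>/functions.php123", which is the rename the OP saw, and a plugin or core update shows up as a burst of CHANGED lines that you expect, so regenerate the baseline right after each update you performed yourself. Anything else is a change you did not make.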
 
  


All times are GMT -5.
