Hacked to pieces, need your help!

#1 Thu, 01/15/2015 - 17:05
Douglife

Hey all!

So, I'm running a few WordPress sites on my Virtualmin server, and it has been compromised.

I have spent hours upon hours with everything, and I've been able to limit it, but it keeps coming back.

I have rkhunter in, nothing odd, and I've been tracking the logs like crazy, but all I can see is where it's coming from, and then I can't track it down.

Setup (Virtual Server):
- Primary email disabled
- Running Securi and Wordfence plugins
- Only 1 email address in VS

When I go to postfix queue and I have emails from: virtualservername@myserver (no .com)

However I cannot for the life of me find this email account to disable it, and I believe it is happening to other virtual servers as well.

I am currently so frustrated, and so are my clients, that I am looking at other options, but I really love Virtualmin, so I'm hoping I can get some assistance here and stay on it!

Would love any input or help! Thanks so much!

Thu, 01/15/2015 - 17:42
andreychek

Howdy,

A common cause of what you're seeing is a vulnerability in WordPress, or a WordPress plugin. If attackers are able to access WordPress, they can then send out emails which will appear to be from the Virtual Server owner.

It can be tricky to find the culprit, but I'd recommend starting by verifying that WordPress is running the most recent version, as well as all of its plugins.

You'd also want to review the various files located within the web root, and make sure that they appear to be legitimate.

You could also try using a tool such as Linux malware detect, which can aid in finding web-based breakins:

https://www.rfxn.com/projects/linux-malware-detect/

Thu, 01/15/2015 - 17:58
Douglife

Andreychek, thank you so much for your response. Rkhunter is not a Linux malware tool? So far it hasn't found anything, so I will try LMD now.

I have also personally reviewed all WordPress files and plugins in the site, nothing. Took hours. Wordfence and Securi plugins do a great job of comparing WordPress files to the repository, and plugins as well. Nothing there either.

I've been digging through the mail.logs and nothing other than the virtualserver@servername emails.

Any other suggestions would be helpful.

Thanks!

Thu, 01/15/2015 - 18:34
andreychek

Howdy,

Rkhunter is a good tool, and I use it on my own servers, but the things it looks for are different than the things that the Linux malware detect tool looks for.

If you're interested in finding web-based malware within your DocumentRoot, Linux malware detect has a higher chance of finding it.

Could you paste in the headers for one of the outgoing emails in your queue that are from "virtualservername@myserver"? That will help pinpoint whether it's related to web-based malware, or whether it's a compromised email account.

-Eric

Thu, 01/15/2015 - 19:04
Douglife

Return-Path: <>
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on PURE-SEA-WOOF
X-Spam-Level: *
X-Spam-Status: No, score=1.2 required=5.0 tests=NO_RELAYS,TO_MALFORMED,
URIBL_BLOCKED autolearn=no version=3.3.2
X-Original-To: wagonermd@PURE-SEA-WOOF
Delivered-To: wagonermd@PURE-SEA-WOOF
Received: by dougm.us (Postfix)
id 76F1C6767F7; Tue, 30 Dec 2014 12:40:31 -0800 (PST)
Date: Tue, 30 Dec 2014 12:40:31 -0800 (PST)
From: MAILER-DAEMON@PURE-SEA-WOOF (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: wagonermd@PURE-SEA-WOOF
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="5E9036767F5.1419972031/dougm.us"
Content-Transfer-Encoding: 8bit
Message-Id: <20141230204031.76F1C6767F7@dougm.us>

This is a MIME-encapsulated message.

--5E9036767F5.1419972031/dougm.us
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host dougm.us.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<ryancolt.wagoner@gmail.com>: host gmail-smtp-in.l.google.com[74.125.28.27]
    said: 550-5.7.1 [192.169.44.15      12] Our system has detected that this
    message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam
    sent to Gmail, 550-5.7.1 this message has been blocked. Please visit
    550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131
    for 550 5.7.1 more information. o8si43443363pdm.4 - gsmtp (in reply to end
    of DATA command)

--5E9036767F5.1419972031/dougm.us
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; dougm.us
X-Postfix-Queue-ID: 5E9036767F5
X-Postfix-Sender: rfc822; wagonermd@PURE-SEA-WOOF
Arrival-Date: Tue, 30 Dec 2014 12:40:30 -0800 (PST)

Final-Recipient: rfc822; ryancolt.wagoner@gmail.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; gmail-smtp-in.l.google.com
Diagnostic-Code: smtp; 550-5.7.1 [192.169.44.15      12] Our system has
    detected that this message is 550-5.7.1 likely unsolicited mail. To reduce
    the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked.
    Please visit 550-5.7.1
    http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for 550
    5.7.1 more information. o8si43443363pdm.4 - gsmtp

--5E9036767F5.1419972031/dougm.us
Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Return-Path: <wagonermd@PURE-SEA-WOOF>
Received: by dougm.us (Postfix, from userid 1089)
id 5E9036767F5; Tue, 30 Dec 2014 12:40:30 -0800 (PST)
To: ryancolt.wagoner@gmail.com, doug@douglife.com
Subject: Anne
X-PHP-Originating-Script: 0:class-phpmailer.php
Date: Tue, 30 Dec 2014 20:40:30 +0000
From: Anne <ieqkkj@aol.com>
Message-ID: <7c4cd5b3f23c157266f500334ceb04b2@wagonermd.com>
X-Priority: 3
X-Mailer: PHPMailer 5.2.4 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8

From: Anne <ieqkkj@aol.com>
Subject: Anne

Message Body:
You need targeted traffic to your Contact Ryan Wagoner M.D. - Forensic Psychiatry | Ryan C. Wagoner M.D. website so why not try some for free? There is a VERY POWERFUL and POPULAR company out there who now lets you try their traffic service for 7 days free of charge. I am so glad they opened their traffic system back up to the public! Check it out here: http://swtuts.com/s/9

--
This e-mail was sent from a contact form on Ryan C. Wagoner M.D. (http://wagonermd.com)


--5E9036767F5.1419972031/dougm.us--

Thu, 01/15/2015 - 19:11
andreychek

Howdy,

The email headers there show that the email was originally generated by the user with the userid "1089", using the PHP script "class-phpmailer.php".

That means it could have been done by WordPress itself, or it could have been done by another web app owned by that user, or it could be a malicious file uploaded to that DocumentRoot which isn't actually part of WordPress.

It looks like you're looking for a web-based file owned by that particular user though.

-Eric

Thu, 01/15/2015 - 19:27
Douglife

Eric, thanks so much! Can you tell me how to identify which VS is that userid?

Thu, 01/15/2015 - 19:43
andreychek

Howdy,

You can grep your passwd file for that particular userid.

For example:

grep 1089 /etc/passwd

The userid is the third column of that file, and typically the first number (the second number listed is the group id).

-Eric
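
As an added example (not from this thread, and not Virtualmin's own tooling), here is a small POSIX shell helper that does the two steps Eric describes in one go: it pulls the originating Unix uid and the PHP script name out of a message like the one posted above, and then maps that uid to its account with an exact match on the third passwd field. The message and passwd lines below are constructed samples; on a real server you would feed it `postcat -q QUEUEID` and the real /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the thread. Identify which account generated a
# queued/bounced message by reading the headers Postfix and PHP stamped on it.

# Print the uid from the first "Received: by ... (Postfix, from userid N)"
# header on stdin (what "postcat -q QUEUEID" prints for a queued message).
originating_uid() {
    sed -n 's/.*(Postfix, from userid \([0-9][0-9]*\)).*/\1/p' | head -n 1
}

# Print the script name from the X-PHP-Originating-Script header on stdin.
# PHP writes it as "uid:script"; output is empty if the header is absent.
originating_script() {
    sed -n 's/^X-PHP-Originating-Script: *[0-9]*:\(.*\)$/\1/p' | head -n 1
}

# Map a numeric uid to the account name using an exact match on field 3 of
# passwd-format lines on stdin. A plain "grep 1089 /etc/passwd" would also
# match a gid of 1089 or a uid of 11089, which is why the exact match matters.
uid_to_account() {
    awk -F: -v uid="$1" '$3 == uid { print $1; exit }'
}

# Constructed sample: the relevant headers of the undelivered message.
SAMPLE_MSG='Received: by mail.example.invalid (Postfix, from userid 1089)
To: victim@example.invalid
Subject: Anne
X-PHP-Originating-Script: 0:class-phpmailer.php
X-Mailer: PHPMailer 5.2.4'

# Constructed passwd sample: uid 1089 owns the virtual server; "decoy" shows
# the false positive a substring grep would produce.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
siteowner:x:1089:1089::/home/siteowner:/bin/sh
decoy:x:11089:1089::/home/decoy:/bin/sh'

uid=$(printf '%s\n' "$SAMPLE_MSG" | originating_uid)
printf 'uid=%s script=%s account=%s\n' "$uid" \
    "$(printf '%s\n' "$SAMPLE_MSG" | originating_script)" \
    "$(printf '%s\n' "$SAMPLE_PASSWD" | uid_to_account "$uid")"
```

With the real files, `postcat -q QUEUEID | originating_uid` followed by `uid_to_account "$uid" < /etc/passwd` tells you whose DocumentRoot to search with Linux malware detect.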

Thu, 01/15/2015 - 19:53
Douglife

Thank you Eric for your help!!

Andrey, you were correct, found some trojan stuff in the site, thank you for the suggestion on the malware detect!!

Sticking with Virtualmin for the great product, but even more because of the community.
