18 Feb
2020
18 Feb
'20
4:30 a.m.
Hi All,
I need some help. I am out of my depth.
All my Wordpress sites have been infected by a virus that acts as
follows. Non Wordpress sits are not effected.
1) It permits the home page to partially show.
2) Then a pop-up requests authorization to continue (which I have not
clicked).
3) Then in the background the address line changes first to
create-space.com and then to adarath.com, before showing an advert for
gambling or porn, which depends upon your location and not your language
settings.
All google hits claim this is a browser virus, but I don't think it is.
Every check of my system comes up clean. Almost positive it is on the
server.
It only appears on the first visit to the site. If I clear cookies and
cache, then it reappears. My browser does NOT show this virus for any WP
site that is not hosted on my VPS.
Unfortunately I am in Thailand, supposedly having a holiday and meeting
my in-laws' family, and I have no access to my usual tools or the site
backups.
Has anyone any ideas how best to proceed?
Regards
Ian
--
Ian Hobson
Tel (+351) 910 418 473
18 Feb
18 Feb
6:07 a.m.
On 2020-02-18 04:30+0000, Ian Hobson wrote:
1) It permits the home page to partially show.
2) Then a pop-up requests authorization to continue (which I have not
clicked).
3) Then in the background the address line changes first to create-space.com
and then to adarath.com, before showing an advert for gambling or porn,
which depends upon your location and not your language settings.
[...]
It only appears on the first visit to the site. If I clear cookies and
cache, then it reappears. My browser does NOT show this virus for any WP
site that is not hosted on my VPS.
Personally:
1. check your local system's IP routing
2. check remote computer's web server modules, or .htaccess
3. disable PHP, does the same behaviour exist?
4. nuke it from space
I've been bitten by word press in the past, I don't think it works well.
If I had to use it again it would be within a container. One of the
issues with word press I find/found was around caching. It's not good to
have all page hits turn into DB queries, so it needs to create cache
files, even going to memcache is inefficient as it involves dynamic
loading. Ideally if wordpress could create static content via cron I'd
be happy.
I suspect something www could write to re-written htaccess, or if it had
some elevation to root, perhaps it has inserted a module into the
webserver that only inserts content when a cookie header isn't present.
Ed
--
Best regards,
Ed http://www.s5h.net/
19 Feb
19 Feb
2:10 a.m.
Hi Ian,
On Tue, Feb 18, 2020 at 04:30:21AM +0000, Ian Hobson wrote:
All my Wordpress sites have been infected by a virus
Tough one. If you're feeling paranoid you could boot the Rescue VM
so you have a clean environment to investigate things from, but it's
probably overkill. The most likely scenario is that the bad guys
have compromised your wordpress and written stuff only that the
wordpress / web server user can, not got root access or interfered
with the rest of the system. So you are probably safe investigating
from the VPS itself.
A thing I often do when trying to work out what has happened is just
to examine recently-changed files. If I find weird things I then try
to correlate their modify times with logging events, e.g. auth.log
for SSH connections or the web server logs for stuff being POSTed.
# find /path/to/web/stuff -type f -mtime -30 -ls
gets you things modified within the last 30 days.
If you can pinpoint when it happened then perhaps you can nuke the
sites and restore them to a point before the compromise. I know you
say you don't have access to backups but it's difficult to advise
anything else really…
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
20 Feb
20 Feb
12:32 p.m.
Hi All,
Sorted. It appears that all the ???posts tables contain a field called
post-content. The low-life had appended a
<script> tag to this field on every row.
After processing the backup file by replacing
),( with ),\n( to break the lines, I was
able to match <script>var _0x1e50=.*</script> and replace it with
nothing everywhere it was found.
Finally importing the backup file with phpmyadmin sorted all the sites!
Hope this helps any fellow sufferers in future.
Regards
Ian
On 19/02/2020 02:10, Andy Smith wrote:
Hi Ian,
On Tue, Feb 18, 2020 at 04:30:21AM +0000, Ian Hobson wrot
--
Ian Hobson
Tel (+351) 910 418 473
All my Wordpress sites have been infected by a
virus
Tough one. If you're feeling paranoid you could boot the Rescue VM
so you have a clean environment to investigate things from, but it's
probably overkill. The most likely scenario is that the bad guys
have compromised your wordpress and written stuff only that the
wordpress / web server user can, not got root access or interfered
with the rest of the system. So you are probably safe investigating
from the VPS itself.
A thing I often do when trying to work out what has happened is just
to examine recently-changed files. If I find weird things I then try
to correlate their modify times with logging events, e.g. auth.log
for SSH connections or the web server logs for stuff being POSTed.
# find /path/to/web/stuff -type f -mtime -30 -ls
gets you things modified within the last 30 days.
If you can pinpoint when it happened then perhaps you can nuke the
sites and restore them to a point before the compromise. I know you
say you don't have access to backups but it's difficult to advise
anything else really…
Cheers,
Andy
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
1:04 p.m.
Hi Ian,
On Thu, Feb 20, 2020 at 12:32:23PM +0000, Ian Hobson wrote:
The low-life had appended a <script> tag to this
field on every
row.
Glad you got it sorted. Did you ever work out how they got access to your database?
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
9:39 p.m.
Andy said:
If it's only the database that's been fiddled with, I'd be wondering
about the security around phpmyadmin.
I'd also check they haven't played with the users.
If you don't need a dynamic site (e.g. for comments) it's well worth
using one of the 'make a static site out of this' plugins, then pointing
the webserver at the results, and only having the WP site live when
you're editing it.
Ian (not that one)
The low-life
had appended a <script> tag to this field on every
row.
Glad you got it sorted. Did you ever work out how they got access to your database?
1766
days inactive
1768
days old
5 comments
4 participants
participants (4)
-
Andy Smith -
ed-bitfolk@s5h.net -
Ian -
Ian Hobson