Linode Community Forums
Posted: Fri Mar 09, 2018 7:47 pm
Senior Newbie

Joined: Sat Aug 15, 2015 4:53 pm
Posts: 13
Hi. Over the past week I've suddenly started having an issue where I get an alert about CPU usage over my threshold. Sure enough, something is cranking up the CPU usage to 100% (sometimes more, however that's possible...) and it stays that way for hours unless I kill the process. The process is different every time, not only in its PID of course, but the name too. This last time it was named phpoRfrE2_ippme. It's always "php" followed by some numbers and _ippme.

I run several WordPress sites, and everything's fully up to date, and nothing looks hacked. I don't get a lot of traffic either. I have also scoured my logs for details as to what is hitting the sites at that time (of course, I have no idea which one it might be). The only oddity is being bombarded by requests from something called BUbiNG (no relation to the Bing crawler), which gives a source URL of http://law.di.unimi.it/BUbiNG.html, and which appears to be a perfectly legit crawler from Italy. I am going to exclude it in my robots file and see if that fixes the problem.

But my main questions are: why would that be causing a problem? And has anyone else had this problem? And what is php(random)_ippme? My Google-Fu is not turning up anything.


Posted: Sat Mar 10, 2018 4:29 am
Senior Member

Joined: Sun Jan 24, 2016 4:30 am
Posts: 298
I've seen something similar a few months ago, but I am not sure if you have the same problem.

On a WordPress site, the CPU would soar to 100% and Wireshark showed weird non-web traffic. After some investigation, I found the following results. One of the WordPress plugins had a vulnerability; a remote attacker used that to upload and execute a PHP script. This particular PHP script, once executed, would delete itself and just remain resident.

Once the server was rebooted, the attacker's script would be gone, but he would monitor this and remotely re-upload and re-execute the same script once the server was back online. This method allowed the attacker to bypass any file integrity checks, anti-virus scans and anything else that might cause the admin to think that something was wrong.

The attacker's PHP script was basically doing mining for one of the less popular cryptocurrencies. Once the vulnerability was closed and the server restored from backup, the attacks stopped.

_________________
:idea: I love my computer... all my friends live there.



Posted: Sat Mar 10, 2018 8:50 am
Senior Newbie

Joined: Sat Aug 15, 2015 4:53 pm
Posts: 13
Well, I blocked that BUbiNG bot, but it didn't help. At 4 am or so it started again.

IfThenElse, can you tell me more about this? Or where I can get more info? WordPress and all plugins for all WordPress sites are up to date, and have always been kept up to date, so that might not be the issue, but I would like to investigate it more.

Any other suggestions would be greatly appreciated! I'm currently at a total loss.


Posted: Sat Mar 10, 2018 9:53 am
Senior Member

Joined: Sun Jan 24, 2016 4:30 am
Posts: 298
Well, hard to give advice out of thin air...

Since it's WordPress, I'd start with disabling ALL plugins and removing them from the plugins directory (so they are not accessible at all). Then reboot for the memory-resident process to go away, then download wordpress-latest.zip from the wordpress.org site and install it on top, just in case any files have been modified. Also change all passwords. If things improve, then it's obvious that WordPress has been compromised.

You can try various tricks, like using the "find" command to detect all modified files from the past X number of days/weeks; CentOS comes with SELinux, which will warn you about AVC errors. Run rkhunter or other popular detection engines. The rest is your typical hardening tricks, like mod_evasive and mod_security for Apache, and disabling all exec-related (shell_exec, exec, etc.) and remote access-related (curl, wget, etc.) functions in PHP.

If you can't manage it yourself, then ask a professional; I believe Linode offers a paid service that may help.

_________________
:idea: I love my computer... all my friends live there.



Posted: Sat Mar 10, 2018 1:04 pm
Senior Newbie

Joined: Sat Aug 15, 2015 4:53 pm
Posts: 13
OK, well, it looks like one of my sites was in some way script-hacked. My logs showed significant weird traffic to the Contact Form 7 plugin. It seems Contact Form 7 hasn't been updated in ages, and may not even be maintained anymore. So I deleted it completely.

But somehow the attackers had modified numerous WordPress PHP files to have includes of files that actually didn't even exist on the system (I checked, of course). Those modified files I restored to the latest official WP version. There were also lots of randomly named .php files, which I deleted. There was *also* an admin user installed called wp.service.controller.(some random stuff), which I of course deleted immediately, and proceeded to change all legit user passwords.

The only extra plugin the site had was Contact Form 7, and that plugin is not on any of my other sites, which I verified to be fine. So maybe that was the attack vector? I'm not sure. My uncertainty causes me some consternation. If I knew how they did this for certain, I could protect my sites in the future.


Posted: Sat Mar 10, 2018 2:51 pm
Senior Member

Joined: Sun Jan 24, 2016 4:30 am
Posts: 298
Hah, Contact Form 7?? That's malware in itself. It always had lots of exploits, to the point that I would wonder if the authors put them there on purpose. There are cases of plugins that have been taken over (bought from the original owner) and then filled with holes and malware.

In my experience, it is quite hard to completely clean a hacked site; usually there is always something left behind that you won't catch, and eventually the attacker will be back. My suggestion in these cases is to restore from backup and at the same time delete the offending Contact Form 7 plugin.

Based on your description, the modified files should have given you a clear and advance warning that something went wrong; it is your responsibility to use file integrity tools like AIDE or Tripwire. In addition, the effects of the hack can be limited with process accounting and SELinux.

If you keep Apache logs old enough, then you may get an idea of how the attack started; google for Contact Form 7 exploits and see if they apply to your version of the plugin.

_________________
:idea: I love my computer... all my friends live there.



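As an added illustration of the log review suggested in this reply (not the poster's code and not a tool from the thread): a first-pass triage script over Apache combined-format access log lines, looking for the pattern the original poster described, i.e. POSTs concentrated on one plugin endpoint followed by requests for PHP files under wp-content/uploads. The log lines are constructed for the example (documentation-range IPs, a hypothetical plugin path "example-form-plugin"); point the script at a real access_log to run it for real.

```shell
#!/bin/sh
# Added example, not part of the original post: triage an Apache access log
# (combined format) for POSTs clustered on upload/login endpoints and for
# requests to PHP files under wp-content/uploads, where PHP should never run.
# The sample log is constructed; IPs are documentation ranges and the plugin
# path "example-form-plugin" is hypothetical.
set -u

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [09/Mar/2018:19:01:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Mar/2018:19:01:03 +0000] "GET /wp-content/themes/example-theme/style.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.77 - - [09/Mar/2018:19:02:10 +0000] "POST /wp-content/plugins/example-form-plugin/upload.php HTTP/1.1" 200 312 "-" "python-requests/2.18"
198.51.100.77 - - [09/Mar/2018:19:02:11 +0000] "POST /wp-content/plugins/example-form-plugin/upload.php HTTP/1.1" 200 312 "-" "python-requests/2.18"
198.51.100.77 - - [09/Mar/2018:19:02:15 +0000] "GET /wp-content/uploads/2018/03/phpAbCd12_example.php HTTP/1.1" 200 12 "-" "python-requests/2.18"
192.0.2.9 - - [09/Mar/2018:19:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2000 "-" "Mozilla/5.0"
192.0.2.9 - - [09/Mar/2018:19:05:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

# Combined log format fields as awk sees them: $1 client IP, $6 "\"METHOD",
# $7 request path, $9 HTTP status.

# post_summary LOG: count POSTs per (client, path) for the endpoints that
# normally receive uploads or logins; output "count ip path", busiest first.
post_summary() {
    awk '$6 == "\"POST" && $7 ~ /^\/(wp-content\/plugins\/|wp-login\.php|wp-admin\/admin-ajax\.php|xmlrpc\.php)/ {
             n[$1 " " $7]++
         }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# php_under_uploads LOG: any request for a .php path below wp-content/uploads
# is worth a look; a 200 there means the server executed (or served) a file
# that a clean install would not contain. Output "ip method path status".
php_under_uploads() {
    awk '$7 ~ /^\/wp-content\/uploads\/.*\.php/ { sub(/^"/, "", $6); print $1, $6, $7, $9 }' "$1"
}

LOG="${1:-$SAMPLE_LOG}"   # pass a real access_log path as the first argument
echo "== POSTs to plugin/login/admin-ajax/xmlrpc endpoints (count ip path) =="
post_summary "$LOG"
echo "== requests for PHP files under wp-content/uploads (ip method path status) =="
php_under_uploads "$LOG"
```

On the constructed sample, the first summary attributes two POSTs to the plugin endpoint and two to wp-login.php, and the second report shows the single successful request for a PHP file under uploads from the same client that hit the plugin; a real log needs the same two questions asked over a longer window, with the timestamps correlated against the CPU alerts.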
Posted: Sat Mar 10, 2018 4:37 pm
Senior Newbie

Joined: Sat Aug 15, 2015 4:53 pm
Posts: 13
Yeah, so some web searches turned up that Contact Form 7 has some security issues. I'm surprised it's still in the WP plugins and not de-listed.

I've wiped and re-installed the site (had to keep the DB though, as that has all the content), and I've also installed WordFence, as that appears to be highly recommended for monitoring these sorts of things. I've installed that on all my sites now.

Thanks for your help in putting me on the right path to finding the problem.


Posted: Sat Mar 10, 2018 6:22 pm
Senior Member

Joined: Sun Jan 24, 2016 4:30 am
Posts: 298
I'm glad it all worked out for you.

Just for future reference, here is a good way to monitor WordPress integrity.

  • Install AIDE:
        yum install aide
  • Configure the /etc/aide.conf file, removing all the default paths (we don't care about root-level hacks here). Then just add the base WordPress files, for example:
        /home/whatever/public_html/index.php NORMAL
        /home/whatever/public_html/wp-admin/ NORMAL
        /home/whatever/public_html/wp-includes/ NORMAL
  • Generate the initial database:
        aide --init
  • Set the "new" database as the current one:
        mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
  • Check for modifications with:
        aide --check

You may do the check within a cron job, once a day or even several times a day. If anything changes WordPress core files, you'll be notified of the change. The only downside is that you will get notified when WordPress updates itself; then you need to re-init the database, but that is not a big deal. You can even arrange for things to happen with Ansible.

_________________
:idea: I love my computer... all my friends live there.



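As an added illustration of the integrity-check cycle in this post and of the "find modified files from the past X days" trick mentioned earlier in the thread (not the poster's commands and not AIDE itself): the same init / promote / check workflow written with sha256sum so it can be tried on any box, restricted to the same core paths the poster's aide.conf example watches. The web root and baseline path are hypothetical and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not part of the original post: a sha256sum-based stand-in for
# the AIDE cycle (init -> promote db -> check) limited to WordPress core files,
# plus the "find files modified in the last N days" trick from earlier in the
# thread. WP_ROOT and BASELINE are hypothetical paths; override via environment.
set -u

WP_ROOT="${WP_ROOT:-/home/whatever/public_html}"
BASELINE="${BASELINE:-/var/lib/wp-integrity/baseline.sha256}"

# core_files ROOT: hash index.php, wp-admin/ and wp-includes/ (the paths the
# poster's aide.conf watches). Plugins and themes are deliberately excluded
# because they change legitimately; output is "hash  ./relative/path", sorted.
core_files() {
    ( cd "$1" && find . -type f \
        \( -path './index.php' -o -path './wp-admin/*' -o -path './wp-includes/*' \) \
        -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# build_baseline ROOT DBFILE: equivalent of "aide --init" followed by moving
# aide.db.new.gz into place. Re-run after a legitimate WordPress update.
build_baseline() {
    mkdir -p "$(dirname "$2")"
    core_files "$1" > "$2"
}

# check_integrity ROOT DBFILE: equivalent of "aide --check". Prints one line per
# CHANGED / NEW / MISSING core file; returns 0 when clean, 1 when anything differs.
check_integrity() {
    tmp=$(mktemp) || return 2
    core_files "$1" > "$tmp"
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }      # first file: baseline
         { if (!($2 in base)) print "NEW " $2
           else if (base[$2] != $1) print "CHANGED " $2
           seen[$2] = 1 }
         END { for (f in base) if (!(f in seen)) print "MISSING " f }' "$2" "$tmp"
    status=0
    cmp -s "$2" "$tmp" || status=1
    rm -f "$tmp"
    return "$status"
}

# recent_php ROOT DAYS: the "find" trick, listing PHP files (anywhere under the
# web root, plugins included) modified within the last DAYS days.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2"
}

# Usage: script.sh init | check | recent [days]; with no argument it only
# defines the functions, so it can be sourced from a cron wrapper.
case "${1:-}" in
    init)   build_baseline "$WP_ROOT" "$BASELINE" && echo "baseline written to $BASELINE" ;;
    check)  check_integrity "$WP_ROOT" "$BASELINE" ;;
    recent) recent_php "$WP_ROOT" "${2:-7}" ;;
    *)      : ;;
esac
```

Run it with `init` once after a clean install (and again after each WordPress core update), then `check` from cron; a non-zero exit is the signal to alert on. As with AIDE, the baseline file must live outside the web root and be writable only by root, otherwise whoever can drop a PHP file can also rewrite the baseline.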
Posted: Sat Mar 10, 2018 7:43 pm
Senior Newbie

Joined: Sat Aug 15, 2015 4:53 pm
Posts: 13
OK, thanks. Maybe I'll try that if WordFence doesn't work out (that's one of the main things it does: monitor for modified and unknown files against the WordPress base code and all known plugins and themes).


Posted: Tue Mar 13, 2018 10:27 am
Senior Member

Joined: Thu Nov 16, 2017 6:59 am
Posts: 137
You are probably compromised.

phpoRfrE2_ippme looks like a temporary name for an uploaded file. Someone found a POST exploit and uploads files to a location from which they can then execute code.

_________________
- emestee,
Lord System Administrator


Posted: Tue Apr 03, 2018 7:03 am
Senior Newbie

Joined: Tue Apr 03, 2018 6:48 am
Posts: 6
Compromised? Nah, I have seen this. It's SMTP port 25 abuse. By default, the PHP configs have it set up; make sure you comment that out unless you are using it.
Here is a firewall I wrote when this happened to me:
https://github.com/diveyez/fw.sh


Posted: Tue Apr 03, 2018 7:03 am
Senior Newbie

Joined: Tue Apr 03, 2018 6:48 am
Posts: 6
WordFence +1, by the way; great tool, if used right.


Posted: Tue Apr 03, 2018 7:11 am
Senior Newbie

Joined: Tue Apr 03, 2018 6:48 am
Posts: 6
Use Ninja Forms instead of Contact Form 7. That will help. If you need help with WordPress, let me know: diveyez@r2nhosting.com https://r2nhositing.com/site/tls

