• Hi guys, we experienced another file upload breach and cannot find the source. We got this report:
    The malware and virus scans have both completed on your files. The virus scan didn’t identify anything, however the malware scan reported the following (path is relative to /home/mysite/public_html):
    `{HEX}php.joomla.hide_in_google.454 : ./wp-includes/js/tinymce/plugins/plugin.php`
    Does this look familiar? I can’t find the HEX prefix in any file, visible or invisible… Also, we are getting some kind of processor overload in cPanel and it started around the same time:

    IMPORTANT: Do not ignore this email.
    This is cPanel stats runner on vps.imysite.com!
    While processing the log files for user imysite, the cpu has been
    maxed out for more than a 6 hour period. The current load/uptime line on the server at the time of
    this email is
    00:51:04 up 18 days, 3:23, 1 user, load average: 3.99, 3.99, 3.64
    You should check the server to see why the load is so high and take
    steps to lower the load. If you want stats to continue to run even with a high load; Edit
    /var/cpanel/cpanel.config and change extracpus to a number larger then 0 (run
    /usr/local/cpanel/startup afterwards to pickup the changes).

Viewing 5 replies - 1 through 5 (of 5 total)
  • Yes, this happened to us.

    This file was flagged by a malware scan:
    /wp-includes/js/tinymce/plugins/plugin.php

    As well as a directory full of strange links.

    I did Google search and found the following, which describes the issue.

    It appears to be a link building exploit, which I noticed in my analytics stats because we were getting hits on keywords that we never wrote.

    Now that I’ve deleted the offending folder, I’ll have to see if it’s resolved in the next few days. Right now, we’re getting a lot of weird search traffic because those weird links got indexed.

    Thread Starter jefferisp7

    (@jefferisp7)

    Which folder did you delete? I deleted the folder of bad links but the exploit has returned. Did you delete tinymc also?

    I deleted a few things.

    First off, I also deleted the folder of bad links which I found in:

    /public_html/[suspicious foldername]

    Then I deleted the file plugin.php found here:

    /public_html/wp-includes/js/tinymce/plugins/plugin.php

    (deleting tinymce will cause more bad than good. It’s part of WordPress in my case)

    Note, that plugin.php had 777 permissions when I found it. I first renamed it to plugin.php.bad and made sure my website still worked properly. After inspecting the content of the file, I confirmed that it was suspect, and deleted it.

    Finally, I noticed that my .htaccess file ALSO had 777 perms, which it should never have. I changed those perms to 644.

    And that’s it. Relatively easy to remove BUT our search traffic is messed up now since those links were indexed. I’m going to keep an eye out for anything weird in the next few days.
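The cleanup the reply above walks through (locate the PHP file dropped under wp-includes/js/tinymce/plugins, rename it instead of deleting it outright, then fix the 777 permissions on the file and on .htaccess) can be turned into a repeatable audit. The script below is an added example, not code from the thread or from WordPress; it builds a constructed sample docroot in a temp directory so it runs offline, and the function names, the sample file contents and the "quarantine by renaming to .bad" convention are the example's own assumptions. It goes slightly beyond the thread by checking the whole tree for world-writable files rather than the two the poster happened to notice.

```shell
#!/bin/sh
# Added example (not from the thread): audit a WordPress docroot for the two
# symptoms described above, world-writable files and PHP files sitting in a
# JavaScript-only directory, then quarantine what is found.

# List regular files whose mode grants write access to "other" (666/777 etc.).
# -perm -002 matches any mode that has the other-write bit set.
find_world_writable() {
    find "$1" -type f -perm -002 2>/dev/null | LC_ALL=C sort
}

# List PHP files under wp-includes/js. Core WordPress ships no PHP there, so
# any hit deserves inspection (the thread's example was tinymce/plugins/plugin.php).
find_php_in_js_dirs() {
    find "$1/wp-includes/js" -type f -name '*.php' 2>/dev/null | LC_ALL=C sort
}

# Succeed only when .htaccess exists with exactly mode 644.
is_htaccess_644() {
    [ -n "$(find "$1/.htaccess" -type f -perm 644 2>/dev/null)" ]
}

# Quarantine suspect PHP files by renaming them with a .bad suffix (so they can
# still be inspected offline, as the poster did) and strip their permissions,
# then restore .htaccess to 644.
quarantine_and_fix() {
    site=$1
    find_php_in_js_dirs "$site" | while IFS= read -r f; do
        mv "$f" "$f.bad" && chmod 600 "$f.bad"
    done
    [ -f "$site/.htaccess" ] && chmod 644 "$site/.htaccess"
}

# Print a human-readable report; exit status 1 if anything needs attention.
audit_site() {
    site=$1
    status=0
    ww=$(find_world_writable "$site")
    if [ -n "$ww" ]; then
        printf 'World-writable files:\n%s\n' "$ww"
        status=1
    fi
    php=$(find_php_in_js_dirs "$site")
    if [ -n "$php" ]; then
        printf 'PHP files under wp-includes/js:\n%s\n' "$php"
        status=1
    fi
    if ! is_htaccess_644 "$site"; then
        printf '.htaccess is missing or not mode 644\n'
        status=1
    fi
    return $status
}

# Constructed sample docroot reproducing the thread's findings: a placeholder
# plugin.php dropped into tinymce/plugins with mode 777, and a 777 .htaccess.
make_sample_site() {
    sample=$(mktemp -d)
    mkdir -p "$sample/wp-includes/js/tinymce/plugins"
    printf '/* constructed legitimate JS file */\n' > "$sample/wp-includes/js/tinymce/plugins/plugin.min.js"
    printf '<?php /* constructed placeholder, not real malware */\n' > "$sample/wp-includes/js/tinymce/plugins/plugin.php"
    chmod 777 "$sample/wp-includes/js/tinymce/plugins/plugin.php"
    printf 'RewriteEngine On\n' > "$sample/.htaccess"
    chmod 777 "$sample/.htaccess"
    echo "$sample"
}

# Usage on a real install: audit_site /home/mysite/public_html, review the
# report, then quarantine_and_fix the same path. Demo run against the sample:
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_sample_site)
    audit_site "$demo" || true
    quarantine_and_fix "$demo"
    audit_site "$demo" && echo "clean after remediation"
    rm -rf "$demo"
fi
```

Renaming rather than deleting keeps the evidence for inspection, and chmod 600 on the renamed copy means the web server can no longer read or execute it even if the rename were reverted; the audit can be re-run daily, since the thread reports the dropped file returning after a partial cleanup.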

    Thread Starter jefferisp7

    (@jefferisp7)

    thanks, following your example.

    You’re welcome. Let us know if that works!

  • The topic ‘security breach, unknown cause…?’ is closed to new replies.