Malware Issue - WHM/cPanel

Posted by kshazad86, 12-16-2011, 12:26 PM
I've recently had a lot of accounts being infected with malware, mainly WordPress sites. They've been cleaned up now, updating WordPress, security plugins etc. Does anyone know any thing I can do to prevent this from happening again from the server side of things?

Posted by PISG, 12-16-2011, 12:34 PM
Install antivirus and monitor it. How did it become infected? Did someone upload a file, or?

Posted by nomankhn, 12-16-2011, 01:59 PM
It mostly happens when you have 777 directories; monitor these directories. Mostly these directories hold images, so make sure there are no PHP scripts in those dirs.
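As an added example (not from the thread), a small audit script in the spirit of the advice above: it lists world-writable directories under a document root and any PHP-executable files sitting directly inside them, which is where a dropped webshell in an uploads folder would show up. The tree it builds is constructed sample data; `DOCROOT` is an assumed environment variable for running it against a real account.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a document root for
# world-writable (e.g. 777) directories and PHP files inside them.

# Directories with the other-write bit set (POSIX octal form of o+w).
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null
}

# PHP-executable files directly inside those directories. Image/upload
# folders should not normally contain any.
find_php_in_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | while read -r dir; do
        find "$dir" -maxdepth 1 -type f \
            \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' \) 2>/dev/null
    done
}

# Constructed sample tree (not real data) so the functions can be exercised.
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2011/12" "$d/wp-content/themes/ok"
    chmod 777 "$d/wp-content/uploads/2011/12"   # typical "fix" for upload errors
    chmod 755 "$d/wp-content/themes/ok"
    : > "$d/wp-content/uploads/2011/12/photo.jpg"
    : > "$d/wp-content/uploads/2011/12/x.php"     # suspicious: PHP in an image dir
    : > "$d/wp-content/themes/ok/functions.php"   # expected: PHP in a theme dir
    echo "$d"
}

# When DOCROOT (assumed variable) is set, report on that path.
if [ -n "${DOCROOT:-}" ]; then
    echo "# world-writable directories under $DOCROOT"
    find_world_writable_dirs "$DOCROOT"
    echo "# PHP files inside them"
    find_php_in_writable_dirs "$DOCROOT"
fi
```

Run it as `DOCROOT=/home/user/public_html sh audit.sh`; on cPanel boxes a loop over `/home/*/public_html` covers every account. Pair the listing with a `.htaccess` or `php_admin_flag engine off` rule in upload directories so that a file which does land there cannot execute.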

Posted by HostAdmins, 12-16-2011, 04:53 PM
Perform a routine scan of your server files with LMD and you will get the info about files affected with malware. Find out how they have been uploaded/affected.

Posted by Steven, 12-16-2011, 05:01 PM
You could be a victim of a known symlink based exploit. Please read: http://forums.cpanel.net/f185/how-pr...rs-202242.html There is a patch by us (page 4) and others in that thread. We have seen entire servers of wordpress compromised by that exploit. Also are you checking to ensure that timthumb is upgraded on all of the accounts?

Posted by fshagan, 12-16-2011, 09:37 PM
Applying Occam's Razor, the most likely cause is outdated Wordpress core, plug-in or theme files. I use Configserver's CXS to scan for known exploits nightly; a similar open-source product is LMD (Linux Malware Detect), mentioned previously. And I follow the Wordpress dev blog news closely so I know when an update is available.

Posted by beard, 12-16-2011, 09:51 PM
Probably an outdated Wordpress theme or plugin that is running the vulnerable copy of TimThumb, which has been a nuisance for a few months now since theme and plugin authors are not updating their themes with a new version of TimThumb.

Posted by billaa, 12-19-2011, 01:45 PM
These things happen. Using an up-to-date antivirus helps to some extent, but even then you can't completely control malware infection. So it is always better to update the backup every day, so that you can restore everything very quickly even if there are attacks.

Posted by fshagan, 12-19-2011, 10:19 PM
Antivirus has been mentioned twice in this thread, but AFAIK antivirus does not detect malware like the typical Javascript redirect exploits. LMD or CXS are your best defense in this case. CXS features the ability to scan uploads as they happen via FTP or FileManager to try and catch the malware before it actually does anything.

Posted by hb9aj4fn, 12-20-2011, 04:11 AM
Thanks. DirectAdmin has now applied your patch to custombuild. Nice. http://www.directadmin.com/forum/sho...681#post214681

Posted by Dexqt, 12-20-2011, 08:43 AM
You wouldn't really need LMD or CXS if you monitor the software applications on your server, and keep them up to date to the latest stable release. That said of course keeping your kernel updated and patched will play a big role. Not ruling those applications out, but why wait until the problem occurs when you can prevent it in the first place. Food for thought.

Posted by fshagan, 12-20-2011, 11:51 AM
The problem for hosting providers is having to check each and every one of their customers' sites for outdated scripts, plug-ins and themes. The OP mentioned multiple "accounts" and asked for a server-side solution. I had 22 customers and I did check all of their sites every time there was a new release of Wordpress, Coppermine, Joomla, SMF, phpBB or Drupal. But it took a lot of time. That was OK, because I fully managed the sites. A host with a couple of hundred accounts that he doesn't personally manage could never afford to take the time.

Server-side solutions:

1. Doesn't Softaculous include an update facility of sorts, notifying the host when new releases of installed software are available? Getting all your users to always use Softaculous is a problem, though, as the "human element" is often the most difficult to control.
2. Nightly scanning for infections using LMD or CXS.
3. Good security practices (i.e., software firewall, limiting outbound email to 200 - 300 per hour, mod_security, etc.)
4. If you are looking for a certain script that is out of date, you can do what Mike did at MDDHosting a while ago, identifying the total number of all outdated Wordpress installations on his servers:

The first command gives the number of WP accounts, the second gives the ones that are not version 3.3. So let's say the first command says you have 18 installations total, and 3 are not version 3.3. How do you find them? Using the date of the last known update, I look for the installations prior to that date (in this case, I'm using 20 days in the past):

This gives me other "version.php" files, and I'm not enough of a linux ninja to filter them better than that, but at least within the results are the 3 outdated files I'm looking for. The ultimate solution may be silent auto-updating, as planned by Wordpress (although obviously missed in the 3.3 release this month).
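The commands the post refers to did not survive on this page, so the following is an added example (mine, not the poster's or MDDHosting's) of the same server-side inventory: it locates every `wp-includes/version.php` under a root, reads the `$wp_version` string from it, and prints the installs whose version differs from the one you expect. Reading the version string rather than the file's modification time avoids the false positives the post mentions. The directory layout it builds is constructed sample data; the `/home/*/public_html` convention is an assumption about a cPanel host.

```shell
#!/bin/sh
# Added example, not code from the thread. Inventories WordPress installs
# by the version string in wp-includes/version.php.

# Extract the value of $wp_version from a version.php file.
wp_version_of() {
    sed -n "s/^\$wp_version *= *'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# All WordPress installs (by their version.php) under a root directory.
find_wp_version_files() {
    find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null
}

count_wp_installs() {
    find_wp_version_files "$1" | wc -l | tr -d ' '
}

# Print "<version>\t<install dir>" for every install not at the wanted version.
list_outdated() {
    root=$1; want=$2
    find_wp_version_files "$root" | while read -r f; do
        v=$(wp_version_of "$f")
        if [ "$v" != "$want" ]; then
            printf '%s\t%s\n' "${v:-unknown}" "$(dirname "$(dirname "$f")")"
        fi
    done
}

# Constructed sample tree (not real data): one current install, one outdated.
build_sample_wp_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/user1/public_html/wp-includes" "$d/user2/public_html/blog/wp-includes"
    printf '<?php\n$wp_version = '"'"'3.3'"'"';\n' > "$d/user1/public_html/wp-includes/version.php"
    printf '<?php\n$wp_version = '"'"'3.2.1'"'"';\n' > "$d/user2/public_html/blog/wp-includes/version.php"
    echo "$d"
}

# With WP_ROOT (assumed variable) set, e.g. WP_ROOT=/home, report live.
if [ -n "${WP_ROOT:-}" ]; then
    echo "installs: $(count_wp_installs "$WP_ROOT")"
    echo "not at ${WP_WANT:-3.3}:"
    list_outdated "$WP_ROOT" "${WP_WANT:-3.3}"
fi
```

Run `WP_ROOT=/home WP_WANT=3.3 sh wp-inventory.sh` from a cron job and mail the output; the second column is the install directory, which maps straight back to the account that needs the upgrade notice.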

Posted by SOLONE, 12-20-2011, 12:44 PM
We have seen a lot of these attacks logged on our Web Application Firewall, and so far our customers' wordpress sites have been spared from it. I would recommend having at least a WAF in front of these apps, even if just by using mod_security.

Posted by Steven, 12-20-2011, 02:14 PM
Bitchin!!!

Posted by Patrick, 12-20-2011, 02:28 PM
Wonder if cPanel will make it an option for EasyApache...

Posted by Steven, 12-20-2011, 02:33 PM
Not in a million years. Too much ego.

Posted by Farzadx, 12-26-2011, 03:28 AM
Hello, has anyone suffered with LMD? Like it killing .MYD files, or?
