Attack on WordPress sites

SYSTEM INFORMATION
OS type and version REQUIRED
Virtualmin version REQUIRED

Debian 12, Virtualmin; Usermin version 2.302, Virtualmin version 7.30.8

Cloudmin version 9.8 Pro

I have Cloudmin and 6 servers. I have been under attack since July 24th; everything is down. I thought Virtualmin would provide protection for a single host? But they wiped everything on the 6 servers connected to Cloudmin.


I think that depends very much on how you installed it and how you set it up apart from the basic Virtualmin.

Use a plugin like Wordfence in your WordPress sites; it would block attacks.

A few questions about your setup

  1. Were all 6 servers running WordPress?
  2. Did you have Fail2Ban set up in WP Workbench?
  3. Did you have a security plugin installed (which one)?
  4. Did you disable xml-rpc?
  5. Do you proxy with Cloudflare or other provider?

Just trying to get a scope of what your actual situation is. I run quite a few WP sites on Virtualmin and other platforms, and may be able to help narrow down the root cause.

We’d need more information.

Define “protection”? Virtualmin configures WordPress (and any other app running on a Virtualmin-managed Virtual Host) to run as the domain owner user, so an exploit of one site won’t affect others.

How could that be related to WordPress? WordPress can’t “wipe everything”.

What does “wipe everything” mean? The entire server? Just the WordPress websites?

A few questions about your setup

  • Were all 6 servers running WordPress?
    yes
  • Did you have Fail2Ban set up in WP Workbench?
    no
  • Did you have a security plugin installed (which one)?
    no
  • Did you disable xml-rpc?
  • Do you proxy with Cloudflare or other provider?
    no, I have my own firewall on the servers and on the main router

run the daemon process and send spam. I have a vulnerability because the servers where WordPress was are under this attack; they contacted me and demanded 500 euros in cryptocurrency.

Virtualmin won’t protect an insecure WordPress (or any other software) install.

/usr/bin/perl /usr/share/webmin/authentic-theme/xhr.cgi

This file has a CPU usage of 30% - it’s probably triggering a virus.
We’re still checking.

What has that got to do with wordpress xml-rpc ?

I’m not sure what are we fixing here ?

The first step is to identify how the attackers entered.

  1. If they have the right passwords, they can do whatever they want (you should first change every password).

  2. If you have a virus, anything can go wrong on these servers (you should contact the hosting provider; they must provide a minimum of assistance).
    A little note: if you used an extremely weak password before the Virtualmin setup (or any kind of setup), when you installed the server, that is an enormous security breach, and probably the attackers entered at that time and waited for the right moment to strike. (They might already have been inside for 2 months.)

  3. If there is an exploit in WordPress (and it’s possible; you should contact them).

  4. If it wasn’t you who set up the server, the problem might be the “Dev” who installed everything (hire a better/more honest dev, unless you didn’t pay the first one: pay him and it should work fine).

  5. Worst case scenario: if you have spyware on your home computer, attackers can do absolutely everything they want (you have to find it and remove it).

There are a lot of other possibilities …

But first you have to discover how it happened. Without that, it’s extremely hard to fix.

Whatever happens (it might be obvious), you should NOT pay anything.

Still, none of this is related to Virtualmin (nor to any cPanel).

Yes, but all servers were connected via Cloudmin. Root passwords were created using KeePass, 256-bit. We’re trying to determine where and how this happened. This is my server, and we have a firewall installed on every VPS.

We provide services to cyberplaneta.pl.

A firewall mainly closes ports for services you don’t want the general public to see, such as your printer service. (EDIT: It can also be used by things like fail2ban to block IPs and known bad actors.) There is no way this helps with a vulnerable application. You can’t really firewall a public service like http/https.

On critical servers you could maintain logging on a separate machine that is write-only, so attackers can’t as easily cover their tracks.

WordPress has a huge install base and therefore lots of miscreants looking for vulnerabilities. Most often this is a plugin and not the base. That is why you need, as mentioned above, a WP-specific approach to protect it.

But, this is all guessing until you know HOW they got in. Good luck. Keep us informed.
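The "WP-specific approach" above usually starts with what Fail2Ban does: watch the web server access log for clients hammering wp-login.php and xmlrpc.php and drop them at the firewall. The script below is an added example, not code from the thread or from Virtualmin, and does that one pass over a constructed combined-format access log (the addresses are documentation ranges, not real traffic). It assumes the log is in Apache/Nginx combined format, which is what Virtualmin writes for each domain; the threshold and the `iptables` form of the block rule are choices for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): count POSTs to wp-login.php and xmlrpc.php
# per client IP in a combined-format access log and report clients over a
# threshold. This is the same detection a Fail2Ban jail applies continuously;
# here it runs once over a constructed sample so it can be exercised offline.

# Constructed sample log (not real traffic). 203.0.113.5 hammers wp-login.php and
# xmlrpc.php; 198.51.100.7 is an ordinary visitor with one failed login.
SAMPLE_LOG="${TMPDIR:-/tmp}/wp-access-sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [24/Jul/2025:03:10:01 +0200] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Jul/2025:03:10:02 +0200] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Jul/2025:03:10:03 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Jul/2025:03:10:04 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Jul/2025:03:10:05 +0200] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Jul/2025:03:11:00 +0200] "GET / HTTP/1.1" 200 15320 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Jul/2025:03:11:05 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

# wp_abusers LOGFILE THRESHOLD
# Prints "count ip" for every client that POSTed to wp-login.php or xmlrpc.php
# at least THRESHOLD times, most active first. In combined format field 1 is the
# client IP, field 6 is the quoted method and field 7 the request path.
wp_abusers() {
    awk -v min="$2" '
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }
    ' "$1" | sort -rn
}

# block_commands LOGFILE THRESHOLD
# Prints (does not run) one firewall rule per offending client so the list can
# be reviewed before it is applied. Fail2Ban would apply these automatically
# and expire them after its bantime.
block_commands() {
    wp_abusers "$1" "$2" | while read -r count ip; do
        echo "iptables -I INPUT -s $ip -j DROP   # $count login/xmlrpc POSTs"
    done
}

# Run it against the constructed sample: only 203.0.113.5 crosses the bar.
wp_abusers "$SAMPLE_LOG" 3
block_commands "$SAMPLE_LOG" 3
```

On a real Virtualmin host point `wp_abusers` at a domain's access log (typically `/var/log/virtualmin/DOMAIN_access_log`). A burst of POSTs to xmlrpc.php that all return 200 is the pingback/brute-force pattern that makes the "did you disable xml-rpc" question above matter; disabling XML-RPC, or proxying through a provider that filters it, removes that surface entirely rather than rate-limiting it.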

Which leads to Sprzedaje.tv (a kind of demo site), which itself leads to klbtheme.com …? This makes for a lot of “unfinished” platforms.

Still, concerning the password, it also depends on when it was created and how it’s stored.

That’s the realtime data service for the Webmin/Virtualmin UI. It has nothing to do with WordPress. And is probably not triggering a virus.

30% usage seems high, if it’s always going, but I guess it could happen if you have a lot of active logged in sessions.

You’d need to look at the process list, lsof, and maybe an strace to see what processes it has spawned to know more about what it’s doing and if it’s doing something nefarious. Since that file is owned by root, I would be surprised if it’s been modified…but, if someone “wiped” all of your servers (you still haven’t explained what that means, I’m still guessing wildly about what problem we’re trying to solve…whether you have a root-level exploit or a WordPress exploit) via Cloudmin they’d have to have some sort of elevated privileges.
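The post above lists the checks that decide between "root-level exploit" and "WordPress exploit": what the suspicious process actually is, whether a root-owned file has been replaced, and whether someone logged in as root. The helpers below are an added example, not code from the thread or from Virtualmin/Webmin. The two log-style checks run here on constructed `/etc/passwd` and `auth.log` samples (documentation addresses, invented host and account names); `pid_triage` and `pkg_verify` are live wrappers for a Debian host and are assumed to be run as root there.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for a suspected root-level
# compromise on a Debian/Virtualmin host.

# extra_uid0 PASSWD_FILE : every account other than "root" with UID 0. A second
# UID-0 account is a classic backdoor left behind after a password break-in.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# ssh_accepts AUTHLOG : successful sshd logins summarised as "count method user ip",
# most frequent first. Password logins for root from unfamiliar addresses are the
# first thing to look for when the root password is the suspected entry point.
ssh_accepts() {
    awk '/sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++)
                if ($i == "Accepted") { m = $(i+1); u = $(i+3); ip = $(i+5) }
            n[m " " u " " ip]++
        }
        END { for (k in n) printf "%d %s\n", n[k], k }' "$1" | sort -rn
}

# pid_triage PID : owner, parent, start time, exe, cwd, children and open
# sockets of one process (the process list / lsof step). lsof is optional.
pid_triage() {
    pid=$1
    ps -o pid=,ppid=,user=,lstart=,args= -p "$pid"
    if [ -d "/proc/$pid" ]; then
        echo "exe: $(readlink "/proc/$pid/exe")"
        echo "cwd: $(readlink "/proc/$pid/cwd")"
    fi
    echo "children:"
    ps -o pid=,user=,args= --ppid "$pid" 2>/dev/null
    if command -v lsof >/dev/null 2>&1; then
        echo "network sockets:"
        lsof -nP -a -p "$pid" -i 2>/dev/null
    fi
}

# pkg_verify FILE : compare a packaged file with the md5sum dpkg recorded at
# install time. No output means unchanged. Note that root-owned is not the same
# as unmodified: an attacker with root can replace the file and keep the owner.
pkg_verify() {
    pkg=$(dpkg -S "$1" 2>/dev/null | cut -d: -f1)
    [ -n "$pkg" ] || { echo "not owned by any package: $1"; return 2; }
    dpkg --verify "$pkg" 2>/dev/null | grep -F -- "$1"
}

# Constructed samples (not real data) so the text checks run offline.
SAMPLE_PASSWD="${TMPDIR:-/tmp}/passwd-sample.$$"
SAMPLE_AUTH="${TMPDIR:-/tmp}/auth-sample.$$"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
example.com:x:1001:1001::/home/example.com:/bin/sh
backup2:x:0:0::/var/tmp/.x:/bin/bash
EOF
cat > "$SAMPLE_AUTH" <<'EOF'
Jul 22 01:02:03 srv1 sshd[1811]: Accepted publickey for admin from 192.0.2.10 port 40211 ssh2
Jul 24 03:12:44 srv1 sshd[2211]: Accepted password for root from 203.0.113.5 port 51234 ssh2
Jul 24 03:12:46 srv1 sshd[2214]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jul 24 03:13:01 srv1 sshd[2220]: Accepted password for root from 203.0.113.5 port 51260 ssh2
EOF

echo "extra UID-0 accounts:"; extra_uid0 "$SAMPLE_PASSWD"
echo "accepted ssh logins:";  ssh_accepts "$SAMPLE_AUTH"
```

On the real host: `extra_uid0 /etc/passwd`, `ssh_accepts /var/log/auth.log` (on Debian 12 without rsyslog, save `journalctl -u ssh -o short` to a file first), `pid_triage "$(pgrep -f xhr.cgi | head -n 1)"` and `pkg_verify /usr/share/webmin/authentic-theme/xhr.cgi`. Run these before reinstalling, and copy the logs off the box: a rebuild from the same image with the same root password, which is what the thread describes, tells you nothing about how they got in and leaves the door open.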

This seems to be a reseller site and the language is Polish. Seems to be selling VPS and WP sites. I’m not sure the OP is even using the same language convention we are expecting.

Server and VPS seems to be used interchangeably.

Is this ONE physical server?

It seems unlikely that every WP install would be affected on different VPSes. Are ONLY WP sites located on these servers? Are the rest unaffected?

However, if you reinstall the whole OS and Virtualmin, restore a backup, and despite all of this the hackers can still do whatever they want …

I would say it narrows down the possibilities: it might be the app itself which allows them to enter the vault, or you have spyware somewhere. I may be wrong.

I’m baffled by the fact that I have this on six servers in different locations, connected to Cloudmin, and everything is broken. I’ve already reinstalled the systems and uploaded uninfected copies.

It saddens me that this happened; I don’t know what to think. Is the system leaky, and how did this happen?

You still have not said how the intruder got access to the system. Can you share that with us or not?

Can you concentrate your efforts on just ONE server?

@Joe gave you a good pointer.
We still have little information on what you actually have running here.

I asked, and you never clarified, the infrastructure. I realize you were perhaps a tad frantic but you have now done that in one sentence.

You need to look at every machine that accessed the Cloudmin interface for malware and perhaps, if possible, firewall by IP those that are allowed access.

Not much help now but maybe on the horizon for future (hopefully not) problems.

a scalable cybersecurity suite that automates many tasks involved in cyberattack investigations, and can schedule over 1,700 jobs per second and ingest over 10 million files per hour per permission group.
