Server hacked - how to start scanner from VM?

SYSTEM INFORMATION
OS type and version CentOS Linux 7.9.2009
Virtualmin version 7.5

Hi, my server, or rather at least one WP website, seems hacked. How can I run ClamAV or another scanner/repair tool from the VM interface?

Thx

Dan

And regarding the ClamAV CVE-2023-20032 and CVE-2023-20052:

how can I check my update status?

Thx

Dan

You have to research any specific hack and follow the recommendations. Even then, that’s no guarantee. There are a few rootkit checkers. They only help to a point. Some give lots of false positives but might be useful when you know what you are looking for.

This is NOT a click a button and relax issue. Sorry.


Can you even trust them? :cry:

Nature of the beast - they attract them like :fly: to :poop:


You’ll need to run freshclam first to make sure you’ve got the latest patterns, then

clamscan -r /folder-of-your-choice. To scan the entire home:

clamscan -rv /home

It’s going to generate a lot of output (-v = verbose), so stick it in a file with > clam.log and trawl through it later.

As for WordPress, yep, it’s a daily thing. Deleting everything in public_html and restoring it from a backup is pretty much the only safe way to do it without spending a week picking through all the code.

Hope that helps, good luck.

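Added example (mine, not from the post above or from the ClamAV project): the same freshclam-then-clamscan procedure as a POSIX shell script, with the two details a script should get right: clamscan exits 1 when it finds something (so a script running under set -e would abort on the first hit unless the status is handled), and -i logs only the flagged files rather than -v logging every file scanned. It also prints the engine version, which is what the update-status question earlier in the thread needs to compare against the ClamAV advisory for CVE-2023-20032 and CVE-2023-20052. The function names, the default log name and the target path are my own choices; clamscan and freshclam are assumed to be installed and on PATH.

```shell
#!/bin/sh
# Added example: scan a tree with ClamAV and interpret the result correctly.
# Assumes clamscan/freshclam are installed (clamav package on CentOS 7).
# Function names and the default log name are illustrative choices, not
# ClamAV conventions.

# Engine and signature versions, e.g. "ClamAV 0.103.x/26xxx/<date>".
# The first field is the engine version to check against the CVE advisory;
# "rpm -q clamav" gives the installed package version on CentOS.
clam_version() {
    clamscan --version 2>/dev/null || echo "clamscan not installed"
}

# clamscan exit status: 0 = nothing found, 1 = one or more files flagged,
# 2 = error (bad path, missing database, ...). A "set -e" script treats 1
# as a failure, so map it explicitly instead of letting the run abort.
clam_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# Number of detections in a clamscan log. Each hit is one line of the form
# "/path/to/file: Signature.Name FOUND"; the summary lines do not match.
clam_hits() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c ': .* FOUND$' "$1" || true
}

# run_clam_scan TARGET [LOGFILE]
# Refreshes signatures, scans TARGET recursively, records only flagged files
# in LOGFILE (clamscan appends to it) and prints a one-line summary.
# Returns clamscan's own exit status.
run_clam_scan() {
    target=$1
    log=${2:-clamscan-$(date +%Y%m%d-%H%M%S).log}
    # An unreachable mirror should not cancel the scan; use the local database.
    freshclam || echo "freshclam failed, scanning with existing signatures" >&2
    # -r recurse, -i list only infected files, --log keep a copy of the output.
    # The if/else keeps a "set -e" caller alive when the status is 1.
    if clamscan -r -i --log="$log" "$target" >/dev/null; then
        rc=0
    else
        rc=$?
    fi
    echo "target=$target status=$(clam_status "$rc") hits=$(clam_hits "$log") log=$log"
    return "$rc"
}

# Usage: ./clamscan-home.sh /home   (run as root so every file is readable)
if [ $# -gt 0 ]; then
    clam_version
    run_clam_scan "$@"
fi
```

After the run, `grep FOUND clamscan-*.log` lists the flagged paths; a status of error with zero hits usually means the signature database is missing or the target path is wrong, not that the tree is clean.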

Thx guys!!!

My admin could help, with maldet.

Have a great Sunday

Dan

ClamAV isn’t great for detecting WordPress or web app exploits.

There are tools for checking WordPress files against checksums, which would be a good start. You could just download a fresh tarball of WordPress (same version you have) and compare all your core files to that using diff, which does the same thing, and would show you what changes you have. As long as you’re following best practices for development, you’ll have very few changes and only in config files. Any other core changes would potentially indicate crumbs left by the attacker (backdoors, etc.).

You’d need to check all your plugins, too, in the same way (download a pristine copy, and diff between the installed one and the new copy). And, plugins are usually how folks get in…the WordPress core team is quite competent and has a good security record, third party devs vary wildly. You should be extremely careful about third party plugins, and review the code much more carefully than WordPress core.

As I said, there are tools that automate that, but I don’t know how good they are. I’ve never used them. I’ve been pretty lucky with my WordPress deployments…no attacks, so far. But, I mostly run pretty minimal installations with core and a few modules and a well-vetted theme.

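Added example (mine, not Joe's and not WordPress's own checksum tooling): the pristine-copy comparison described above as a POSIX shell function that reports every modified, missing and extra file, plus a second function that greps only the modified and extra PHP files for the usual markers of injected code. The marker list is my own heuristic, not a signature set, and core itself calls base64_decode legitimately in places, which is why only files that already differ from the pristine tree are inspected. The same two functions work for a plugin directory against a freshly downloaded copy of the same plugin version. Directory names are placeholders; only coreutils (find, cmp, grep) are needed.

```shell
#!/bin/sh
# Added example: compare an installed WordPress tree with a pristine copy of
# the same version and list the differences. Assumes PRISTINE is an unpacked
# wordpress.org tarball of the same core (or plugin) version. Function names
# and the grep marker list are my own choices.

# wp_integrity INSTALLED PRISTINE
# One line per difference, relative path as printed by find:
#   MODIFIED ./path   present in both trees, content differs
#   MISSING  ./path   present in the pristine tree only
#   EXTRA    ./path   present in the installed tree only
wp_integrity() {
    installed=$1
    pristine=$2
    ( cd "$pristine" && find . -type f | sort ) | while IFS= read -r f; do
        if [ ! -f "$installed/$f" ]; then
            echo "MISSING $f"
        elif ! cmp -s "$pristine/$f" "$installed/$f"; then
            echo "MODIFIED $f"
        fi
    done
    ( cd "$installed" && find . -type f | sort ) | while IFS= read -r f; do
        [ -f "$pristine/$f" ] || echo "EXTRA $f"
    done
}

# flag_injected INSTALLED PRISTINE
# Of the MODIFIED and EXTRA .php files, print those containing common
# obfuscation/loader calls. Heuristic: expect some false positives in plugin
# code, and none of these markers is required for a backdoor to work.
flag_injected() {
    wp_integrity "$1" "$2" | while read -r kind f; do
        case "$kind" in MISSING) continue ;; esac
        case "$f" in *.php) ;; *) continue ;; esac
        if grep -qE 'eval\(|base64_decode\(|gzinflate\(|gzuncompress\(|str_rot13\(|assert\(' "$1/$f"; then
            echo "$kind $f"
        fi
    done
}

# Usage:
#   wp_integrity /home/dan/public_html /tmp/wordpress-pristine | grep -v '^EXTRA ./wp-content/'
#   flag_injected /home/dan/public_html /tmp/wordpress-pristine
if [ $# -eq 2 ]; then
    wp_integrity "$1" "$2"
    echo "--- suspicious php among modified/extra files ---"
    flag_injected "$1" "$2"
fi
```

Expect wp-config.php and anything deliberately customised to show up as MODIFIED; every other modified core file, and every EXTRA .php under wp-content/uploads, needs an explanation. Excluding wp-content from the first pass keeps the core comparison readable; then run the same comparison per plugin directory against its own pristine download.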

I use this; they seem pretty good. There is a free plan for one site.

P.S. I think you will need to pay for the cleaning (usual thing) if it finds something, but at least you know it’s a WordPress issue.


Thx Guys,

I so much appreciate your help and this community!

Seems that there still is a backdoor, because the malware files come back… and this site has a load of plugins (a load of different uses for this site) :frowning:

@Joe didn’t know that the plugins mostly are the “backdoor”, darn. I would normally just reinstall WordPress itself. OK, so in the worst case I need to reinstall 15 or so plugins… thanks a lot for your help!

@stefan1959 Thx for the hint… does it also clear sites of malware? And do you also use Wordfence or such with it?

@GENLTD Thank you so much! Since my admin was available I did not try that yet, but that’s the info I needed, and as I am on my own this Sunday it might be a lifesaver… Thank you!!!

@Stegan thank you, yes, it really seems the “normal” tools like maldet (I think that’s ClamAV, right?) do not find everything

@ID10T oh oh… well, on Monday my admin is back, we will go into the rootkit stuff

Damn, the ***holes, just because 1 in 10000000000 people is stupid enough to buy the Viagra they use my site to advertise… they shall rot in hell!!! Useless lowlifes

Question: It seems there is no VM interface to run these scans, right?

Thx to all of you
Dan

It only cleans on the paid version. The free one will scan at least; if it does find anything you will have to decide whether to pay. The paid version is good at stopping new infections and blocking hacks.
I’ve never used Wordfence, maybe I should try it when my one year is up.

@stefan1959 thx Stefan… I only use the Wordfence free version, not sure if it would remove malware, seems good at blocking it… What you should have a look at is GOTMLS (nice WP plugin using maldet, to my knowledge, on the WP level)

Will have a deeper look at Malcare, too!

Best
Dan

Maldet does a great job for me. I have it configured like this,

It removes malware automatically and sends me an email whenever it detects something. You should try it.

Can you give specific examples of what it has detected and alerted you to?

Yes, here’s one from a few hours ago,

Have you verified these are indeed malware?

Yes, MutiOS.CoinMiner is malware that mines cryptocurrency. The files may be from other projects, but they are infected. If you open these files, you can see encoded PHP code. High CPU usage is a sign of this kind of attack.

I think hackers are exploiting outdated WordPress plugins or PHP itself. This particular server runs PHP 7.4 for the most part and a lot of outdated plugins. My client is very slow to react to this, so I’m tackling this with Naxsi right now,

which is stopping the attack altogether. But the infected files needed cleaning. I used the Wordfence plugin for that. Everything is back to normal now. Thanks to the awesome free tools out there.


Ah. My bad. I just saw the files and not the first part. Sweet!


FWIW, I once got a site infected… Cleaned the files and everything, fresh WordPress… But then the malware came back right away.

As it turns out, the malware had installed an application somewhere in the virtual file system (chrooted) and set up a user cron task for it. At that time I didn’t know a regular hosted site could do that, but apparently it can, and that malware was able to resurrect itself like that.
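Added example (mine, not from the post above): where that kind of persistence lives on a CentOS 7 / Virtualmin box and a shell function to audit it. Per-user crontabs are files under /var/spool/cron/<user> (system jobs are in /etc/crontab, /etc/cron.d and the cron.hourly/daily/weekly/monthly directories), and a web shell running as the site's user can install one with the ordinary crontab command, which is all the "resurrection" needs. The indicator patterns are my own choices of what usually looks wrong in a hosting crontab, not a signature list, and the scratch directories passed to the second function are likewise illustrative.

```shell
#!/bin/sh
# Added example: audit cron entries and world-writable scratch directories for
# self-resurrecting persistence. CentOS 7 paths; the indicator regex and the
# function names are my own choices.

# audit_crontab FILE USER
# Print "USER: line" for every non-comment line of FILE that
#   - runs something from /tmp, /var/tmp, /dev/shm or a dot-directory,
#   - pipes curl/wget output into a shell,
#   - decodes base64 or runs inline php/perl/python code.
# A normal scheduler job such as "php .../wp-cron.php" does not match.
audit_crontab() {
    file=$1
    user=$2
    grep -vE '^[[:space:]]*(#|$)' "$file" 2>/dev/null \
        | grep -E '/tmp/|/var/tmp/|/dev/shm/|/\.[A-Za-z0-9_-]+/|(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|base64 (-d|--decode)|php -r|perl -e|python[0-9.]* -c' \
        | sed "s/^/$user: /"
}

# audit_all_crontabs SPOOLDIR
# Apply audit_crontab to every per-user crontab in SPOOLDIR
# (/var/spool/cron on CentOS 7; /var/spool/cron/crontabs on Debian).
audit_all_crontabs() {
    spool=$1
    for f in "$spool"/*; do
        [ -f "$f" ] || continue
        audit_crontab "$f" "$(basename "$f")"
    done
    return 0
}

# recent_executables DAYS DIR...
# Executable regular files under DIR... modified within the last DAYS days.
# Directories every user can write to are the usual drop location for the
# binary that the cron entry keeps restarting.
recent_executables() {
    days=$1
    shift
    find "$@" -type f -perm -100 -mtime "-$days" 2>/dev/null
    return 0
}

# Usage (as root):
#   sh persistence-audit.sh --run
# or call the functions individually, e.g.
#   for f in /etc/cron.d/*; do audit_crontab "$f" cron.d; done
if [ "${1:-}" = "--run" ]; then
    audit_all_crontabs /var/spool/cron
    audit_crontab /etc/crontab root
    recent_executables 7 /tmp /var/tmp /dev/shm
fi
```

An entry that matches is not proof by itself; compare it with what the site owner actually scheduled. An entry nobody recognises that points at a dot-directory in /tmp or in the user's home is the piece to remove together with the files it runs, or the cleaned site will be reinfected at the next cron tick.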

Is this actively maintained somewhere? I followed the links and did a search. I found nothing newer. I guess if the software works it is just a matter of signatures, but…

From the CHANGELOG, which seems to bear out what I saw on GitHub:
v1.6.4 | Mar 18 2019:
