
WordPress site hacked – places to look

May 9th, 2015

I recently had to clean a WordPress installation that got hacked.

I was alerted to it because I was getting emails like this:

Subject: Cron  echo '' > /var/www/vhosts/domainname/httpdocs/.cache.php
Content-Type: text/plain; charset=ANSI_X3.4-1968

/bin/sh: cannot create /var/www/vhosts/domainname/httpdocs/.cache.php: Permission denied

Looking into the issue, I found files recently uploaded by the apache user in the wp-content/ folder (and subfolders). I removed them and verified/changed the permissions on the folders as needed (generally 755) to prevent further uploads. Once that was done, I was still getting those messages though, every 27 minutes.

This was because the command itself was a crontab job that was still running. I found it by doing the following:

# su www-data
# crontab -e

I could now see the cron jobs being run as the www-data user, and there it was. The “su www-data” command makes me that user (I was already root; you might need to add sudo) and crontab -e showed me that user's cron jobs.

Once I removed the line calling it, the messages stopped.
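A scripted version of the two checks above (PHP files recently written under the web root, and crontab entries under the web-server user that reference it), added here as an example and not part of the original post. The sample site, file names and crontab it builds under mktemp are constructed, and www-data is assumed as the web-server user.

```shell
# Added example, not code from the original post. Scripts the two checks the
# post does by hand: recently written PHP files under the web root, and
# crontab lines that touch that web root. All sample data is constructed.

# PHP files (dot-files such as .cache.php included) under DOCROOT modified in
# the last MINUTES minutes; an optional OWNER narrows it to files written by
# that account (e.g. www-data, assumed here as the web-server user).
recent_php_files() {
    docroot="$1"; minutes="$2"; owner="$3"
    if [ -n "$owner" ]; then
        find "$docroot" -type f -name '*.php' -mmin "-$minutes" -user "$owner" | sort
    else
        find "$docroot" -type f -name '*.php' -mmin "-$minutes" | sort
    fi
}

# Crontab text on stdin; prints the active (non-comment) entries that mention
# DOCROOT or any .php file. Empty output means nothing to review.
suspicious_cron_lines() {
    docroot="$1"
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | grep -E "$docroot|\.php"
}

# On a real host, run as root: lists USER's crontab without switching to it.
user_crontab() {
    crontab -u "$1" -l 2>/dev/null
}

# Constructed sample: a clean plugin file dated 2015, a freshly dropped
# .cache.php in uploads/, and a crontab with one rogue 27-minute entry.
setup_sample() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/httpdocs/wp-content/uploads"
    echo '<?php // legitimate plugin file' > "$tmp/httpdocs/wp-content/index.php"
    touch -t 201501010000 "$tmp/httpdocs/wp-content/index.php"
    echo '<?php // constructed dropper' > "$tmp/httpdocs/wp-content/uploads/.cache.php"
    printf '# m h dom mon dow command\n*/27 * * * * echo "" > %s/httpdocs/.cache.php\n0 3 * * * /usr/bin/certbot renew\n' \
        "$tmp" > "$tmp/crontab.txt"
    echo "$tmp"
}

# Stand-alone demo over the constructed sample.
sample=$(setup_sample)
echo "== PHP files written in the last hour =="
recent_php_files "$sample/httpdocs" 60
echo "== crontab entries touching the web root =="
suspicious_cron_lines "$sample/httpdocs" < "$sample/crontab.txt"
rm -rf "$sample"
```

On a real host, feed `user_crontab www-data` into `suspicious_cron_lines` and pass the web-server account as the third argument to `recent_php_files` to see only files that account wrote.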

This, along with hardening the install (I also installed a WordPress security add-on), should keep it safe.

If you found this helpful, feel free to donate to:
ZEC: t1NQp1UuqQbmnXzazbLTSreS2AbaZpRBuTM
LTC: LZyNF1qkBUA7XFz83m5xwzGgmmj1owQn9d