-1

I've faced a malware for my WordPress website which cause to send spam emails through my host.

After monitoring, I have noticed there are some strange files in my /tmp/ folder like this:

phpfxL6vs_3ckri2mkhyu6dqip6 & phpfxL6vs.c

which the file phpfxL6vs.c contains :

mine = stratum+tcp://xxxxxxxxxxxxxxxxxxxxxxxxxxx:x@xmr.crypto-pool.fr:3333/xmr

these files are created on even days ( like Oct 28, Oct 26, ... )

Up to now I can't find the source cronjob or script which causes this infection

hope someone could help me ....

Harkamal
  • 496
  • 3
  • 12
M.Zebeleh
  • 77
  • 8
  • This question isn't fit for SO. Although you could start looking at the plugins if you installed any nulled ones. – Stark Oct 31 '17 at 07:51

1 Answers1

0

A quick list which I usually do in these situations:

First: consider your system compromised. All of it. Trust nothing you see. If you don't find anything it doesn't mean it's not there, it might just be hiding.

Look at your access logs very hard. Most infections I've seen come via POST requests, but a GET with query parameters might be responsible as well. Also, since they might've installed a back door, look for any requests that directly call a .php file instead of /category/article-name/. Look for IPs sending unusually many requests, and requesting few/no images/css files.

This might give you an idea about where the breach began, and you can use that as a starting point to investigate further. Look at the file creation / modification times of those programs, and look at the access logs what happened around that time.

Change all passwords, WP user, ssh/sftp/ftp users, mysql etc pp. Look at every computer with ssh/ftp/WordPress admin access, you might be the source.

Update all Plugins, and WP Core if you didn't. And keep up with the updates.

Setup your wp-config.php to log all POST data, so you'll know exactly what is being sent if they use admin-ajax.php for example. That won't be a magic bullet, but it might give you something to start with.

Look at the error log. Intrusion attempts often create warnings or errors.

When you're confident you've found and fixed the issue, re-install your server and either start with a fresh install of WP in which you manually transfer your content, or restore from a backup that you are reasonably sure is clean (before anything happened). You can't really trust your backups at this point because you don't know when the initial infection happened, but it's not a perfect world and you have to get running again.

After fixing the issue and having a fresh and healthy site, don't stop monitoring POST data and suspicious requests in general for at least another month. It's unlikely that you are the specific target of somebody that will hold back a while to give you a sense of security, but you can't rule it out.

janh
  • 2,885
  • 2
  • 22
  • 21