

Trying to find a cause of some phishing/malware uploads




Posted by ZacUSNYR, 09-23-2015, 04:41 PM
This problem has followed my server (previously a CentOS 6 install, and now a new CentOS 7 server with new IPs). I have WHMCS and DirectAdmin installed. I'm running CSF and have set up some country code blocks for the most abusive foreign countries.

The problem I'm running into, the most recent one, is that I'm finding zip files which are extracted and contain a phishing site. 95% of the time it's a Google Drive phishing site. Google.zip is usually the zip file; the extracted folder is different for every batch. The log shows a valid login via FTP.

The sites affected are managed by a single user. I reset all the passwords and emailed him the new passwords; within the hour I had these files back, and my pure-ftpd.log file shows foreign IPs signing in. He's on a Mac and is doubtful he's the culprit. He is using an FTP client called Cyberduck. I disabled Pure-FTPd and suggested he switch to FileZilla with secure FTP.

I am at my wits' end trying to figure out if someone is exploiting my server or if this is a case of an end user with a compromised machine/email (he's using Yahoo mail). Anyone ever dealt with this? I already blew away a couple of old WordPress installs hoping they were the culprit. The new passwords I created are strict/random, no dictionary words: letters, numbers, symbols. Plus on brute force I'm blocking those IPs.

Posted by TheArmoAdmin, 09-23-2015, 04:50 PM
Hey ZacUSNYR, how sure are you that the file is being uploaded via FTP? I've typically seen stuff like this occur as an HTTP-injected file. Before deleting the file, take down its timestamp with ls -l. If it comes back with a recent date, compare it to your Apache access logs. Are these files being uploaded to the same place?
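The correlation step suggested above, written out as an added example (not code from anyone in this thread): take the suspicious file's mtime, then pull every Pure-FTPd session and Apache request that falls within a few minutes of it and list the client IPs involved. The log lines are constructed to resemble Pure-FTPd syslog output and the Apache combined log format; the exact layout on a given server, the server timezone and the log year are assumptions.

```python
#!/usr/bin/env python3
"""Correlate a suspicious file's modification time with FTP and HTTP logs.

Added example for this thread, not code from any poster.  Log line layouts,
server timezone and log year are assumptions; the sample lines are
constructed and are not real server logs.
"""
import os
import re
from datetime import datetime, timedelta, timezone

SERVER_TZ = timezone(timedelta(hours=-4))   # assumption: US Eastern daylight time
LOG_YEAR = 2015                             # syslog-style lines carry no year

# Constructed sample log lines (not real server logs).
FTP_LOG = """\
Sep 23 14:01:58 web1 pure-ftpd: (?@203.0.113.5) [INFO] New connection from 203.0.113.5
Sep 23 14:02:03 web1 pure-ftpd: (?@203.0.113.5) [INFO] siteuser is now logged in
Sep 23 14:02:30 web1 pure-ftpd: (siteuser@203.0.113.5) [NOTICE] /home/siteuser/./public_html/Google.zip uploaded  (412345 bytes, 512.30KB/sec)
Sep 23 09:15:10 web1 pure-ftpd: (?@198.51.100.7) [INFO] siteuser is now logged in
"""
HTTP_LOG = """\
203.0.113.5 - - [23/Sep/2015:14:02:41 -0400] "GET /Google/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.9 - - [23/Sep/2015:11:00:01 -0400] "POST /wp-content/uploads/seo64.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

# Stand-in for a file's mtime as read with ls -l (constructed to sit right after the upload above).
SAMPLE_MTIME = datetime(2015, 9, 23, 14, 2, 35, tzinfo=SERVER_TZ)

FTP_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\((?P<user>[^@]*)@(?P<ip>[^)]+)\) \[\w+\] (?P<msg>.*)$")
HTTP_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_ftp(line, year=LOG_YEAR, tz=SERVER_TZ):
    """Return (timestamp, ip, user, message) for a Pure-FTPd syslog line, else None."""
    m = FTP_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    return ts, m["ip"], m["user"], m["msg"]


def parse_http(line):
    """Return (timestamp, ip, request, status) for an Apache combined-log line, else None."""
    m = HTTP_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["ip"], m["req"], m["status"]


def file_mtime(path, tz=SERVER_TZ):
    """The file's modification time as an aware datetime (what ls -l shows)."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz)


def correlate(mtime, ftp_text=FTP_LOG, http_text=HTTP_LOG, window=timedelta(minutes=5)):
    """All FTP and HTTP events within +/- window of mtime, oldest first.

    Each hit is (kind, timestamp, client_ip, a, b) where a/b are user/message
    for FTP lines and request/status for HTTP lines.
    """
    hits = []
    for line in ftp_text.splitlines():
        p = parse_ftp(line)
        if p and abs(p[0] - mtime) <= window:
            hits.append(("ftp", p[0], p[1], p[2], p[3]))
    for line in http_text.splitlines():
        p = parse_http(line)
        if p and abs(p[0] - mtime) <= window:
            hits.append(("http", p[0], p[1], p[2], p[3]))
    return sorted(hits, key=lambda h: h[1])


def source_ips(hits):
    """Distinct client IPs seen in the correlated events (candidates for the CSF deny list)."""
    return sorted({h[2] for h in hits})


if __name__ == "__main__":
    # On a real server: when = file_mtime("/home/siteuser/public_html/Google.zip")
    when = SAMPLE_MTIME
    for kind, ts, ip, a, b in correlate(when):
        print(f"{ts:%H:%M:%S} {kind:4} {ip:15} {a} {b}")
    print("client IPs to check / block:", source_ips(correlate(when)))
```

Run it against the real pure-ftpd.log and the domain's access_log by reading those files into ftp_text and http_text. If the only events inside the window are FTP logins and an "uploaded" notice from the same IP, the upload really did come through FTP; if instead there is a POST to a PHP file from the same IP, the credentials are a red herring and the web shell is the entry point.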

Posted by ZacUSNYR, 09-23-2015, 06:51 PM
The only thing that makes me feel it's coming via FTP login is that it's logging to my pure-ftpd log file. It's across multiple users/folders as well. Most of these sites are flat sites, and a few folders have no PHP files at all. I'll check the Apache logs.

Posted by USHost247-ChrisGrigg, 09-23-2015, 10:36 PM
We also had this problem about 2 years ago, with random .zip files and such ending up on the server. We installed ConfigServer CXS and never had the problem again. I think it is $60 for a lifetime license now, but it is most definitely worth the money. It found the files on the first scan, and found the files that allowed them to be injected. These types of things can happen when users have a script that is outdated and has exploits in it.

Posted by TheArmoAdmin, 09-23-2015, 10:48 PM
To add on to what USHost247-ChrisGrigg just said: you could also install linux-maldet (free, btw) and enable upload scanning. I run both maldet and CXS on my servers, and between the two of them they're 99.9% effective.

Posted by DivinePrad, 09-24-2015, 02:47 AM
Also, there are probably some vulnerable shells left over under some websites, with the help of which they are uploading the files again. If you are sure it is via FTP, then you need to reset all FTP passwords and not share the passwords for a couple of days. You mentioned that the files are successfully uploaded even after resetting the password. Maybe someone's email is hacked, through which the new FTP details are obtained; otherwise they have admin privileges by which they can reset the password. Run a full scan on all files using maldet and also reset the admin/root password.

Posted by ZacUSNYR, 09-24-2015, 07:50 AM
Thanks guys, gives me some direction.

Posted by ZacUSNYR, 09-24-2015, 08:08 AM
Ran maldet; it found two files in two different folders called seo64.php that it tagged as gzbase64.inject.unclassed.15. I removed them and told the user he should make sure his local copy of the site does not have them. Hopefully this helps resolve this. Thanks again!
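For readers who want to see what a "gzbase64" injection looks like and check a tree for more of them, here is an added example (not code from anyone in this thread, and not maldet's own signature, whose rule for gzbase64.inject.unclassed.15 is not reproduced here). The recognisable shape of that family is eval(gzinflate(base64_decode('...'))): the PHP payload is raw-deflated, base64-encoded, and unpacked only when the file is requested, so a plain grep for system() or $_REQUEST finds nothing. The scanner below flags that shape plus two related ones, unpacks the blob so you can see what the file actually does, and walks a directory of .php files. The "infected" sample is constructed from a harmless payload string; the rule names and thresholds are this example's own.

```python
#!/usr/bin/env python3
"""Find PHP files packed the way gzbase64-style injections are.

Added example for this thread, not code from any poster and not maldet's
signature.  Rules and sample files are this example's own constructions.
"""
import base64
import os
import re
import zlib

RULES = {
    # eval(gzinflate(base64_decode('<blob>')))  - the gzbase64 family
    "gzbase64_eval": re.compile(
        r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]", re.I),
    # eval(base64_decode('<blob>'))  - same idea without the deflate layer
    "base64_eval": re.compile(
        r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]", re.I),
    # eval(<anything>($_POST/$_GET/$_REQUEST/$_COOKIE ...))  - remote code execution backdoor
    "eval_request": re.compile(
        r"eval\s*\(\s*(?:\w+\s*\(\s*)*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
}


def unpack_gzbase64(blob):
    """Reverse base64 + raw deflate (PHP's gzinflate); None if the blob is not that."""
    try:
        return zlib.decompress(base64.b64decode(blob), -15).decode("utf-8", "replace")
    except (ValueError, zlib.error):
        return None


def scan_source(text):
    """Return a list of {rule, offset, decoded} findings for one PHP source text."""
    findings = []
    for rule, rx in RULES.items():
        for m in rx.finditer(text):
            f = {"rule": rule, "offset": m.start(), "decoded": None}
            if rule == "gzbase64_eval":
                f["decoded"] = unpack_gzbase64(m.group(1))
            elif rule == "base64_eval":
                try:
                    f["decoded"] = base64.b64decode(m.group(1)).decode("utf-8", "replace")
                except ValueError:
                    pass
            findings.append(f)
    return findings


def scan_tree(root):
    """Map each .php/.phtml file under root that has findings to its findings."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith((".php", ".phtml")):
                p = os.path.join(dirpath, n)
                with open(p, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    out[p] = hits
    return out


def pack_gzbase64(php_payload):
    """Build a constructed sample in the same packing (raw deflate, then base64)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = c.compress(php_payload.encode()) + c.flush()
    return "<?php eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(raw).decode()


# Constructed, harmless stand-in for what a packed dropper might unpack to.
SAMPLE_PAYLOAD = "if (isset($_REQUEST['c'])) { system($_REQUEST['c']); }"
SAMPLE_INFECTED = pack_gzbase64(SAMPLE_PAYLOAD)
SAMPLE_CLEAN = "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>"

if __name__ == "__main__":
    for f in scan_source(SAMPLE_INFECTED):
        print(f["rule"], "at byte", f["offset"])
        print("  unpacks to:", f["decoded"])
    # On a server: for path, hits in scan_tree("/home").items(): print(path, hits)
```

Two things worth doing with the output: compare the mtime of every flagged file with the FTP and access logs before deleting it (the same check as for the zip files), and re-run the scanner on the decoded payload, since droppers are often packed more than one layer deep. Removing the file without finding out how it was written there is why the problem tends to come back.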

Posted by USHost247-ChrisGrigg, 09-29-2015, 12:34 AM
Glad you were able to find some of the files that may be causing the chaos. Keep us updated on your findings!


