How to discover which php file allows malicious file upload?

Discussion in 'Apache' started by postcd, Oct 10, 2014.

  1. #1
    Hello,
    I manage a Linux Apache web server with a few WordPress blogs, and from time to time I see someone inject a malicious .php file into the wp-content/uploads/2014/10/ directory.

    I think it's some bad plugin or theme, but there are several blogs; I upgrade and update WP, but

    Please advise me how I can set up some monitor to tell me which PHP file (or even which line in the PHP file) injected that malicious .php?
    I have Linux root access, so I can set up anything.
     
    postcd, Oct 10, 2014 IP
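One way to answer the question in the post, as an added example that is not part of the original thread: join auditd's record of who created a file under wp-content/uploads with the Apache access log, using the worker PID as the key. It assumes an audit watch on the uploads tree (`auditctl -w /var/www/html/wp-content/uploads -p w -k wp_uploads`), an Apache LogFormat that ends with the worker PID (`%P`), and PHP running in-process (mod_php with the prefork MPM) so that the PID in the audit record is the Apache worker that served the request. The log lines, the plugin path and the paths under /var/www/html are constructed for the example.

```python
"""Correlate auditd file-creation records with Apache access-log requests by worker PID.

Assumed setup (not from the thread):
    auditctl -w /var/www/html/wp-content/uploads -p w -k wp_uploads
    LogFormat "%h %l %u %t \"%r\" %>s %b %P" pidlog      # %P = PID of the serving worker
PHP must run inside Apache (mod_php, prefork); with php-fpm the creating PID belongs to
the FPM child and you would join against php-fpm's own access log instead.
"""
import re
from datetime import datetime

# Constructed sample records (not real data). One worker serving a POST to a plugin script
# creates sys.php; another stores a legitimate JPEG; a non-Apache process (cp) drops inc.php.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1412928000.123:501): arch=c000003e syscall=2 success=yes exit=14 ppid=2600 pid=2764 auid=4294967295 uid=33 gid=33 comm="apache2" exe="/usr/sbin/apache2" key="wp_uploads"
type=PATH msg=audit(1412928000.123:501): item=0 name="/var/www/html/wp-content/uploads/2014/10/" inode=262100 mode=040755 nametype=PARENT
type=PATH msg=audit(1412928000.123:501): item=1 name="/var/www/html/wp-content/uploads/2014/10/sys.php" inode=262198 mode=0100644 nametype=CREATE
type=SYSCALL msg=audit(1412928005.456:502): arch=c000003e syscall=2 success=yes exit=15 ppid=2600 pid=2770 auid=4294967295 uid=33 gid=33 comm="apache2" exe="/usr/sbin/apache2" key="wp_uploads"
type=PATH msg=audit(1412928005.456:502): item=1 name="/var/www/html/wp-content/uploads/2014/10/photo.jpg" inode=262199 mode=0100644 nametype=CREATE
type=SYSCALL msg=audit(1412928040.789:503): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=3100 auid=1000 uid=1000 gid=1000 comm="cp" exe="/bin/cp" key="wp_uploads"
type=PATH msg=audit(1412928040.789:503): item=1 name="/var/www/html/wp-content/uploads/2014/10/inc.php" inode=262200 mode=0100644 nametype=CREATE
"""

ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2014:07:59:30 +0000] "GET /index.php HTTP/1.1" 200 7000 2764
203.0.113.5 - - [10/Oct/2014:08:00:00 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 512 2764
198.51.100.7 - - [10/Oct/2014:08:00:05 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 1034 2770
"""

AUDIT_HEAD = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):')
ACCESS_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
                         r'(?P<status>\d{3}) \S+ (?P<pid>\d+)$')


def parse_audit(text):
    """Group audit records by serial; keep events that have a PID and a CREATEd path."""
    events = {}
    for line in text.splitlines():
        m = AUDIT_HEAD.match(line)
        if not m:
            continue
        ev = events.setdefault(m['serial'], {'ts': float(m['ts']), 'pid': None, 'path': None})
        if m['type'] == 'SYSCALL':
            pm = re.search(r'\bpid=(\d+)', line)          # \b keeps us off "ppid="
            if pm:
                ev['pid'] = int(pm.group(1))
        elif m['type'] == 'PATH' and 'nametype=CREATE' in line:
            nm = re.search(r'\bname="([^"]*)"', line)
            if nm:
                ev['path'] = nm.group(1)
    return [e for e in events.values() if e['pid'] is not None and e['path']]


def parse_access(text):
    """Parse access-log lines written with the %P-suffixed LogFormat above."""
    out = []
    for line in text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['time'], '%d/%b/%Y:%H:%M:%S %z').timestamp()
        out.append({'ts': ts, 'pid': int(m['pid']), 'request': m['request'], 'ip': m['ip']})
    return out


def correlate(audit_text, access_text, window=60.0, suffixes=('.php', '.phtml', '.phar')):
    """For every created file with a PHP-like suffix, pick the most recent request served by
    the same worker PID that started within `window` seconds before the creation.
    request/ip are None when no request matches (file written outside Apache)."""
    requests = parse_access(access_text)
    hits = []
    for ev in parse_audit(audit_text):
        if not ev['path'].lower().endswith(suffixes):
            continue
        cands = [r for r in requests
                 if r['pid'] == ev['pid'] and 0 <= ev['ts'] - r['ts'] <= window]
        best = max(cands, key=lambda r: r['ts']) if cands else None
        hits.append({'path': ev['path'], 'pid': ev['pid'],
                     'request': best['request'] if best else None,
                     'ip': best['ip'] if best else None})
    return hits


if __name__ == '__main__':
    for h in correlate(AUDIT_LOG, ACCESS_LOG):
        who = f"{h['ip']} via {h['request']}" if h['request'] else 'no matching request (not written by Apache)'
        print(f"{h['path']}  pid={h['pid']}  <-  {who}")
```

The request line names the PHP entry point the attacker hit (here the constructed plugin upload script), which is usually enough to find the vulnerable code; a creation with no matching request points at a non-web path (FTP, cron, a shell session), which needs a different investigation.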
  2. pavv
    #2
    You should use mod_security with some good rules.
     
    pavv, Oct 10, 2014 IP
  3. billzo
    #3
    Hackers like to stick in back doors so they can regain access to an account if the main exploit code is found. You may have more than one place where hackers are getting in. In such a situation, it is best to change all of your account passwords, back up your files (and database) and install all files fresh using files you know for certain are not compromised. You don't have to reinstall your database, but you should check the posts table and look for any encoded/obfuscated data, iframes, and malicious javascript.

    Also, are you using any plugins? Insecure plugins are often used as attack vectors.

    I don't know what logs are available to monitor activity to see who is doing what. If they have access to your account, they could delete any log file entries anyway.

    http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/Wordpress-Wordpress.html
     
    billzo, Oct 11, 2014 IP
  4. postcd
    #4
    Thanks for the tips. The hacker injected a new malicious file into the WordPress root directory while I had set this directory's permissions to 555 (no write bit, 7) and set a random hosting account password from within the server control panel over an HTTPS connection. Then, when the file was injected, I see the WordPress root folder permissions are back to 755, which is strange..
    When looking at the PHP info page, I found no "chmod" occurrence.
     
    postcd, Apr 17, 2015 IP
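The permission change described in the last post is exactly what a baseline integrity check catches. The following is an added example, not code from the thread: it records the mode and SHA-256 of every directory and file under a WordPress root, then reports new PHP files under wp-content/uploads and any mode or content change (such as the root going from 555 back to 755). The `demo()` function builds a constructed, throwaway tree in a temporary directory to replay that scenario; the `snapshot`/`compare` command-line usage and the layout under wp-content/uploads are assumptions about a standard WordPress install.

```python
"""Baseline mode/hash monitor for a WordPress tree (added example, not from the thread).

Usage:  python3 wp_baseline.py snapshot /var/www/html > baseline.json
        python3 wp_baseline.py compare baseline.json /var/www/html
Running it with no arguments replays a constructed demo scenario in a temp directory.
"""
import hashlib
import json
import os
import shutil
import stat
import sys
import tempfile

PHP_SUFFIXES = ('.php', '.phtml', '.phar', '.php5')
UPLOADS_DIR = 'wp-content/uploads'        # assumed standard WordPress layout


def _sha256(path):
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_path: [mode, digest]}; digest is None for anything but regular files."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        rel_dir = os.path.normpath(os.path.relpath(dirpath, root))
        snap[rel_dir] = [format(stat.S_IMODE(os.lstat(dirpath).st_mode), '04o'), None]
        for fn in sorted(filenames):
            full = os.path.join(dirpath, fn)
            st = os.lstat(full)
            digest = _sha256(full) if stat.S_ISREG(st.st_mode) else None
            snap[os.path.normpath(os.path.join(rel_dir, fn))] = [
                format(stat.S_IMODE(st.st_mode), '04o'), digest]
    return snap


def compare(before, after):
    """Return sorted (kind, path, detail) tuples describing what changed since the baseline."""
    findings = []
    for path, (mode, digest) in after.items():
        if path not in before:
            is_php_upload = path.startswith(UPLOADS_DIR) and path.lower().endswith(PHP_SUFFIXES)
            findings.append(('new_php_in_uploads' if is_php_upload else 'added', path, mode))
            continue
        old_mode, old_digest = before[path]
        if old_mode != mode:
            findings.append(('mode_changed', path, f'{old_mode} -> {mode}'))
        if old_digest != digest:
            findings.append(('content_changed', path, digest))
    findings.extend(('removed', path, None) for path in before if path not in after)
    return sorted(findings)


def demo():
    """Constructed scenario mirroring the post: root set to 555, then a .php appears in
    uploads and the root is back at 755. Returns the compare() findings."""
    root = tempfile.mkdtemp(prefix='wp-demo-')
    os.makedirs(os.path.join(root, UPLOADS_DIR, '2014', '10'))
    with open(os.path.join(root, 'index.php'), 'w') as f:
        f.write('<?php /* placeholder */ ?>\n')
    os.chmod(root, 0o555)
    before = snapshot(root)
    os.chmod(root, 0o755)                       # the reversion the post noticed
    with open(os.path.join(root, UPLOADS_DIR, '2014', '10', 'sys.php'), 'w') as f:
        f.write('<?php /* constructed stand-in for a dropped file, does nothing */ ?>\n')
    findings = compare(before, snapshot(root))
    shutil.rmtree(root)
    return findings


if __name__ == '__main__':
    if len(sys.argv) == 3 and sys.argv[1] == 'snapshot':
        json.dump(snapshot(sys.argv[2]), sys.stdout, indent=1)
    elif len(sys.argv) == 4 and sys.argv[1] == 'compare':
        with open(sys.argv[2]) as f:
            baseline = json.load(f)
        for finding in compare(baseline, snapshot(sys.argv[3])):
            print(*finding)
    else:
        for finding in demo():
            print(*finding)
```

Run the compare step from cron and keep the baseline file outside the web root and unwritable by the web server user; a baseline the attacker can rewrite is no baseline.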