Trying To Figure Out a Hacked Server: Chapter Two, What I Have Learned So Far

So this is chapter two of trying to fix a hacked server. My primary website has an issue with re-directing folks to various sites that I have no association with. Occasionally it will pop up with a website that states that “Your Computer Has a Virus, call the number on the screen”. Of course that site is complete bullshit and needs to be totally ignored.

This morning I killed the port forwarding to that server completely so I can study it without it being re-infected. So here is what I do know.

  • The redirect will happen once or twice and then for several hours the site will work fine for me, so it is obviously putting some sort of cookie onto my machine or caching my IP address.
  • This doesn’t just affect my WordPress sites, even my Revive adserver is affected, so it may be located in Apache somewhere.
  • I have found an infection in one of my demo sites inside the Twenty Fourteen Theme, so I replaced that theme on all my sites.
  • I also found that the Jetpack Plugin was being infected so I over-wrote and replaced all the files in it on all the sites.
  • However, it appears that if any one of the affected sites gets a hit before I can clean all of them, the infection jumps from one site to the next.
  • I am also seeing the following line in my Apache error log pointing to a site that isn’t even active: “script ‘/var/www/freewp/yfwp2/wp-content/themes/twentyfourteen/hostdata4.php’ not found or unable to stat”. That file is not part of the theme at all, so I suspect that is a hacker at work.
  • In the same folder as above, when I took a peek into the wp-content folder I saw a boatload of items that simply did not belong in the root folder for content, so I wiped that entire WP install and uploaded a fresh copy.
  • I am leaning towards the conclusion that the issue may be in Linux itself and I have already checked it for rootkits but I will do a few other scans today.
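
Added example (not code from Tim’s post): a small POSIX shell audit that turns the “replace the theme and plugin files” step into something you can check rather than guess at. It builds a SHA-256 manifest from a clean copy of a theme or plugin (a fresh download, which is an assumption here) and then reports files in the deployed copy that are extra, missing or modified, so a stray file like the hostdata4.php from the Apache log shows up as EXTRA instead of hiding among hundreds of legitimate files. It assumes sha256sum, find, comm and mktemp are available (GNU coreutils/findutils); the function and path names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumes GNU coreutils/findutils: sha256sum, find, comm, sort, sed, mktemp.

# wp_manifest <clean_dir>
# Prints "<sha256>  <relative path>" for every file under a clean copy of a
# theme or plugin, in the format sha256sum itself emits, sorted by path.
wp_manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sed 's|  \./|  |' | sort -k2)
}

# wp_audit <deployed_dir> <manifest_file>
# Compares the deployed tree against the manifest and prints one finding per
# line: "EXTRA", "MISSING" or "MODIFIED" followed by the relative path.
# Returns 0 when the tree matches the manifest exactly, 1 otherwise.
wp_audit() {
    dir=$1
    manifest=$2
    tmp=$(mktemp -d)

    # Relative paths present on disk, and relative paths the clean copy has.
    find "$dir" -type f | sed "s|^$dir/||" | sort > "$tmp/deployed"
    cut -c67- "$manifest" | sort > "$tmp/expected"   # hash (64) + 2 spaces = 66 chars

    {
        # On disk but not in the clean manifest: dropped files live here.
        comm -23 "$tmp/deployed" "$tmp/expected" | sed 's/^/EXTRA    /'
        # In the clean manifest but gone from disk: deleted or renamed files.
        comm -13 "$tmp/deployed" "$tmp/expected" | sed 's/^/MISSING  /'
        # Present in both: re-hash and flag any content change.
        while read -r hash path; do
            [ -f "$dir/$path" ] || continue
            actual=$(sha256sum "$dir/$path" | cut -c1-64)
            [ "$actual" = "$hash" ] || echo "MODIFIED $path"
        done < "$manifest"
    } > "$tmp/findings"

    cat "$tmp/findings"
    count=$(wc -l < "$tmp/findings" | tr -d ' ')
    rm -rf "$tmp"
    [ "$count" -eq 0 ]
}

# Typical use (hypothetical paths):
#   wp_manifest /tmp/twentyfourteen-clean > /tmp/twentyfourteen.sha256
#   wp_audit /var/www/freewp/yfwp2/wp-content/themes/twentyfourteen /tmp/twentyfourteen.sha256
```

Run the manifest step against a known-good download, never against the suspect server, and keep the manifest off the web root; a non-zero exit from wp_audit is a cheap signal to wire into a nightly cron job so a re-infection is noticed before the redirects are.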

That is all I have for right now. Perhaps if someone has a clue they could leave a comment and point me in the right direction? (Make sure to hit the reCAPTCHA button before submitting and do not leave any URL in the comment.)

Update 10-10-17: So far during testing tonight I have not gotten the URL redirect on this site. I have no clue if it is fixed, but my guess is no.

Tim

--------------------------------------------------------------------------------------
This site currently runs on either a Chuwi HiBook tablet or occasionally my Chuwi Hi12 tablet. Check the About page for details. Registration without participation will result in termination.
