
Issue: Files deleted from site

Dimitra

New Pleskian
Server operating system version: AlmaLinux 8.8 (Sapphire Caracal)
Plesk version and microupdate number: Obsidian - Version 18.0.52
Hello,
We are facing a strange issue with a wordpress website.
Three weeks ago, we updated the theme and some wordpress plugins. About a week after that, the wp-content/themes folder completely disappeared and as a result the site's styling broke. We managed to fix it by recovering the themes folder from an older backup.
We have been looking for the reason why this happened as we are afraid it might happen again.

One assumption we have is that the themes folder had multiple copies of a subfolder with slightly different names, e.g. main-theme, !main-theme, #main-theme etc. It was left like this from a test we ran. So, maybe the Mod Security of the ImunifyAV found the subfolders strange and deleted the whole themes folder. I don't know if that is possible or reasonable though.

We have scanned the site with ImunifyAV and it is clean.

We are the only ones with access to Plesk and the files are nowhere to be found, not even in the trash folder.

We have checked the ImunifyAV settings and it is not configured to delete files. Also, the Imunify360 is not active, it asks for a paid license. Mod Security has no right to delete files.

Does anyone have any idea as to what may be happening? We have been stuck and don't know how to proceed to solve this problem.

Thank you in advance.
 
So, maybe the Mod Security of the ImunifyAV found the subfolders strange and deleted the whole themes folder. I don't know if that is possible or reasonable though.
No, they don't delete files or folders. The paid ImunifyAV 360 extension could move files into quarantine, but normally this requires user interaction. ModSecurity does not touch files at all.
Does anyone have any idea as to what may be happening? We have been stuck and don't know how to proceed to solve this problem.
A user has deleted the directory or a function in a script/plugin/theme has done it. Maybe an automatic update failed? Maybe that removed the former theme version but then failed to install the latest? You could try to enable "Debug" mode in Wordpress and then wait until the next time this happens. Maybe logging will reveal more details then.
 
Hi Peter,
Thank you for your quick reply.
There are no plugins in auto-update and the update happened many days before the problem. Is there a possibility this is some sort of hacking and Imunify is unable to find it?
I'd prefer to avoid enabling Debug as this is a production site.
 
Everything is possible, but normally hackers try to abuse sites for phishing or sending spam. At least on production servers I know I have only seen two defacement hacks during the past ten years. Normally hacks are done for a reason, they don't just delete some directory for no reason as that would also make you aware that something is wrong, which hackers don't want you to see.
 
One more question. If a plugin/theme has deleted the files, would they be in the .trash folder?
Oh and something else we just found out. Inside the httpdocs of the site, there is a file time.php with just a date print:

PHP:
<?php
// Prints the current date and time, e.g. 13/09/2023 == 17:09:24
$current_date = date('d/m/Y == H:i:s');
echo $current_date;

I see it was last modified the day the problems started. Could it be something suspicious?
 
One more question. If a plugin/theme has deleted the files, would they be in the .trash folder?
If the files were deleted through the Plesk File Manager, then yes. If files got deleted via a script or command line then no.

Oh and something else we just found out. Inside the httpdocs of the site, there is a file time.php with just a date print:

PHP:
<?php
// Prints the current date and time, e.g. 13/09/2023 == 17:09:24
$current_date = date('d/m/Y == H:i:s');
echo $current_date;

I see it was last modified the day the problems started. Could it be something suspicious?
The PHP code in itself doesn't look suspicious. It might be a bit suspicious that the file has been modified at the same time that all your other files got deleted. But at the same time it doesn't prove anything.
 
So, after digging deeper into the logs, we found out the following.
1. There are some mod security rules triggered, but the plugins/themes they are referring to don't exist in our installation. The triggers are:

  • [1157760] [T0] [ModSecurity] failed to parse a modsec variable. while parsing: IM360 WAF: Possible Authenticated Privilege Escalation and Post deletion in Jupiter Theme <= 6.10.1 and JupiterX Core Plugin <= 2.0.7 for WordPress (CVE-2022-1654)||T:LITESPEED||MV:%{ARGS}||
  • [1157760] [T0] [ModSecurity] failed to parse a modsec variable. while parsing: IM360 WAF: WordPress WP Private Content Plus plugin - unauthenticated options change (CVE-2019-15816)||T:LITESPEED||REMOTE_ADDR=%{REMOTE_ADDR}||page=%{ARGS.page}||class method=save_%{ARGS.wppcp_tab}
  • [1157760] [T0] [ModSecurity] failed to parse a modsec variable. while parsing: IM360 WAF: WordPress Merge + Minify + Refresh < 1.10.7 Authenticated Arbitrary File Delete||T:LITESPEED||F:%{ARGS.purge}||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||

We also noticed the server restarted on its own. The logs write:
[153487] [T0] [153487] Server Restart Request via Signal...
[153487] [T0] Forked [1157694] for graceful restart.
[1157760] [T0] Apache configuration file has changed, restart gracefully to apply the change...

The above pattern occurred on 7/8, 15/8, 18/8, 25/8 and 26/8 - these are the days the site stopped working.
 
Hello again,
The problem occurred again after a few days, deleting different files than before.

The error log writes:
  • 2023-09-13 17:09:24.449414 [NOTICE] [2651111] [T4] [185.220.101.10:15646:HTTP2-1#APVH_domain.com:443:MODSEC] mod_security rule [id "77350212"] at [/etc/httpd/conf/modsecurity.d/rules/custom/007_i360_4_wordpress.conf:2721] triggered!
  • [Wed Sep 13 17:09:24.447126 2023] [error] [client 185.220.101.10] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_FILENAME' '\/[\.#]?wp-config[\.-][\w\._-]*(?:[#~]|(?:inc|txt|tar|xml|zip|bak|old|orig(?:inal)?|save|\d|sw(?|o)))$'] [id "77350212"] [msg "IM360 WAF: Information Disclosure Attempt in WordPress||MV:/wp-config.inc||T:LITESPEED||REQUEST_URI:/wp-config.inc||"] [severity "CRITICAL"] [tag "wp_core"] [hostname "domain.com"] [uri "/wp-config.inc"]
  • 2023-09-13 17:09:24.449440 [NOTICE] [2651111] [T4] [185.220.101.10:15646:HTTP2-1#APVH_domain.com:443] Content len: 0, Request line: 'GET /wp-config.inc HTTP/1.1'
  • 2023-09-13 17:09:24.449445 [INFO] [2651111] [T4] [185.220.101.10:15646:HTTP2-1#APVH_domain.com:443] Cookie len: 139, mailchimp_landing_site=https%3A%2F%2Fdomain.com
  • 2023-09-13 17:09:24.449448 [NOTICE] [2651111] [T4] [185.220.101.10:15646:HTTP2-1#APVH_domain.com:443] Redirect: #1, URL: /index.php

We looked up the IP 185.220.101.10 and it seems to belong to a company in Germany. We found two more sets of the above errors from different IPs, all belonging to the same company.
So, these errors appear three times within 10 seconds, each time hitting a different wp-config, and then the Fatal errors about missing files occur.
We suppose it is some attack that managed to succeed and somehow got access to our file system.

What is more, we noticed there are a lot of root folders with 777 permissions.
These folders are: boot, lib, lost+found, mnt, opt, share, tmp (it has 1777), usr, vendor (this seems to be a magento folder, maybe it was created there by accident).
All these folders' contents are also 777.

Isn't this strange? Should all these folders be 777?
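One way to read the error-log lines quoted above from the defender's side is to parse them and count how many WAF denials one client produced within a short window, which is the "three times within 10 seconds" pattern the post describes. This is an added example, not code from the thread or from Imunify360; the sample lines are constructed in the same Apache error-log format (the rule id, hostname placeholder and first client IP come from the post, the other hits are made up).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the error-log shape quoted in the thread. The rule id,
# the hostname placeholder and the first client IP are taken from the post; the
# second, third and fourth lines are made up to show one client hitting the
# same rule three times within a few seconds and another client hitting once.
SAMPLE_LOG = """\
[Wed Sep 13 17:09:24.447126 2023] [error] [client 185.220.101.10] ModSecurity: Access denied with code 403, [id "77350212"] [msg "IM360 WAF: Information Disclosure Attempt in WordPress||MV:/wp-config.inc||"] [severity "CRITICAL"] [tag "wp_core"] [hostname "domain.com"] [uri "/wp-config.inc"]
[Wed Sep 13 17:09:27.100000 2023] [error] [client 185.220.101.10] ModSecurity: Access denied with code 403, [id "77350212"] [msg "IM360 WAF: Information Disclosure Attempt in WordPress||MV:/wp-config.bak||"] [severity "CRITICAL"] [tag "wp_core"] [hostname "domain.com"] [uri "/wp-config.bak"]
[Wed Sep 13 17:09:31.500000 2023] [error] [client 185.220.101.10] ModSecurity: Access denied with code 403, [id "77350212"] [msg "IM360 WAF: Information Disclosure Attempt in WordPress||MV:/wp-config.old||"] [severity "CRITICAL"] [tag "wp_core"] [hostname "domain.com"] [uri "/wp-config.old"]
[Wed Sep 13 18:02:05.000000 2023] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403, [id "77350212"] [msg "IM360 WAF: Information Disclosure Attempt in WordPress||MV:/wp-config.txt||"] [severity "CRITICAL"] [tag "wp_core"] [hostname "domain.com"] [uri "/wp-config.txt"]
"""

# Fields we care about: timestamp, client, HTTP status, rule id and requested URI.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] ModSecurity: '
    r'Access denied with code (?P<code>\d+),.*?\[id "(?P<rule>\d+)"\].*?\[uri "(?P<uri>[^"]*)"\]'
)

def parse_line(line):
    """Return (timestamp, ip, rule id, uri, status) for a ModSecurity deny line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
    return ts, m["ip"], m["rule"], m["uri"], int(m["code"])

def denials_by_client(log_text):
    """Group denied requests per client IP, keeping rule ids and URIs that were hit."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            out[ev[1]].append(ev)
    return dict(out)

def bursts(log_text, min_hits=3, window_s=10):
    """Clients that tripped the WAF at least min_hits times within window_s seconds.
    Returns (ip, hits, seconds spanned) for the first such run per client."""
    found = []
    for ip, events in denials_by_client(log_text).items():
        times = sorted(e[0] for e in events)
        for i in range(len(times) - min_hits + 1):
            span = (times[i + min_hits - 1] - times[i]).total_seconds()
            if span <= window_s:
                found.append((ip, min_hits, span))
                break
    return found
```

Note that a burst of blocked probes is exactly that: every request in these lines got a 403, so on their own they show scanning, not a successful write to the file system.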
 
boot: 0555
lib: 0777
lost+found: 0700
mnt: 0755
opt: 0755
share: arbitrary
tmp: 1777
usr: 0755
vendor: arbitrary

ModSecurity violations: Nothing special, just very common. Sure it can be an attack attempt, but these happen in the hundreds on websites daily. The IP address is a TOR exit node, so some anonymous surfer is addressing your website. But again: Just some very usual behavior seen everyday everywhere.
 
Hi Peter, thank you for your quick reply.
Is there a page we can find the correct permissions for the subfolders and files too? Because it's also all the subfolders and files that have 777 permissions.
Thanks.
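The expected modes listed in the reply above, turned into a check that also walks the subfolders the follow-up question asks about. This is an added example, not a Plesk or AlmaLinux tool; it takes the top-level values from the reply as given ("share" and "vendor" are called arbitrary there, so they are skipped) and flags anything below them that is world-writable without the sticky bit.

```python
import os
import stat

# Expected modes of the top-level directories, copied from the reply above.
# "share" and "vendor" are described as arbitrary there and are not checked.
EXPECTED_ROOT_MODES = {
    "boot": 0o555, "lib": 0o777, "lost+found": 0o700, "mnt": 0o755,
    "opt": 0o755, "tmp": 0o1777, "usr": 0o755,
}

def perm_bits(mode):
    """Keep only the permission bits (rwx plus setuid/setgid/sticky)."""
    return stat.S_IMODE(mode)

def scan(root, max_depth=1, _depth=0):
    """Return [(path, mode)] for entries up to max_depth levels below root.
    lstat semantics: a symlink reports its own 0o777, as ls -l shows it."""
    found = []
    try:
        entries = list(os.scandir(root))
    except (PermissionError, FileNotFoundError):
        return found
    for e in entries:
        mode = perm_bits(e.stat(follow_symlinks=False).st_mode)
        found.append((e.path, mode))
        if e.is_dir(follow_symlinks=False) and _depth < max_depth:
            found.extend(scan(e.path, max_depth, _depth + 1))
    return found

def deviations(observed, expected=EXPECTED_ROOT_MODES):
    """observed: {name: mode} of the top-level dirs. Return (name, got, want) where they differ."""
    return [(n, observed[n], m) for n, m in expected.items()
            if n in observed and observed[n] != m]

def world_writable(entries):
    """Entries writable by everyone and lacking the sticky bit: the '777 everywhere'
    state described in the thread, minus legitimately 1777 directories like tmp."""
    return [p for p, m in entries if m & stat.S_IWOTH and not m & stat.S_ISVTX]

def audit_root(root="/", max_depth=1):
    """Run both checks against a live filesystem and return their findings."""
    top = {os.path.basename(p): m for p, m in scan(root, 0)}
    return deviations(top), world_writable(scan(root, max_depth))
```

Run `audit_root()` as root on the affected server to get the list of top-level directories that differ from the reply's table and every world-writable path below them; fix the listed paths rather than recursively resetting everything, since subfolder modes depend on what each package installed.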
 