
Issue: hacked WordPress got root:root files in his account. Is it cleanable?

orenk

Basic Pleskian
A customer of mine just used a hacked plugin and got his website hacked... His problem...
But.
In his storage, I found very disturbing things... Many files with root:root access... and not normal PHP files.
Take a look at the pictures.

Any suggestions?
I think the server is totally hacked.
Unless you think this is normal for a user to have such access (bash with root access).


 
SSH to the server, and then I type
# su <hacked username>
and then
# groups
I get 'root' in the group list... it means the user somehow got root permissions... or something...

Anyway, I think a WordPress instance should not have the ability to create links to those files (assuming those are links); it probably runs shell scripts through PHP.
Server image restored from backup, but this case I caught right away... what about other cases that we don't have control over?
I can make a script that runs every few minutes to check all users' permissions and groups, but maybe the PLESK Security Team should worry about that too...
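An added example of the periodic check described above (not code from the thread or from Plesk): it reports symlinks inside a vhost that resolve outside it, files owned by root or carrying the setuid bit, and members of privileged groups. The vhost path and the group file path are assumptions passed in as arguments.

```shell
#!/bin/sh
# Audit one vhost directory ($1) for signs of the problem described in the thread.
# Prints one line per finding; an empty output means nothing suspicious was found.
audit_vhost() {
    base=$(cd "$1" && pwd -P) || return 2

    # 1. Symlinks whose resolved target lies outside the vhost (e.g. to system binaries
    #    or libraries); a dangling link is reported too since it also escapes.
    find "$base" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || target='(dangling)'
        case "$target" in
            "$base"/*) ;;
            *) printf 'ESCAPING_SYMLINK %s -> %s\n' "$link" "$target" ;;
        esac
    done

    # 2. Regular files or directories owned by root, in group root, or setuid.
    find "$base" ! -type l \( -user root -o -group root -o -perm -4000 \) -print \
        | sed 's/^/ROOT_OR_SETUID /'
}

# List members of the privileged groups root, wheel and sudo from a group(5)
# file ($1, defaults to /etc/group); normally only administrators belong here.
privileged_members() {
    awk -F: '($1=="root" || $1=="wheel" || $1=="sudo") && $4!="" { print $1": "$4 }' \
        "${1:-/etc/group}"
}

# Usage from cron, e.g. every 10 minutes (path is an assumed Plesk vhost layout):
#   for v in /var/www/vhosts/*/httpdocs; do audit_vhost "$v"; done; privileged_members
```

Findings can be piped to mail or a log shipper; the script only reads, it never modifies the vhost.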
 
# groups <domain ftp user>
I don't get 'root' on any user from my server.

Can you check without su?
# groups <hacked username>
 
Thanks for the idea...
The hacked account didn't get into root or any suspicious groups; its group list is normal, like any other account.
Somehow it linked some system libraries into the account's folder, without any SSH access or access to the PLESK panel, only through WordPress. That is still annoying.
 
For the future, I suggest adding this line to the "additional configuration directives" of PHP:
Code:
disable_functions=exec,passthru,shell_exec,system,popen,show_source,pcntl_exec,proc_open,proc_terminate,proc_close,pfsockopen
Otherwise PHP is able to execute system commands, even if SSH permission is not granted. It is possible to hijack the whole server through a PHP script when the script gains access to system-level commands.
 
For the future, I suggest adding this line to the "additional configuration directives" of PHP:
Code:
disable_functions=exec,passthru,shell_exec,system,popen,show_source,pcntl_exec,proc_open,proc_terminate,proc_close,pfsockopen
Otherwise PHP is able to execute system commands, even if SSH permission is not granted. It is possible to hijack the whole server through a PHP script when the script gains access to system-level commands.
I absolutely agree with this; it's always the first thing that we do.
 
For the future, I suggest adding this line to the "additional configuration directives" of PHP:
Code:
disable_functions=exec,passthru,shell_exec,system,popen,show_source,pcntl_exec,proc_open,proc_terminate,proc_close,pfsockopen
Otherwise PHP is able to execute system commands, even if SSH permission is not granted. It is possible to hijack the whole server through a PHP script when the script gains access to system-level commands.
Maybe this should be added as a default, at installation time.

Do you have any more tips/guides to secure Plesk servers?
 
Do you have any more tips/guides to secure Plesk servers?
Something many people don't do, but which is absolutely essential, is to remove the execution permission from your server-wide /tmp path or partition. For example, when /tmp is a separate partition, edit /etc/fstab and change
Code:
/dev/sda3 /tmp ext4 defaults 0 0
to
Code:
/dev/sda3 /tmp ext4 defaults,nodev,nosuid,noexec 0 0
where "/dev/sda3" is just one possible location (an example) of the /tmp partition. It might be a different device on your system. Edit the correct entry using the device name that applies to your system.
 