Background
cPanel has this lovely feature where you can use one site and then create many more sites below public_html.
This is all fine and dandy until one of those sites gets compromised and the entire directory structure, and each and every site, is suddenly infested.
Description
- cPanel
- Multiple domains
- WordPress installed on at least 4 working domains and at least 3 non-working domains
- WP Bakery 6.7
- Revolution Slider older version
In retrospect, our analysis showed that either WP Bakery or Revolution Slider being out of date could have been the cause, but as it is with these things, it's almost impossible to tell.
Here's the catch: none of the websites had protection such as WordFence or Sucuri. We used WP Toolkit to install both on all the sites and had to license it quickly.
The situation was pretty bad. Even after removing a few files manually, we ended up with these file counts:
- Site 1 = 70
- Site 2 = 58
- Site 3 = 66
- Site 4 = 73
The problem in this situation is that any of those 70 files could be a back door.
Here are other hallmarks of the attacker.
They managed to traverse the directories and set some key locations to 555. A big clue a week before the attack was that the user's email disk space quota was apparently depleted, but it was actually a permissions issue (caused by the attacker).
The attacker also managed to overwrite files quickly. As we deleted .htaccess files (hundreds of them), we noticed that some key files quickly came back, including index.php files.
Files:
The attacker leaves these 0 byte files behind to test their access:
- admin.php
- license.txt
- paypal.gif
By observing the dates on the files you can see if there is still an active attack.
The Breakthrough
The most important job is to see if there is an active attack, and the most important command follows:
ps aux | grep php | grep username
The output that needs your attention is:
/opt/cpanel/ea-php83/root/usr/bin/php-cgi /home/username/public_html/sitename/wp-includes/3bcbcac
/opt/cpanel/ea-php83/root/usr/bin/php-cgi /home/username/public_html/sitename/wp-includes/a26f39
There will be many more. We only found these paths because we noticed that error_log files were currently being written; as usual with a bad actor, there were many errors about chmod.
Tools to use
Midnight Commander can sort in reverse direction (unsorted or by modification time), which brings the most recently written files to the top.
Stop the attacker temporarily, until you sort out the back-door files (e.g. .htaccess and index.php in each site):
pkill -u username php
Block their access using root.
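A small set of triage helpers for the checks described in this post (an added example, not the author's own commands): one picks out php-cgi processes for a given account that are running non-.php scripts under wp-includes, one lists the zero-byte probe files, and one lists .htaccess and index.php files rewritten in the last N minutes, so you can tell after the pkill whether files are still coming back. The process list and docroot are constructed samples, and the account name "username" is assumed.

```shell
#!/bin/sh
# Triage helpers for the symptoms described above (added example, not the
# post's own commands). Assumed cPanel account name: "username".

# Constructed "ps aux" sample standing in for the live process list.
SAMPLE_PS='root        123  0.0  0.1  12345   678 ?  Ss  10:00  0:00 /usr/sbin/sshd
username   2291  0.3  0.5  51234  5120 ?  S   10:01  0:02 /opt/cpanel/ea-php83/root/usr/bin/php-cgi /home/username/public_html/sitename/wp-includes/3bcbcac
username   2295  0.2  0.5  51234  5120 ?  S   10:01  0:01 /opt/cpanel/ea-php83/root/usr/bin/php-cgi /home/username/public_html/sitename/wp-includes/a26f39
username   2300  0.0  0.4  48000  4000 ?  S   10:02  0:00 /opt/cpanel/ea-php83/root/usr/bin/php-cgi /home/username/public_html/sitename/index.php
otheruser  2310  0.1  0.5  51234  5120 ?  S   10:03  0:00 /opt/cpanel/ea-php83/root/usr/bin/php-cgi /home/otheruser/public_html/index.php'

# Read "ps aux" output on stdin; print the script paths of php-cgi processes
# owned by $1 whose script is a non-.php file under wp-includes (the pattern
# seen in the post).  Live use:  ps aux | suspicious_php_scripts username
suspicious_php_scripts() {
    awk -v u="$1" '$1 == u && $11 ~ /php-cgi$/ &&
        $12 ~ /\/wp-includes\/[^\/]+$/ && $12 !~ /\.php$/ { print $12 }'
}

# List the zero-byte probe files the attacker leaves under a docroot ($1).
marker_files() {
    find "$1" -type f -size 0 \
        \( -name admin.php -o -name license.txt -o -name paypal.gif \) | sort
}

# List .htaccess and index.php files under $1 modified in the last $2 minutes;
# anything listed after the kill means files are still being rewritten.
recently_rewritten() {
    find "$1" -type f \( -name .htaccess -o -name index.php \) -mmin "-$2" | sort
}

# Constructed docroot so the helpers can be exercised offline.
build_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/site1/wp-includes" "$d/site2"
    : > "$d/site1/admin.php"; : > "$d/site2/paypal.gif"   # 0-byte probes
    printf 'ok' > "$d/site1/license.txt"                  # non-empty, ignored
    printf '<?php\n' > "$d/site1/index.php"               # fresh rewrite
    printf 'Options -Indexes\n' > "$d/site2/.htaccess"
    touch -t 202001010000 "$d/site2/.htaccess"            # old, not flagged
    printf '%s' "$d"
}
```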
Good luck or contact me and my team if this happens to you: +27 82 309-6710.