
I have installed a WordPress site and a phpBB3 forum on the same hosting (the site in the root and phpBB3 in a folder). Since yesterday it has been working very slowly. I detected some strange new files, and I suppose that somebody hacked my WordPress and phpBB. I reinstalled phpBB and now it works well. I still have to reinstall WordPress.

I can see in /var/logs/httpd/error_log the following message repeated every second: sh: /usr/sbin/sendmail: No such file or directory

How can I find out which file is trying to send an email? How can I check for hacked files?

Thank you very much!

aaubets

1 Answer

I would really recommend that you set your server up anew and change all your passwords; that's the safest route you can take. The password change is absolutely mandatory, and don't use the same passwords on the new system.

I really advise against using the compromised system, since you can never be sure whether you really managed to completely sanitize it. If you still want to try, here's what I can say about your situation:

Apparently your Apache web server has been compromised, and it's extremely probable that the attacker used either WordPress or phpBB; WordPress in particular has been known to be a large attack vector. Now your web server is executing at least one PHP script the attacker injected, which tries to "phone home" via sendmail. Sendmail apparently isn't installed, and this is what has saved you so far. If your server has been configured correctly, Apache, and therefore the PHP script, can't access or modify anything significant outside of /var/www or whatever directory you use to store your web pages, so there is a slight possibility that nothing outside of that folder got compromised. I wouldn't bet on it.

As to catching that script: you can try setting LogLevel debug in your httpd.conf, but PHP has been known for its rather lacking logging capabilities. There's also a possibility that you already deleted the script when you removed the unknown files and that a restart will remove the malicious code. But it can also be that the attacker injected another hidden script that re-downloads the files once the service gets restarted, if they are missing.

Long story short: be safe, reinstall the server, change all the passwords and keys, and check the installed WordPress/phpBB plugins/mods for known vulnerabilities to prevent reinfection.

Metalfreak
  • Thank you very much! It seems to be as you say. I'm sure that I have to reinstall the server, but it has a lot of services and things to install and configure, and at this moment I don't have time, so I want to know if there is some 'easy and provisional' solution. – aaubets Oct 26 '15 at 09:48
  • Well, the only quick and dirty provisional solution I can think of is assuming that only your web applications have been infected. So you can try to save all data from WordPress/phpBB, delete everything from their folders and maybe even everything from any folder the user www has write permission to, and reinstall WordPress/phpBB afterwards. With this approach you have to assume that the attacker couldn't infect anything outside of it and that your data remains clean and uninfected. Also change all your passwords and change all your SSH keys present on the system. But I would still recommend you – Metalfreak Oct 26 '15 at 12:45
  • To reinstall the whole server – Metalfreak Oct 26 '15 at 12:45
  • Thank you very much! I did it with phpBB, and "disabled" WordPress (a die(); in the first line of index), but the system continues to work badly in other applications I use (phpMyAdmin, Codiad, ...). I think that, as you say, I have to reinstall the whole server :( – aaubets Oct 26 '15 at 14:13
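The answer and comments above describe a triage procedure: find which PHP file is invoking sendmail, find files that changed recently, and find directories the web server user can write to. The following POSIX shell helpers, added here as an example and not code from the thread's participants, implement those three checks over a webroot. The webroot path and the sample files created by setup_sample_webroot are constructed for demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Triage helpers for a PHP webroot suspected of hosting an injected script.
# Added example; the sample webroot below is constructed, not from the thread.

# List PHP files under the directory $1 that reference the sendmail binary
# or call PHP's mail(). These are the candidates for whatever is producing
# the "sh: /usr/sbin/sendmail: No such file or directory" message.
php_mail_callers() {
  find "$1" -type f -name '*.php' \
    -exec grep -lE 'sendmail|mail[[:space:]]*\(' {} + 2>/dev/null | sort
}

# List files under $1 modified within the last $2 days (find -mtime -N).
# Compare against the date the slowdown started to narrow the candidate set.
recently_modified() {
  find "$1" -type f -mtime "-$2" | sort
}

# List world-writable files under $1; these are places any local process,
# including a compromised web application, could drop or alter code.
world_writable() {
  find "$1" -type f -perm -o+w | sort
}

# Build a small constructed webroot so the helpers can be exercised offline:
# one old, clean index.php; one fresh file calling mail(); one world-writable
# cache file. Prints the temporary directory path.
setup_sample_webroot() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads" "$root/forum/cache"
  printf '<?php echo "hello";\n' > "$root/index.php"
  printf '<?php mail("admin@example.com", "subject", "body");\n' \
    > "$root/wp-content/uploads/notify.php"
  printf 'cache placeholder\n' > "$root/forum/cache/data.txt"
  chmod o+w "$root/forum/cache/data.txt"
  # Backdate index.php so it falls outside a "modified recently" window.
  touch -t 201501010000 "$root/index.php"
  printf '%s\n' "$root"
}

# Usage: sh triage.sh /var/www [days]
if [ -n "${1:-}" ]; then
  days=${2:-7}
  echo "== PHP files referencing mail() or sendmail under $1"
  php_mail_callers "$1"
  echo "== Files modified in the last $days days"
  recently_modified "$1" "$days"
  echo "== World-writable files"
  world_writable "$1"
fi
```

The mail-caller grep is a starting point, not proof: treat any hit in an uploads or cache directory, or any file with a modification time after the incident began, as suspect and compare it against a clean copy of the same WordPress/phpBB release. Independently of this scan, PHP's own `mail.log` ini directive (available since PHP 5.3) records the script path and line number for every mail() call, which answers the "which file is sending email" question directly without raising Apache's LogLevel.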