
My website was hacked last year and someone had uploaded a script which was hogging up all CPU and load avg went up to 30+ till our hosting provider temporarily suspended the account, that was a few days after installing WordPress (I didn't know PHP is so vulnerable to hacking). I had to disable many options in php.ini and after that there was no problem with my site for over 300 days.

But since the last few weeks someone is again trying to defame the site. He is constantly uploading malware to my site. But the worst part is the malware is not always there, it is only detected by Google Webmaster, and that too once in a few days. I removed WordPress, now it's all static HTML (as I feel PHP is not that secure) and still the hacker is able to inject malware once in a few days for a few hours only.

A page gets blocked by Google Webmaster and no other pages are touched. I changed all my HTML and CGI files to a different permission. Apache cannot write on any of the folders now, removed all PHP scripts last week and I thought that should safeguard my website from future attacks.

But this morning, when I visited Google Webmaster, I was surprised to see a warning of my website having malware! And that too in an "apk" file this time.

Question:

So my question is, how on earth is someone able to upload a malware which gets downloaded automatically when an APK is accessed! Even when there is no permission for him to write to that directory!

I have been programming for the last 10 years and this is beyond me. Nothing in the Apache logs, nothing in any folder. The file modification search also shows nothing has been touched in the last 10 days and yet the hacker manages to allow a malware to be downloaded along with my apk and that too only for a few hours (So he puts something there and comes back to remove it?)

And my website is not even that popular, don't know why the hacker is wasting his time and mine in being so aggressive, but he does seem highly motivated as he has been doing this consistently for the last 2 months.

S.L. Barth

1 Answer


> how on earth someone is able to upload a malware which gets downloaded automatically when an APK is accessed! Even when there is no permission for him to write to that directory!

The files might not be served from the directory you think at all but might be hidden somewhere else. This can be done by either changing the configuration of Apache or some other files on the system, or by injecting code into the Apache process itself. For more details read about Darkleech, Apache binaries with backdoors, or recent attacks against WordPress sites.

> And my website is not even that popular, don't know why the hacker is wasting his time and mine in being so aggressive, but he does seem highly motivated as he is doing this consistently since the last 2 months.

Attackers are always looking for sites which are not blacklisted by anti-malware solutions. It does not matter how popular they are, because they are usually just one step inside a phishing or malvertising campaign; that is, the user gets directed there by the attacker.

> Apache cannot write on any of the folders now, removed all PHP scripts last week and I thought that should safeguard my website from future attacks.

I suggest that you reinstall the whole system and make sure that the usual attack vectors are closed (i.e. weak passwords, insecure WordPress installations etc). It looks like the attacker has compromised your system more deeply than you might think.

Steffen Ullrich

  • Thanks Steffen Ullrich for your quick response. It gave a good direction as to where to start looking. It's scary to what degree these hackers are entering into our systems. I have reinstalled my Apache. Will check it for a few more days and if I get the same warning from Google Webmaster again then I have no option but to reinstall the whole CentOS. – Srihari Karanth Sep 30 '15 at 06:48
  • @SrihariKaranth: Since you've only reinstalled the Apache I'm pretty sure that the attackers still have access to your system. – Steffen Ullrich Sep 30 '15 at 06:53
  • You should really follow Steffen Ullrich's advice to [reinstall the whole system](https://security.stackexchange.com/q/24195/57086). – Anonymous Coward Sep 30 '15 at 08:59
  • @SrihariKaranth Another thing worth mentioning is that whenever you use a CMS like WordPress, it's *very* important to keep it up to date (both WordPress itself and especially all themes/plugins). Any time a vulnerability is found, announced, and patched, attackers will start running automated scans of WP sites on the Internet looking for ones that haven't been updated (and thus are still exploitable). Many WP sites are hacked not because of anything inherently insecure about WP/PHP, but because they were not kept up to date. – tlng05 Sep 30 '15 at 13:35
  • I agree Steffen and tlng05. I just wanted to nail down the problem. After reinstalling Apache I haven't seen any malware detected by Google Webmaster in the last 10 days. Will clean up the container in a few days anyway. But it's good to know that uninstalling and installing Apache and removing unnecessary modules solves the problem (at least in my case it did). – Srihari Karanth Oct 09 '15 at 07:21
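The answer's point is that the served file need not live in the web root at all: a changed Apache configuration (an extra `LoadModule`, an `Alias`, a `RewriteRule` to another host) can hand out content from anywhere. The following audit script is an added example, not code from the answer or from the Apache project. It walks a config file and flags the three patterns the answer hints at: modules loaded from outside the server's `modules/` directory or from temporary or hidden paths, aliases that map URLs outside the document root, and redirects to foreign hosts. It assumes a CentOS-style layout (`ServerRoot` `/etc/httpd`, sites under `/var/www/`); the sample config, including the TEST-NET address `203.0.113.5`, is constructed for the example. The optional `package_owner` helper shells out to `rpm -qf`, which exists on CentOS, to tell whether a flagged module file belongs to any installed package.

```python
"""Audit an Apache httpd.conf for configuration changes that serve content
from unexpected places (constructed example; not from the page)."""
import re
import shlex
import shutil
import subprocess

# World-writable locations where a legitimate Apache module never lives.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample config: two normal modules, one rogue module, one
# normal alias, one alias into /dev/shm, and a rewrite to a foreign host.
SAMPLE_CONF = """\
ServerRoot "/etc/httpd"
LoadModule ssl_module modules/mod_ssl.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule sec2_config_module /tmp/.X11-unix/mod_sec2_config.so
Include conf.modules.d/*.conf
Alias /downloads /var/www/html/downloads
Alias /app.apk /dev/shm/.cache/app.apk
RewriteEngine On
RewriteRule ^/(.*\\.apk)$ http://203.0.113.5/$1 [R,L]
"""


def _resolve(server_root, path):
    """Apache resolves relative paths against ServerRoot."""
    return path if path.startswith("/") else f"{server_root.rstrip('/')}/{path}"


def _in_temp_or_hidden(path):
    """True for temp directories or any dot-prefixed path component."""
    if path.startswith(TEMP_DIRS):
        return True
    return any(part.startswith(".") for part in path.split("/") if part)


def audit_config(conf_text, server_root="/etc/httpd", doc_roots=("/var/www/",)):
    """Return a list of (line_number, reason) findings for suspicious directives."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)  # handles quoted paths like "/etc/httpd"
        except ValueError:
            findings.append((lineno, "unparseable line"))
            continue
        directive = parts[0].lower()
        if directive == "serverroot" and len(parts) > 1:
            server_root = parts[1]
        elif directive == "loadmodule" and len(parts) > 2:
            path = _resolve(server_root, parts[2])
            expected_dir = server_root.rstrip("/") + "/modules/"
            if not path.startswith(expected_dir) or _in_temp_or_hidden(path):
                findings.append((lineno, f"module loaded from unexpected path: {path}"))
        elif directive in ("alias", "scriptalias", "aliasmatch") and len(parts) > 2:
            target = parts[2]
            if not target.startswith(doc_roots) or _in_temp_or_hidden(target):
                findings.append((lineno, f"{parts[0]} maps {parts[1]} outside the document root: {target}"))
        elif directive in ("rewriterule", "redirect", "redirectmatch"):
            for token in parts[1:]:
                if re.match(r"https?://", token, re.I):
                    findings.append((lineno, f"{parts[0]} sends visitors to another host: {token}"))
    return findings


def package_owner(path):
    """On an RPM-based host (CentOS), return the package owning `path`,
    or None when rpm is unavailable or the file belongs to no package."""
    rpm = shutil.which("rpm")
    if rpm is None:
        return None
    result = subprocess.run([rpm, "-qf", path], capture_output=True, text=True)
    return result.stdout.strip() if result.returncode == 0 else None


if __name__ == "__main__":
    for lineno, reason in audit_config(SAMPLE_CONF):
        print(f"line {lineno}: {reason}")
    # Example of the ownership check against a real file on an RPM host.
    print("owner of /etc/httpd/conf/httpd.conf:", package_owner("/etc/httpd/conf/httpd.conf"))
```

Run it against the real `httpd.conf` and every file it `Include`s; on a CentOS host, pair it with `rpm -V httpd` so that a modified binary or module shipped by the package is reported as well. The script only reads configuration, so it is safe to run on a box you suspect is compromised, but as the answer says, a clean reinstall is the only way to be sure.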