I manage an Ubuntu server that runs a number of WordPress sites. This morning one of them went down and was showing the exception

PHP Fatal error:  Namespace declaration statement has to be the very first statement or after any declare call in the script in /var/www/vhosts/new.wearesno.com/httpdocs/wp-content/plugins/w3-total-cache/Cache_File_Generic.php

I went and had a look in that file using nano in the terminal and it looked normal - with the namespace declaration straight after the opening <?php tag. However, when I downloaded the file to my Windows PC I could see that it contained this:

[screenshot of the top of the downloaded file; image not reproduced here]

I then went and downloaded a backup of all the sites on the server and did a search for $GLOBALS;$ and found a large number of files containing similar content at the top of the file.

Presumably this is a shell of some sort that will allow an attacker remote access to the server. Does anybody recognise specifically what it is?

I'm hoping that because the sites are behind CloudFlare that the attacker doesn't know the actual IP address of the origin server and so if they are opening a socket on the server, the attacker doesn't know the IP to connect but I'm not 100% sure on this.

Open to any suggestions on how to best secure the server.

PiX06
  • 101
  • We can't do an analysis on random malicious code. Which leaves the question, "how can I secure the server?" But without knowing the vulnerability that was exploited, all we can do is guess. – schroeder Sep 03 '20 at 12:05

1 Answer

I don't know what the script does specifically; you may be right, but it's not unlikely that it's connecting to a remote server and putting some malware, ads or something else into your websites, so don't assume you are in any way protected by Cloudflare in this case.

Given you cannot know what has happened to your server, my approach in this case is normally to burn everything and make a new server with the code out of your git repo. Obviously this depends on you having a copy of the code that isn't on this server, and a database backup; otherwise you are going to need to go line by line through your code. You can download fresh copies of WordPress and your plugins and themes. Basically, don't trust anything on that server anymore.

IMHO, the best protection against these types of attack is to make all the code read-only to your web server user. So, assuming you have a www-data user that is running Apache or FPM, make some other user, bob, the owner of all the files and give www-data read-only access.

There are disadvantages with this approach if you want to use the WordPress admin to do updates, install plugins, etc., but it's easy enough to change the file owner for a short time and change it back, or, even better, do all the updates on your computer, commit everything to git, and put it on the server using git.

Also make sure you are always running the latest version of WordPress and your plugins, and keep Apache/nginx/FPM and the other parts of your server updated as well.

mcfedr
  • 162
  • 4
  • Thanks - all good advice. I do have all the code in git etc. I don't really have the time to burn the server and recreate everything from scratch at the moment so will just have to keep a close eye on everything – PiX06 Sep 03 '20 at 12:24
  • 1
    A good thing when you have git as well is that you can run `git status` and see the changed files, but you have to hope that nothing else on your server has changed. I've seen servers where extra daemons are running, so unknown network traffic happening. – mcfedr Sep 03 '20 at 17:31
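The ownership scheme from the answer, as an added example that is not the answer author's code: a separate account owns the tree, the web server user reaches it only through group read permission, and a second function lists anything the web server could still write. The account name `bob` follows the answer; the owner and group are parameters so the script can be tried as an unprivileged user. One addition beyond the answer, stated as an assumption: `wp-content/uploads` is left group-writable, because media uploads stop working otherwise, and it is therefore the one directory the listing function is expected to report. The sample tree is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: read-only WordPress tree for the web server user.
# Not the answer author's code. "bob" is the owner from the answer; the
# uploads exception is an assumption added here.

# harden_wp_tree ROOT OWNER WEBGROUP
#   ROOT      document root of one site
#   OWNER     deploy account that owns every file (e.g. bob)
#   WEBGROUP  primary group of the web server user (e.g. www-data)
harden_wp_tree() {
  wp_root=$1; wp_owner=$2; wp_group=$3
  # Owner is the deploy account; the web server only shares the group.
  chown -R "$wp_owner:$wp_group" "$wp_root"
  # Directories: owner rwx, group r-x (traverse and list), others nothing.
  find "$wp_root" -type d -exec chmod 750 {} +
  # Files: owner rw, group r, others nothing. PHP is read by the
  # interpreter, never executed directly, so no x bit is needed.
  find "$wp_root" -type f -exec chmod 640 {} +
  # Assumed exception (not in the answer): the web server must write
  # uploaded media, so uploads alone stays group-writable.
  if [ -d "$wp_root/wp-content/uploads" ]; then
    find "$wp_root/wp-content/uploads" -type d -exec chmod 770 {} +
    find "$wp_root/wp-content/uploads" -type f -exec chmod 660 {} +
  fi
}

# list_web_writable ROOT
# Every path with the group or other write bit set, i.e. what a process
# running as the web server user could modify. After hardening, only the
# uploads tree should appear; a PHP file here is a finding.
list_web_writable() {
  find "$1" \( -perm -020 -o -perm -002 \) -print
}

# make_sample_tree
# Constructed miniature site layout in a temp dir, deliberately started
# from a wide-open 777 state so the hardening has something to fix.
make_sample_tree() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/plugins/w3-total-cache" \
           "$site/wp-content/uploads/2020"
  printf '<?php\n// constructed stand-in for the real plugin file\n' \
    > "$site/wp-content/plugins/w3-total-cache/Cache_File_Generic.php"
  printf '<?php\n// constructed stand-in for wp-config.php\n' \
    > "$site/wp-config.php"
  printf 'not really an image\n' > "$site/wp-content/uploads/2020/photo.jpg"
  chmod -R 777 "$site"
  printf '%s\n' "$site"
}

# Usage (as root): sh harden.sh /var/www/vhosts/example.com/httpdocs bob www-data
if [ $# -eq 3 ]; then
  harden_wp_tree "$1" "$2" "$3"
  list_web_writable "$1"
fi
```

Run `list_web_writable` again after every deployment; if the tree is a git checkout deployed as `bob`, `git status --porcelain` run as that user gives the complementary view the comment above describes, namely which tracked files changed on disk, regardless of who changed them.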