Portal Home > Knowledgebase > Articles Database > My Server Seems to be Infected with a Trojan


My Server Seems to be Infected with a Trojan




Posted by jaypabs, 04-05-2016, 01:45 AM
Hi, After several days of figuring out what's happening on my server and can't fix it on my own, I decided to write here and ask some expert advice. Here's some report of other website that my IP Address is attempting to bruteforce their admin password (WordPress site). Note: I changed my actual IP Address to 192.168.1.1 to hide my IP from public. And also last April 1, Yahoo, Gmail and other mail server don't want to accept my automated email as an automatic reply to the member who registered to my site. Here's the reason I see: Note: Again I changed my IP address in this line "accepted from 192.168.1.1" to hide my real IP. Here's a report from abuseipdb.com: So my question now is on how I can detect the trojan or malicious code that is hiding on my server or may be on the plugin of one of my website. Is there any code that detects what script or application that is running on my server that sends outgoing traffic to other website? I have around 10 active website running on my server. Thank you very much in advance for any help

Posted by victor_y, 04-05-2016, 02:23 AM
One of our admins recommended this software: https://www.rfxn.com/projects/linux-malware-detect/. Additionally, I also found out this one: https://cisofy.com/changelog/lynis/2.2.0/. Both of these will check for rootkits, malware and trojans on your server. If your sever is managed, you can also ask your provider for help.

Posted by net, 04-05-2016, 08:10 AM
Moved > Hosting Security and Technology.

Posted by NetworkPanda, 04-05-2016, 09:35 AM
As a first step, you can use iptables to block all outgoing requests from your server to wp-login.php pages of other web sites: (if using CSF, you must add this command to the /etc/csf/csfpost.sh file and restart CSF, else the iptables rule will be lost each time you restart CSF) This will not affect the WordPress logins on sites on your server, they will continue working normally. It will only stop WordPress brute force attacks from your server against other servers. Then, you will need to run a full scan on the server with Linux Malware Detect ( https://www.rfxn.com/projects/linux-malware-detect/ ) and ClamAV. CXS and rkhunter are also highly recommended. Last edited by NetworkPanda; 04-05-2016 at 09:46 AM.

Posted by Srv24x7, 04-05-2016, 11:06 AM
Hi, You can use the following application to check for this: 1. Maldet. 2. Clamscan. 3. RKhunter. 4. Chkrootkit. Scan your server with these 4 to start with and check what in there.. For Example: maldet -a /home/ --> to scan complete /home i..e, user contents will be scanned.

Posted by WeWatch, 04-06-2016, 10:24 AM
Typically we see files like: .sd0, bruteforce.so, .cache, .cached_sess or some other compiled filename that begins with a dot. So you could: grep . -name ".*" That will show a lot of false positives, but also show you any files that might be attacking other sites. If you find one of these, it will be accompanied by a .php file with this in it: You might also have various "host" processes running that you'll have to kill as well. This is just a possibility.

Posted by HostingBig, 04-06-2016, 12:42 PM
Found one of these yesterday on a exploited/hacked word press site 1. Maldet. 2. Clamscan. 3. RKhunter. 4. Chkrootkit. were all useless at finding it nor was it using /usr/bin/host process you can use tcpdump netstat, & lsof to find it we found it using netstat looked at all the outbound http processes and matched it with the corresponding inbound http processes. Then with lsof verified it Banned the the botnet controlling ip range and sent notice to client Note: the attack has to be happening for you to find it the iptables fix will work as well but its just a band-aid as the infected site will still be infected

Posted by WeWatch, 04-06-2016, 01:29 PM
Nicely done HostingBig! There are many, many variations and methods. Your process is one more to add to everyone's bag of tricks at finding these rogue processes.

Posted by brianoz, 04-07-2016, 04:16 AM
Another really useful tool for finding these things as well as "find . -name '.*'" is this: ps -efH | less Because it shows the relationship between processes it makes many hacker processes much more obvious.

Posted by brianoz, 04-07-2016, 04:47 AM
Note - the above trick is only one of many for your grab bag, as mentioned previously

Posted by Bitpalace, 04-07-2016, 05:12 AM
There won't be any hacker processes on the server. The symptoms that the poster described are two different issues: a) The wp-login.php symptom is a typical brute force attack scheme on Wordpress installations. This is highly common and has nothing do with any malicious software on the machine or the web space. It's simply external sources trying to guess the correct login user name / password combination. To stop these attacks, fail2ban is a great tool as there are many good wordpress brute force attack filters for it. Another good tool to install directly as a Wordpress plugin is "All in One WP Security & Firewall". b) The server is listed on blacklists because it has been sending out spam. This can, but it does not have to be the result of a succesful break-in attempt into a website. It is not said that the mails are coming from a Wordpress installation. If the users shares the host with other websites, it could equally well be the result of another users's spam. To find out whether the own installation is infected, watch out for files with awkward names like fca4698dbc29.php in your file structure on the server and scripts (file contents) or portions of them that look encrypted (e.g. a long, long, long chain of digits and characters that do not reveal what they are meant for upon first impression).

Posted by khunj, 04-07-2016, 12:03 PM
Check your mail logs, that will show you when the spam messages were sent. Then you could check the timestamps and compare it with files that may have been added (or modified) in your sites. -Check your mail queue too, there may be some of those spam emails still in the queue and their headers could have some important info such as the user/group of the sender or even the X-PHP-Originating-Script path to the PHP script that was used to send them (assuming a PHP script was used).

Posted by WeWatch, 04-07-2016, 04:59 PM
From the OP: It's the OP's server that is trying to brute force other sites with WordPress on them. The OP could run:This will show what domain and possibly what files are being used to send the spam. Also check the access-logs for POSTs from various IP addresses to files that aren't part of WordPress.

Posted by jaypabs, 04-07-2016, 11:47 PM
Thank you very much for the suggestion.



Was this answer helpful?

Add to Favourites Add to Favourites    Print this Article Print this Article

Also Read
Server Drive issues ? (Views: 313)
Server Always Loaded (Views: 290)