command line to search files with string and save output to file

f33dm3bits

Gold Member
Gold Supporter
Credits
24,128
Those .htaccess files you found are put there by the install of the plugin Wordfence; it put them there for a reason.
 


captain-sensible

Well-Known Member
Credits
14,108
In CodeIgniter4 .htaccess is in public and a couple of other locations; say if you had 100 plugins for W.P and each had one .htaccess, that would be only 100 occurrences.

I would only expect one .htaccess file in a W.P install though! I have a plugin for Wordpress.org and I never saw any mention of using .htaccess when looking at writing specs/requirements for plugins.

I'm thinking either something is up or we are using grep wrong.

I can at some point tell you about the structure of how W.P is coded compared to OOP and its security shortfall [that might have to be a new thread]. But let me just say this: a new W.P install without the appropriate plugin will easily divulge the admin user login name.
 

satimis

Member
Credits
557
Hi all,

I'm still looking around for the cause of being unable to add a new plugin. So far I only found two websites out of 40 without such a problem. Before the attack of the suspected malware lock360.php all my websites were working without problem.

Although I can add new plugins via File Manager on cPanel. Also I have cloned sites running on the local network and they are NOT open to the public. In the worst case I just delete all problematic websites on the cPanel of my hosting company and clone new websites from the local network onto the cPanel.

However I'm interested to find out the cause for learning.

Regards
 

f33dm3bits

Gold Member
Gold Supporter
Credits
24,128
Restore a backup from a time before the websites were attacked, then update WordPress and all the plugins on all of them. That's what backups are for: to restore a broken system, website or application to a time when they were working correctly.
 

satimis

Member
Credits
557
Restore a backup from a time before the websites were attacked, then update WordPress and all the plugins on all of them. That's what backups are for: to restore a broken system, website or application to a time when they were working correctly.
Hi

My hosting company only allows 2 backups stored on their server. I have more than 40 websites. Their backups were downloaded to local networks. I don't worry about the websites. I have triple security for all of them;
1) I have their backups downloaded to a local PC
2) I have their Duplicator migration packages downloaded to a local PC
3) I have their cloned sites running on the local network without problem.

I'm curious to find out the cause of the problem. It is a chance for me to learn. Now I found 5 websites are without the problem of running Plugin -> Add New. Why? The rest of the websites are running on the Internet without problem and I can login to admin, except being unable to install new plugins. Should I need to add a new plugin I can install it directly via cPanel File Manager. It is not a problem to me.

Frequently I run the following command line on cPanel Terminal checking the suspected malware lock360.php;
find ./ -type f -name "lock360.php"

To delete them
find ./ -type f -name "lock360.php" -delete

I have sent the lock360.php file to Wordfence security as per their request. They also need to find out why their software couldn't detect it.

In fact the back end of all security software is Linux command lines.

Have a nice weekend !!!

Regards
 

satimis

Member
Credits
557
Hi all,

Problem solved.

Most websites are in the public_html folder. A .htaccess is in this folder with the following content;
<FilesMatch '.(php|php5|phtml)$'>
Order allow,deny
Deny from all
</FilesMatch>

<FilesMatch '^(index.php|auto_seo.php|wp-blog-header.php|wp-config-sample.php|wp-links-opml.php|wp-login.php|wp-settings.php|
....
....
</FilesMatch>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>

I just commented out;
<FilesMatch '.(php|php5|phtml)$'>
#Order allow,deny
#Deny from all

</FilesMatch>

then the problem was solved. I think the lines were added by the malware.

Lots of thanks for your assistance

Have a nice Sunday

Regards
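The two command-line tasks in this thread, satimis's find for files named lock360.php (with the result saved to a file rather than deleted) and the hunt for .htaccess files whose FilesMatch block denies every .php file, combined in one added example. This script is not from the thread or from any of the posters; it builds a small constructed directory tree under mktemp (placeholder files and paths, no real malware or site data) and runs both checks against it, so it can be tried offline before pointing the functions at a real cPanel home.

```shell
#!/bin/sh
# Added example, not code from the thread. It builds a small constructed
# directory tree that imitates a cPanel home (placeholder content only), then:
#   1) lists every file with a given name and saves the list to a report
#      file, as a non-destructive alternative to find ... -delete;
#   2) finds .htaccess files whose <FilesMatch> block for .php files contains
#      an active "Deny from all", the condition that broke Plugins -> Add New.
set -eu

# Build the constructed sample tree; prints the root directory path.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/public_html/wp-content/plugins/demo" "$root/site2" "$root/site3/private"
  # Harmless placeholder files; the suspicious file name is only a name here.
  printf '<?php // placeholder plugin\n' > "$root/public_html/wp-content/plugins/demo/demo.php"
  printf '<?php // placeholder, not real malware\n' > "$root/public_html/lock360.php"
  printf '<?php // placeholder, not real malware\n' > "$root/site2/lock360.php"
  # .htaccess as quoted in the thread: every PHP file denied.
  cat > "$root/public_html/.htaccess" <<'EOF'
<FilesMatch '.(php|php5|phtml)$'>
Order allow,deny
Deny from all
</FilesMatch>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^index.php$ - [L]
</IfModule>
EOF
  # The same block after the thread's fix: the deny lines are commented out.
  cat > "$root/site2/.htaccess" <<'EOF'
<FilesMatch '.(php|php5|phtml)$'>
#Order allow,deny
#Deny from all
</FilesMatch>
EOF
  # A directory-wide deny with no FilesMatch for PHP: legitimate, must not be flagged.
  printf 'Deny from all\n' > "$root/site3/private/.htaccess"
  printf '%s\n' "$root"
}

# 1) Save every path whose basename equals $2 under $1 into report $3; print the count.
find_by_name() {
  find "$1" -type f -name "$2" > "$3"
  wc -l < "$3" | tr -d ' '
}

# Return 0 when the .htaccess at $1 has an uncommented "Deny from all" inside a
# <FilesMatch> whose pattern mentions php; 1 otherwise.
htaccess_denies_php() {
  awk '
    /^[[:space:]]*<FilesMatch/   { inblock = (tolower($0) ~ /php/); next }
    /^[[:space:]]*<\/FilesMatch>/ { inblock = 0; next }
    inblock && $0 !~ /^[[:space:]]*#/ && tolower($0) ~ /deny[[:space:]]+from[[:space:]]+all/ { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# 2) Write every .htaccess under $1 that denies PHP into report $2; print the count.
find_php_denying_htaccess() {
  : > "$2"
  find "$1" -type f -name .htaccess | while read -r f; do
    if htaccess_denies_php "$f"; then
      printf '%s\n' "$f" >> "$2"
    fi
  done
  wc -l < "$2" | tr -d ' '
}

# Stand-alone run: build the tree, write the two reports, show them.
root=$(make_sample_tree)
printf 'files named lock360.php: %s\n' "$(find_by_name "$root" lock360.php "$root/lock360_report.txt")"
cat "$root/lock360_report.txt"
printf '.htaccess files denying PHP: %s\n' "$(find_php_denying_htaccess "$root" "$root/htaccess_report.txt")"
cat "$root/htaccess_report.txt"
```

On a real account, replace the constructed root with the cPanel home directory (for example `find_by_name ~ lock360.php ~/lock360_report.txt`) and keep the reports for the hosting company or Wordfence; reviewing the list before any `-delete` also avoids removing a legitimately named file. The awk check deliberately ignores commented lines, so a .htaccess repaired the way the thread describes is reported as clean, while a plain `Deny from all` protecting a private directory is left alone because it sits outside any PHP FilesMatch block.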
 

f33dm3bits

Gold Member
Gold Supporter
Credits
24,128
Turn auto-update on for your WordPress websites and the plugins if you haven't already.
 

satimis

Member
Credits
557
Hi KGIII,

I already have the WordFence plugin installed. WordFence couldn't detect the suspected malware lock360.php and it has hidden in my cPanel, continuing to replicate. I have to run Linux command lines to detect and delete it. WordFence requested me to send them the lock360.php file and I did 2 days ago. But up to the time of writing they haven't replied to me.

I expect to clean the cPanel myself. Please see the screenshot of the #ls printout
(screenshot_ls_printout_on_terminal.png)

My hosting company is fully aware of this case. They didn't help me out, only asking me to contact SiteGround Security for help. They said that they are only a hosting company, not a security company. I have retained 3 days of email communication with them.

I have cloned sites running on VMs. I'll try to experiment with ClamAV on a VM. I would clone multiple VMs for the test. It is very safe for me here. I have all websites (>40 sites) installed on the VMs of 3 PCs here.

Please provide me some advice on communicating with my hosting company re ClamAV. ClamAV is completely new to me. Besides, on Google search I found many ClamAV alternatives, such as Lynis, Zeus, BitDefender, Quick Heal etc. I'll check whether any of them are installed on the server of my hosting company.

Please help. Thanks

Besides, can I run WP Cerber in addition to Wordfence?

Regards
 

KGIII

Super Moderator
Staff member
Gold Supporter
Credits
25,824
Yeah, you can use Cerber in addition to WordFence. Both are really only good at preventing - and NOTHING is 100% secure, making backups very important. It's also possible that someone else on your shared hosting is infected and your hosting company isn't very good at their jobs.

Anyhow, send me a copy of the file - if you want. DO NOT SEND IT UNCOMPRESSED! Send me lock360.php to admin *at* linux-tips.us and I'll take a look at it. Be sure to compress it. I won't get time to look at it tonight, but I'll see what time I can free up tomorrow.

See also the longer answer here:


And, you don't have any backups you can push out? It's cPanel, so you might have Softaculous backups or you may have JetBackup?
 

satimis

Member
Credits
557
Yeah, you can use Cerber in addition to WordFence. Both are really only good at preventing - and NOTHING is 100% secure, making backups very important. It's also possible that someone else on your shared hosting is infected and your hosting company isn't very good at their jobs.
Let me tell you a short story of my websites. All my websites have been running on the server of my previous hosting company, say old_h_com, without problem for several years, and some of the websites even running >10 years. I just changed to this new hosting, say new_h_com, about 3 months ago. The cause of this change is NOT cost. It is because old_h_com is not experienced with WordPress sites.

After this change of hosting company my nightmare began. 3 websites were hacked, unable to login to admin. The hacker left a message on their HOME page, saying this site is controlled by so-and-so. Nothing has been changed in their contents. They were still running without problem on the Internet. I just removed them and cloned new websites from the local server. However my nightmare does not come to an end. All my websites continue to be hacked almost 24 hours daily.

Anyhow, send me a copy of the file - if you want. DO NOT SEND IT UNCOMPRESSED! Send me lock360.php to admin *at* linux-tips.us and I'll take a look at it. Be sure to compress it. I won't get time to look at it tonight, but I'll see what time I can free up tomorrow.
OK, I haven't compressed it. It is a small .php file of size 16.6 kB. The file has been sent.

See also the longer answer here:

I'll go through it later. Thanks

And, you don't have any backups you can push out? It's cPanel, so you might have Softaculous backups or you may have JetBackup?
I have backups and Duplicator Migration packages of all websites downloaded to a PC on the local network. Also I found Softaculous on cPanel (pls see screenshot - screenshot_softaculous_backups.png attached). I suppose they are automatically created by the server of my new_h_com.

My questions:
1) Do I need to download all of them to a local PC? Or only the backups of the latest days?
2) After download, can I delete all old backups leaving only the backups of the latest days?
Please advise. Thanks

Regards
 


satimis

Member
Credits
557
See also:


You may need to translate it.
Thanks

My Spanish is not good.

This file is installed together with the files of your website and through it you get access to all files, creating and modifying at will.

Anyway I'll visit the site -
Lock360.php | Tu web a sido HACKEADA
Lock360.php | Your website has been HACKED
flejedecosas (dot) com/lock360-php-tu-web-a-sido-hackeada/

trying to understand its content.
 

KGIII

Super Moderator
Staff member
Gold Supporter
Credits
25,824
The reason for compressing it isn't the size, but so that I actually get the attachment. I'll retrieve it from the server and take a look at it.

An automatic translator, such as deepl.com, should be good enough to translate the page that's in Spanish.
 

satimis

Member
Credits
557
The reason for compressing it isn't the size, but so that I actually get the attachment. I'll retrieve it from the server and take a look at it.

An automatic translator, such as deepl.com, should be good enough to translate the page that's in Spanish.
Hi KGIII,

Please share your findings on the suspected malware file "lock360.php". Thanks

deepl.com is a good translator. But I haven't found how to use it to translate the complete Spanish website. I couldn't translate the Spanish words on tabs, images etc. I have to type them into deepl.com to translate.

Regards
 

KGIII

Super Moderator
Staff member
Gold Supporter
Credits
25,824
Oh, yeah, the server appears to have eaten it - probably because it thinks it's malware. That's why you should compress it, so you can make it through my email system. I was unable to find it anywhere, including in the quarantined folder.
 

satimis

Member
Credits
557
Oh, yeah, the server appears to have eaten it - probably because it thinks it's malware. That's why you should compress it, so you can make it through my email system. I was unable to find it anywhere, including in the quarantined folder.
Oh sorry. I'll compress the file and resend it to you. Please advise;
1) will .zip work?
2) your email address

Thanks

Regards
 