command line to search files with string and save output to file



satimis

Member
Credits
557
Hi KGIII,

While waiting for your reply, today all my websites were attacked by a suspected malware, th3_alpha.php, resulting in some of them not working and being unable to browse on the Internet. This suspected malware works in the same way as lock360.php before, creating malicious .htaccess everywhere with similar content:
Code:
Deny from all

Finally I had to run the following command lines on the cPanel Terminal of my hosting company to find it and delete it:
Code:
# find ./ -type f -name "th3_alpha.php"

# find ./ -type f -name "th3_alpha.php" >> /tmp/th3_alpha.txt

# find ./ -type f -name "th3_alpha.php" -delete

This suspected malware works the same way as lock360.php, creating malicious .htaccess on most of the folders under /public_html/, including installed plugins.

I have Wordfence and WP Cerber installed and running on all my websites, but they couldn't filter it. It is very strange to me. How can it get into my /public_html/?

Regards
 

KGIII

Super Moderator
Staff member
Gold Supporter
Credits
25,737
I went over the file you sent me and found it to be encoded - but not base64, except it claimed to be base64. So, I can't really be sure what it's doing.

What I would do in your position is delete everything first - as in everything. Leave nothing behind and then restore from clean backups with changed passwords for the database and FTP/cPanel. Then, if it's working, I'd install software to secure the site immediately after.

Leave not a single file on the server. Delete them all before restoring.
 

captain-sensible

Well-Known Member
Credits
14,057
If you want to start a new thread, possibly in "Off Topic", entitled maybe "Linux tools for White Hat testing of webs", obviously that would then be able to include discussion of W.P; then (with care) some of the vulnerabilities can be discussed. Specific code, which I see no point in perpetuating hacking techniques with, could be restricted using this site's direct email system, so as to hide it from the public.
Users who just joined and obviously haven't got a clue could be excluded.


But for instance I could log in to your site and poke around; or things can be done from a URL using simple "GET" requests. functions.php is often a target.

I've got WordPress 5.8 running on localhost, and for instance some of the tables where W.P stores things include "wp_users". When I run from the command line
Code:
select * from wp_users
I can see one of the admin login user names, not even encrypted. I also know the way that I could get W.P to give me that login name using a tool, if the site does not have the right plugins in place, just using the URL for the site.



The password for that user in the database IS encrypted, but that means nothing since hackers just use password lists. That's an example of what could be discussed, and then on the +ve steps that could be undertaken to stop attacks.
 
Last edited:

satimis

Member
Credits
557
I solved the problem by running the following commands on the cPanel Terminal of the hosting company:
Code:
# find ./ -type f -name "lock360.php" -delete

# find ./ -type f -name "th3_alpha.php" -delete

# find /public_html/website_folder/ -name ".htaccess" -delete

Now the problematic websites are working again without problems.

I won't restore their backups, worrying that they are contaminated. I have cloned sites of all my websites running on a local network and they are not open to the public. I would delete the problematic website and clone the local sites to the server of my hosting company. I have done that before without problems.

Regards
 
Last edited:
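As an added example (not commands from the thread), a POSIX shell script that turns the one-off find/-delete runs in the two posts above into a report-first cleanup: matching dropper names and any .htaccess containing the "Deny from all" line are written to a report file, and hits are moved into a quarantine directory rather than deleted, so a legitimate .htaccess flagged by mistake can be restored. The document root, report path and dropper names are assumptions.

```shell
#!/bin/sh
# Added example, not a command from the thread. Scan a web root for the
# indicators described above, save the findings to a file, and quarantine
# instead of delete. DOCROOT, REPORT, QDIR and the dropper names are
# assumptions; adjust them for the real site.
set -u

# scan_webroot DOCROOT REPORT NAME...: list files whose name matches one of
# NAME... (e.g. th3_alpha.php lock360.php) and every .htaccess containing the
# "Deny from all" line. Each hit is one "kind<TAB>path" line, appended to
# REPORT and echoed to stdout.
scan_webroot() {
    docroot=$1
    report=$2
    shift 2
    tab=$(printf '\t')
    : > "$report"
    for name in "$@"; do
        find "$docroot" -type f -name "$name" \
            | sed "s/^/dropper${tab}/" >> "$report"
    done
    # grep -l prints each matching file once; -F keeps the pattern literal
    find "$docroot" -type f -name '.htaccess' \
        -exec grep -lF 'Deny from all' {} + 2>/dev/null \
        | sed "s/^/htaccess${tab}/" >> "$report"
    cat "$report"
}

# quarantine_hits REPORT QDIR DOCROOT: move every path listed in REPORT into
# QDIR, keeping its path relative to DOCROOT. Prints the number of files moved.
quarantine_hits() {
    report=$1
    qdir=$2
    docroot=$3
    n=0
    while IFS="$(printf '\t')" read -r kind path; do
        rel=${path#"$docroot"/}
        mkdir -p "$qdir/$(dirname "$rel")"
        mv "$path" "$qdir/$rel" && n=$((n + 1))
    done < "$report"
    echo "$n"
}
```

Review the report before quarantining: a plugin may legitimately ship a "Deny from all" .htaccess to block direct access to its own directory.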

satimis

Member
Credits
557
Hi captain-sensible,

Thanks for your detailed explanation.

My websites have been attacked 3 times ever since I started using the hosting service of my current hosting company, about 3 months ago. I had been using the service of my previous hosting company for more than 10 years without a single attack. What made me change the hosting company is NOT cost. It is because my old hosting company is not knowledgeable about WordPress websites, and all my >40 websites are WordPress sites. I took a long time considering this change; it was NOT abrupt.

I think this was my WRONG decision.

Regards
 

captain-sensible

Well-Known Member
Credits
14,057
@satimis

I'm on shared hosting; it's a Brazilian company and I have been with them for quite some time. There are downsides sometimes, like language, but they have been much more reliable than, say, A2 Hosting. The only problems I ever had were when I was using WordPress for my webs; in the cPanel there are statistics for my information. In one case I exceeded my bandwidth quota. I said to them, how can that happen; my web isn't doing that much traffic. Their answer was "people just love to hack WordPress sites, so probably it was someone trying to hack your site. Either that or some web bot".

Also they explained to me that if a web on shared hosting has security vulnerabilities then it has implications for the other users on the shared hosting.

All of my webs are now using CodeIgniter4 with a CMS system I wrote on top of it.
I've had zero problems so far.

The issue really is if you're selling something, so for that I have to admit it's hard to beat WordPress and WooCommerce etc. plugins. I did actually integrate the PayPal system into a web, but I'm not even sure now how I coded the other elements of putting items picked by the user into "session" and all that stuff before the PayPal REST API gets involved.

As I say, there are things that can be done... but that's another thread maybe.
 
Last edited:

satimis

Member
Credits
557
Hi captain-sensible,

All my websites are NOT for business. They are used for sharing information amongst friends and acquaintances. All my websites are WordPress sites.

The strangest thing that shocked me is that some of my websites had been running at my previous hosting company for more than ten (10) years without a single attack on the Internet. After changing the hosting company, 3 months ago, 3 of my websites were attacked and I was unable to log in. After that all my websites were constantly attacked by malware.

What caused me to make this change of hosting company is NOT cost. It was because my then hosting company was not experienced with WordPress websites.

Regards
 