Server Admin Advice / Security

miles · 2018-05-12 08:12:49

Hello TXP Community

Turning to you guys for advice as I know you will be able to help.

I have been using TXP for over 10 years now and I am pretty sure I wouldn’t have a website design business without it, especially if I was using Wordpress…

I recently as a agency we have taken on a few wordpress sites on our server which about a month ago got compromised and effected our whole server, injecting malware into TXP files and causing the sites to redirect to all sorts of interesting websites.

We have now moved all the wordpress, drupal, opencast sites to their own server and kept all the TXP sites separate. However it seems like we haven’t completely got rid of the virus as the index.php keeps getting edited.

My questions are:

A: Does anyone know of any good server admin companies that will help deal with hackings and help clean the server completely?

B: How can I improve the security of TXP further? Has anyone known of these issue before?

Sorry this is all new to me as I have never had this trouble before and it’s costed me so dearly in time over the last few months.

Thank you

jakob · 2018-05-12 10:36:25

Perhaps smd_prognostics can help you detect modifications to TXP files. I’m not sure what the state of play is with the most recent versions of Textpattern but it can notify you when Textpattern files have been modified.

Otherwise you should check all the usual candidates like:

resetting ftp passwords and ssh connections
resetting db passwords
Tighten too-lax file/folder permissions
Check for any hidden folders or files
Check all non-txp files for files and other files like config.php that may not be found by smd_prognostics or files that are smuggled into sub-directories somewhere.

If I look at the server logs there are ton of attempts to reach wordpress login pages and plugins, so I think it’s pretty commonplace.

Greetings to your lovely corner of the world. I spent several summers in my childhood in Cawsand/Kingsand and many a sunny afternoon on Whitsand Bay.

Bloke · 2018-05-12 13:58:42

Sorry to hear about the state of your server. It’s not a nice situation to be in.

One thing to watch is PHP files hidden in your /images directory. I’ve seen that before. The file even had a .jpg extension but could be run as the PHP script it was by using another script as a launchpad.

So once you’ve taken a backup and cleaned up your Textpattern installation (replace everything with a clean copy if you can) and removed all files/directories that are not part of the base installation, just comb your /files and /images directories for files that look suspicious – e.g. odd datestamps or filenames. Check each image is one that you’ve uploaded.

Finally, change all your passwords on the server.

One addendum to what jakob says about smd_prognostics: it’s only of use once you know you have a clean site – a “known good” baseline. So when your hosting area is cleaned up, by all means let the plugin take a snapshot of this state and then it’ll dutifully tell you if anything changes.

ax · 2018-05-12 15:41:39

One thing that you could check is the file permissions. It happened to me once that another user on the same shared server could overwrite my files because of global write ‘777’ directories. You can check if this is the case by using this shell command:

find . -perm 777 -type d | grep -v "/logs/" | head -50

If there are any ‘777’ directories, they will be listed. If not, then no output.

miles · 2018-05-15 17:40:43

Bloke wrote #311717:

Sorry to hear about the state of your server. It’s not a nice situation to be in.

One thing to watch is PHP files hidden in your /images directory. I’ve seen that before. The file even had a .jpg extension but could be run as the PHP script it was by using another script as a launchpad.

So once you’ve taken a backup and cleaned up your Textpattern installation (replace everything with a clean copy if you can) and removed all files/directories that are not part of the base installation, just comb your /files and /images directories for files that look suspicious – e.g. odd datestamps or filenames. Check each image is one that you’ve uploaded.

Finally, change all your passwords on the server.

One addendum to what jakob says about smd_prognostics: it’s only of use once you know you have a clean site – a “known good” baseline. So when your hosting area is cleaned up, by all means let the plugin take a snapshot of this state and then it’ll dutifully tell you if anything changes.

Thank you all so for much for your advice. Its been like constantly putting out a fire for the last few weeks however I feel I have a good hold on it now. Your advice about the files being disguised really helped Stef… my server was injected with “.ico” files the following command got rid of them:

find . -type f -name “*.ico”

ax wrote #311718:

One thing that you could check is the file permissions. It happened to me once that another user on the same shared server could overwrite my files because of global write ‘777’ directories. You can check if this is the case by using this shell command:

find . -perm 777 -type d | grep -v "/logs/" | head -50...

If there are any ‘777’ directories, they will be listed. If not, then no output.

Than you for this advice too, I think thats helped tighten the server further

jakob wrote #311714:

Perhaps smd_prognostics can help you detect modifications to TXP files. I’m not sure what the state of play is with the most recent versions of Textpattern but it can notify you when Textpattern files have been modified.

Otherwise you should check all the usual candidates like:

resetting ftp passwords and ssh connections

resetting db passwords

Tighten too-lax file/folder permissions

Check for any hidden folders or files

Check all non-txp files for files and other files like config.php that may not be found by smd_prognostics or files that are smuggled into sub-directories somewhere.

If I look at the server logs there are ton of attempts to reach wordpress login pages and plugins, so I think it’s pretty commonplace.

Greetings to your lovely corner of the world. I spent several summers in my childhood in Cawsand/Kingsand and many a sunny afternoon on Whitsand Bay.

Great plugin, going to spend sometime putting this on all the sites! Thank you

PS. Love Whitsand too, my favourite beach.

Last edited by miles (2018-05-15 17:41:42)

miles · 2018-05-15 17:53:00

I just want to add that I honestly don’t think I would have business without Textpattern, I don’t know how companies cope with the constant updates and security of Wordpress.

What makes Textpattern so secure?

gaekwad · 2018-05-15 18:51:02

Hey miles – greetings from about an hour north west of you!

If the server is compromised, it’s compromised. Nuke and repave. Find a new web hosting company if you need to. You can strip out the assets, user images, user files, and the database…then you’ve got a mostly-portable site you can take elsewhere with a known-good copy of Textpattern.

Take a copy of the site itself, strip out the big stuff that won’t be infected (images, etc), zip it up, and upload the zip to VirusTotal – see what crud it finds.

What makes Textpattern so secure?

It’s made by wizards.

Last edited by gaekwad (2018-05-15 19:16:16)

Algaris · 2018-05-16 07:32:57

If you’re still looking for a company to help clean up your server/sites you could try Wordfence They primarily deal with WordPress but should be able to help clean up the server any malicious code.

miles · 2018-05-19 07:29:04

gaekwad wrote #311788:

Hey miles – greetings from about an hour north west of you!

If the server is compromised, it’s compromised. Nuke and repave. Find a new web hosting company if you need to. You can strip out the assets, user images, user files, and the database…then you’ve got a mostly-portable site you can take elsewhere with a known-good copy of Textpattern.

Take a copy of the site itself, strip out the big stuff that won’t be infected (images, etc), zip it up, and upload the zip to VirusTotal – see what crud it finds.

It’s made by wizards.

Thank you mate, probably the most honest answer and that’s probably what I’m going to do and move servers. Am I missing something with VirusTotal though? It seems to only tell you what virus it is and not where?

gaekwad · 2018-05-19 19:32:18

miles wrote #311885:

Thank you mate, probably the most honest answer and that’s probably what I’m going to do and move servers. Am I missing something with VirusTotal though? It seems to only tell you what virus it is and not where?

You are correct. It’s a useful tool for find something in a .zip file, especially since it uses 50+ engines to find things. If you do locate something, carve up the big .zip into smaller .zips and then rescan each one. Repeat the process until you’re dealing with a much small file set than ‘everything’ and you can use some diff’ing to see what should be there with what is actually there.

I’ve sort of gravitated towards web ops in the past few years and I build servers on the proviso that they are sacrificial. The data inside it is as portable as it can be, and appropriately backed up, so that if a bad thing happens I can grab the stuff, restore the backups and have a new server built from scratch in under an hour.

(Drop me a line if you want to talk about this further – it’s a commercial offering if you’re interested.)

miles · 2018-05-20 17:26:16

gaekwad wrote #311901:

You are correct. It’s a useful tool for find something in a .zip file, especially since it uses 50+ engines to find things. If you do locate something, carve up the big .zip into smaller .zips and then rescan each one. Repeat the process until you’re dealing with a much small file set than ‘everything’ and you can use some diff’ing to see what should be there with what is actually there.

I’ve sort of gravitated towards web ops in the past few years and I build servers on the proviso that they are sacrificial. The data inside it is as portable as it can be, and appropriately backed up, so that if a bad thing happens I can grab the stuff, restore the backups and have a new server built from scratch in under an hour.

(Drop me a line if you want to talk about this further – it’s a commercial offering if you’re interested.)

Thank you mate. PM’d you

Textpattern CMS

Textpattern CMS support forum

#1 2018-05-12 08:12:49