• I have had a reseller package with Bluehost for the past 11 years. They stopped selling reseller packages about a decade ago, so I know the server I am on is from 2009. Very outdated. On Dec 9, several sites in my WHM got hacked. I’ve gone through a long checklist of all the things to do such as change passwords, 2FA, even changed computers.
    This one site in particular I recently did the following:

    1. Deleted all FTP accounts, MySQL databases, all files, deleted extra records they added to the domain, everything, so basically starting from scratch with cPanel and the server.

    2. Installed a fresh copy of WordPress and a maintenance mode plugin, Malcare, and Wordfence.

    Sure enough, it took about 48 hours for it to be hacked again. The files they are adding are as follows:
    robots.txt
    simple.php
    chosen.php
    .htaccess (modified)
    groupon.php
    sample.php
    .user.ini
    index.php (modified)
    network.php

    They also got other accounts in my WHM. If I moved to an entirely new server would that get rid of it? I could really use some help or even a point in the right direction if you know the name of this hack. One person told me it might be the Japanese Keyword Hack.

    The page I need help with: [log in to see the link]

Viewing 5 replies - 1 through 5 (of 5 total)
  • Are the other sites on your WHM server running WordPress too? If at least one isn’t then it’s 100% a server problem, probably due to an out-dated WHM version. As you said, this server is most likely old, so it won’t get updates.

    The best place to start is to ask your hosting company about this and see what their take is. Moving to a new server might help, but only if that server has up-to-date software and doesn’t have the same vulnerabilities that the current one does. Again, you’d need to talk to your hosting company about this.

    Thread Starter viralinnature

    (@viralinnature)

    Yes. Some are Joomla. I’ve spent many hours on the phone with them. Their attitude to a customer who has been with them for over a decade is
    “this is an old server we are selling you. Would you like to upgrade to a virtual server for 4 times the price?”

    This is their operating system:
    OS CentOS v7.9.2009 STANDARD kvm
    cPanel Version 110.0.50

    Thread Starter viralinnature

    (@viralinnature)

    I just looked up their operating system:
    CentOS 7.9.2009 was released 10 years ago, in July 2014. CentOS 7 reached the end of its life on June 30, 2024. This means that the CentOS project will no longer provide updates or security patches for CentOS 7.

    Explanation

    • CentOS 7 is no longer supported, which means that systems running it are at risk of cyberattacks and data leaks. 
    • Red Hat announced that CentOS 7 will be discontinued in 2024 to focus on Red Hat Enterprise Linux development. 
    • CentOS Stream 9 is one possible migration path from CentOS 7. 

    Then you have your answer.

    Either upgrade to a new server with them, or move to a newer and more secure server somewhere else. There is really nothing else that can be done.

    (note: please don’t ask for recommendations here… the mods tend to frown upon that discussion)

    magefix

    (@magefix)

    Hello, I recently fixed a server with the same issue & wrote about it. Most likely, the server setup is not properly configured. If the “chosen.php” file keeps coming back, the attackers may’ve triggered PHP scripts in the background.

    Before anything else, I recommend that you follow these steps:

    1. Disable each website by renaming public_html folder and, if malware returns under the empty public_html folder, suspend the accounts
    2. Check the Security Advisor under WHM, see if you have control there. It’s important to switch to mod_ruid2, and disable the shell access for each user
    3. Keep only PHP ver. 7.4 and PHP 8.1 and make sure the following PHP functions are disabled proc_open, exec, shell_exec, system, passthru, popen
    4. Change the cPanel password for each account & disable the FTP accounts

    I think it’s important to take things back under control until the malicious activity stops. Then, gradually, you can perform cleanup for each website.
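As an added example (not code from either poster in this thread), here is a small Python audit script that puts two of the checks above into practice: it walks a docroot looking for the file names the original poster listed as dropped, flags the legitimately-present files (`.htaccess`, `.user.ini`, `index.php`, `robots.txt`) for review when they contain markers that do not belong in a stock install, and compares a `php.ini` `disable_functions` line against the six functions magefix recommends disabling. The sample directory tree, the `php.ini` excerpt and the review markers are constructed assumptions for the demonstration; run it against a real `public_html` and the server’s actual `php.ini` instead.

```python
import os
import tempfile

# File names the original poster reported being dropped into the docroot.
DROPPED_FILES = {"simple.php", "chosen.php", "groupon.php", "sample.php", "network.php"}
# Files that exist legitimately but were reported as modified; inspect their contents.
MODIFIED_FILES = {".htaccess", ".user.ini", "index.php", "robots.txt"}
# PHP functions magefix recommends disabling server-wide.
REQUIRED_DISABLED = {"proc_open", "exec", "shell_exec", "system", "passthru", "popen"}
# Assumption: any of these strings in a core/config file warrants a manual look.
REVIEW_MARKERS = ("eval(", "base64_decode(", "auto_prepend_file")


def parse_disable_functions(ini_text):
    """Return the set of function names on a php.ini 'disable_functions' line."""
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip ini comments
        if line.lower().startswith("disable_functions"):
            _, _, value = line.partition("=")
            return {f.strip() for f in value.split(",") if f.strip()}
    return set()


def missing_disabled_functions(ini_text):
    """Which of the recommended functions are still enabled in this php.ini?"""
    return REQUIRED_DISABLED - parse_disable_functions(ini_text)


def scan_public_html(root):
    """Walk a docroot; report dropped indicator files and files needing review."""
    findings = {"dropped": [], "review": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name in DROPPED_FILES:
                findings["dropped"].append(rel)
            elif name in MODIFIED_FILES:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    body = fh.read()
                hits = [m for m in REVIEW_MARKERS if m in body]
                if hits:
                    findings["review"].append((rel, hits))
    findings["dropped"].sort()
    findings["review"].sort()
    return findings


def build_sample_tree():
    """Constructed docroot for the demo; contents are placeholders, not real malware."""
    root = tempfile.mkdtemp(prefix="public_html_")
    files = {
        "index.php": "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
        "wp-blog-header.php": "<?php\n// stock file\n",
        "robots.txt": "User-agent: *\nDisallow: /wp-admin/\n",
        ".htaccess": "RewriteEngine On\n",
        "wp-content/uploads/chosen.php": "<?php /* constructed placeholder */\n",
        "wp-includes/.user.ini": "auto_prepend_file = placeholder.php\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


# Constructed php.ini excerpt: only three of the six functions are disabled.
SAMPLE_PHP_INI = "; constructed excerpt\ndisable_functions = exec,system,passthru\n"

if __name__ == "__main__":
    docroot = build_sample_tree()
    print(scan_public_html(docroot))
    print("still enabled:", sorted(missing_disabled_functions(SAMPLE_PHP_INI)))
```

The name-based check only catches the files this thread already knows about, so treat an empty `dropped` list as "nothing familiar", not as "clean"; the `review` list and the `disable_functions` gap are the parts worth acting on first, since a per-directory `.user.ini` and re-enabled process functions are what let dropped files keep coming back.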
