Can not delete or edit file.

July 23, 2019 845 views
Apache Applications CMS WordPress

Hello,
I am working on a hacked WordPress site,
and I have seen a lot of malicious content inside.
I have deleted most of those files except one.
I cannot delete that root file index.php or even edit it.
I cannot change the file permission either.
Changing the file permission brings back the previous permission.

What should I do?

Thank you

5 Answers

Hello,

Probably the file is immutable.

You could check that by running this command:

lsattr

If you see an i tag in the attributes, then you could run the following to remove the immutable tag:

chattr -i index.php

Then you should be able to delete the file.

Hope that this helps!
Bobby

  • Hello Bobby
    Thank you for your reply.
    I have checked that and got the following.

    ~/html$ lsattr
    -------------e-- ./php.ini
    -------------e-- ./wp-links-opml.php
    ----------I--e-- ./wp-includes
    -------------e-- ./wordpress
    -------------e-- ./wp-trackback.php
    -------------e-- ./wp-content
    -------------e-- ./wp-load.php
    -------------e-- ./wp-config-sample.php
    -------------e-- ./license.txt
    -------------e-- ./index.html.orig
    -------------e-- ./wp-blog-header.php
    -------------e-- ./wp-signup.php
    -------------e-- ./xmlrpc.php
    -------------e-- ./wp-comments-post.php
    -------------e-- ./robots.txt
    -------------e-- ./index.php
    lsattr: Permission denied While reading flags on ./wp-config.php
    -------------e-- ./wp-login.php
    -------------e-- ./wp-admin
    -------------e-- ./wp-mail.php
    -------------e-- ./wp-cron.php
    -------------e-- ./wordfence-waf.php
    -------------e-- ./wp-settings.php
    -------------e-- ./wp-activate.php
    -------------e-- ./readme.html
    -------------e-- ./latest.zip
    
    

    What should I do?

    • Hello,

      The attributes on the index.php file look fine.

      Are you running the commands as root or with sudo? Can you run sudo ls -lah in that directory and provide me with the output?

      Regards,
      Bobby

      • Thank you.
        I am running with sudo,
        and here is the result of the ls -lah:

        drwxr-xr-x  9 www-data www-data 132K Jul 23 02:58 .
        drwxr-xr-x  3 www-data www-data 4.0K Oct 19  2016 ..
        -r--r--r--  1 www-data www-data  727 Jun 18  2018 .htaccess
        -rw-r--r--  1 root     root     1.0K Jul 23 02:58 ..htaccess.swp
        -rwxr-xr-x  1 www-data www-data 1.3K Oct 19  2016 index.html.orig
        -r--r--r--  1 www-data www-data 114K Jun 17  2018 index.php
        -rw-r--r--  1 www-data www-data  12M May 21 11:26 latest.zip
        -rwxr-xr-x  1 www-data www-data  20K Jun 19 10:15 license.txt
        -rw-r--r--  1 www-data www-data   38 Jul 19 02:30 php.ini
        drwxr-sr-x  2 www-data www-data 4.0K Apr 23 10:53 .quarantine
        -rwxr-xr-x  1 www-data www-data 7.3K Jun 19 10:15 readme.html
        -r--r--r--  1 www-data www-data 111K May 28  2018 robots.txt
        drwxr-sr-x  3 root     www-data 4.0K Sep 27  2018 .sucuriquarantine
        drwxrwxrwx  2 www-data www-data  12K Jul 22 12:32 .tmb
        -rw-r--r--  1 www-data www-data  343 Jul 22 13:37 wordfence-waf.php
        drwxr-xr-x  5 www-data www-data 4.0K Jul 19 02:14 wordpress
        -rwxr-xr-x  1 www-data www-data 6.8K Jun 18 00:33 wp-activate.php
        drwxr-xr-x 10 www-data www-data 4.0K Jun 18 00:33 wp-admin
        -rwxr-xr-x  1 www-data www-data  369 Jun 18 00:33 wp-blog-header.php
        -rwxr-xr-x  1 www-data www-data 2.3K Jun 18 00:33 wp-comments-post.php
        -rw-------  1 www-data www-data 3.3K Jul 20 10:11 wp-config.php
        -rwxr-xr-x  1 www-data www-data 2.9K Jun 18 00:33 wp-config-sample.php
        drwxr-xr-x 13 www-data www-data 4.0K Jul 23 06:12 wp-content
        -rwxr-xr-x  1 www-data www-data 3.8K Jun 18 00:33 wp-cron.php
        drwxr-xr-x 20 www-data www-data  12K Jun 18 00:34 wp-includes
        -rwxr-xr-x  1 www-data www-data 2.5K Jun 18 00:33 wp-links-opml.php
        -rwxr-xr-x  1 www-data www-data 3.3K Jun 18 00:33 wp-load.php
        -rwxr-xr-x  1 www-data www-data  39K Jun 19 10:15 wp-login.php
        -rwxr-xr-x  1 www-data www-data 8.3K Jun 18 00:33 wp-mail.php
        -rwxr-xr-x  1 www-data www-data  19K Jun 18 00:33 wp-settings.php
        -rwxr-xr-x  1 www-data www-data  31K Jun 18 00:33 wp-signup.php
        -rwxr-xr-x  1 www-data www-data 4.7K Jun 18 00:33 wp-trackback.php
        -rwxr-xr-x  1 www-data www-data 3.0K Jun 18 00:33 xmlrpc.php
        
        
        • Hello,

          It looks like your index.php file currently has read-only permissions; note the -r--r--r-- part at the beginning of the line.

          To change that run:

          chmod u+w index.php
          

          This would give write permissions to the owner of the file and you should be able to edit it as normal.

          Let me know how it goes!
          Bobby

          • Hello Bobby,
            I was able to change the file permission to rw-r-r, but when I make changes to it, it does not apply any changes and goes back to the previous permission rule, that is r-r-r.
            The file cannot be overwritten.
            What should I do?

          • Hello,

            This could be due to a few things:

            • Check if there are any cronjobs set up that could be changing the permissions
            • If you have a security plugin like Wordfence, check that your security plugin is not making those changes
            • Maybe there is a backdoor that allows the attacker to trigger some commands externally - make sure to add a deny from all rule in your .htaccess file while you are cleaning the site

            Let me know how it goes!
            Bobby

Thank you @bobbyiliev
I have checked the cronjob, but found nothing.
Wordfence works fine, except for removing the bad code from that index.php file.
I have changed the .htaccess file, but after the update it is rewritten again automatically and the following line is added.

#----------------------------------------------------------------------
# Rewrite from HTTP to HTTPS - if you want to use it, comment it out
# ----------------------------------------------------------------------
#<IfModule mod_rewrite.c>
#RewriteEngine On
#RewriteCond %{HTTPS} !=on
#RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteRule ^(.*)\/(benzylpenicillin)\/([0-9]+)_([0-9]+)\/(.*)$ ?benzylpenicillin$4=$3&%{QUERY_STRING}[L]
#</IfModule>

How is this happening automatically?
  • It must be one of your plugins. I could suggest trying to disable them one by one and see which one is causing it. But it is most likely Wordfence, so just try deleting it as a test and then change the index.php file permissions again.

    Also have you tried deleting the index.php file and uploading a clean version of the file?

    • I tried all the ways.
      Disabled all the plugins and tried to rename that index.php folder or edit the folder. Nothing happens. That index.php file cannot be changed.
      RewriteRule ^(.*)\/(benzylpenicillin)\/([0-9]+)_([0-9]+)\/(.*)$ ?benzylpenicillin$4=$3&%{QUERY_STRING}[L]
      Check this line: the hacker somehow added some script somewhere that triggers not rewriting or deleting that index.php file.
      And also that hidden script adds the line of code automatically into the .htaccess file whenever I try to make any changes to that .htaccess file.
      How can I find it?

      • Try grepping for that word:

        sudo grep -rli "benzylpenicillin" *
        

        And also try running a find for a file with that name:

        sudo find . -iname "*benzylpenicillin*"
        

        That way you should be able to locate the backdoor.

        Let me know how it goes!
        Bobby

        • Here is the result.

          name@wp:~$ sudo grep -rli "benzylpenicillin" *
          [sudo] password for name: 
          html/wp-content/aiowps_backups/.htaccess.backup
          html/.htaccess
          html/index.php
          name@wp:~$ sudo find . -iname "*benzylpenicillin*"
          name@wp:~$ 
          
          
          • Ok and what exactly is the output/error when you try to delete the files:

            sudo rm -f index.php .htaccess
            

            Regards,
            Bobby

@bobbyiliev the .htaccess file has now been deleted, but the index.php is still there.
And again the .htaccess comes back with the following rules.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
RewriteRule ^(.*)\/(benzylpenicillin)\/([0-9]+)_([0-9]+)\/(.*)$ ?benzylpenicillin$4=$3&%{QUERY_STRING}[L]
</IfModule>
  • Can you try running this command to check if the index file is being used by another process:

    lsof -f -- index.php
    

    You could paste the output here so I could advise you further.

    • Nothing returned.

      • Hello,

        Maybe then it is something to do with SELinux. To see what the SELinux context allows you to do, run

        ls -lZ . index.php
        

        Then just paste the output here.

        Also try running this:

        lsattr -d . index.php
        

        Maybe the directory that contains it has the append-only or immutable attributes.

        Regards,
        Bobby

        • Hello,
          thank you for your reply.
          Here is the output of those commands.

          name@wp:~/html$ ls -lZ . index.php
          -r--r--r-- 1 www-data www-data ? 115811 Jun 19  2018 index.php
          
          .:
          total 12268
          -rwxr-xr-x  1 www-data www-data ?     1324 Oct 19  2016 index.html.orig
          -r--r--r--  1 www-data www-data ?   115811 Jun 19  2018 index.php
          -rw-r--r--  1 www-data www-data ? 12119857 May 21 11:26 latest.zip
          -rwxr-xr-x  1 www-data www-data ?    19935 Jun 19 10:15 license.txt
          -rwxr-xr-x  1 www-data www-data ?     7447 Jun 19 10:15 readme.html
          -r--r--r--  1 www-data www-data ?   112914 May 28  2018 robots.txt
          -rwxr-xr-x  1 www-data www-data ?     6919 Jun 18 00:33 wp-activate.php
          drwxr-xr-x 10 www-data www-data ?     4096 Jun 18 00:33 wp-admin
          -rwxr-xr-x  1 www-data www-data ?      369 Jun 18 00:33 wp-blog-header.php
          -rwxr-xr-x  1 www-data www-data ?     2283 Jun 18 00:33 wp-comments-post.php
          -rw-r--r--  1 www-data www-data ?     3332 Jul 24 12:40 wp-config.php
          -rwxr-xr-x  1 www-data www-data ?     2898 Jun 18 00:33 wp-config-sample.php
          drwxr-xr-x 12 www-data www-data ?     4096 Jul 25 02:32 wp-content
          -rwxr-xr-x  1 www-data www-data ?     3847 Jun 18 00:33 wp-cron.php
          drwxr-xr-x 20 www-data www-data ?    12288 Jun 18 00:34 wp-includes
          -rwxr-xr-x  1 www-data www-data ?     2502 Jun 18 00:33 wp-links-opml.php
          -rwxr-xr-x  1 www-data www-data ?     3306 Jun 18 00:33 wp-load.php
          -rwxr-xr-x  1 www-data www-data ?    39551 Jun 19 10:15 wp-login.php
          -rwxr-xr-x  1 www-data www-data ?     8403 Jun 18 00:33 wp-mail.php
          -rwxr-xr-x  1 www-data www-data ?    18962 Jun 18 00:33 wp-settings.php
          -rwxr-xr-x  1 www-data www-data ?    31085 Jun 18 00:33 wp-signup.php
          -rwxr-xr-x  1 www-data www-data ?     4764 Jun 18 00:33 wp-trackback.php
          -rwxr-xr-x  1 www-data www-data ?     3068 Jun 18 00:33 xmlrpc.php
          name@wp:~/html$ 
          name@wp:~/html$ lsattr -d . index.php
          ----------I--e-- .
          -------------e-- index.php
          
          
          • That’s really strange. It all looks correct.

            Can you try running chmod 644 index.php
            And then rm -f index.php

            Does this give you an error? If you don’t get an error, maybe the file is being recreated right after it is deleted. If you get an error can you share it here?

@bobbyiliev Thank you. We didn’t get any error any time so it might be recreated after it is deleted. The .htaccess file can be deleted but is being recreated as a hidden file within 3 or 4 seconds.

  • I see, maybe there is a backdoor that is recreating the file. I would recommend the following:

    • Delete all of your Wordpress core files and upload clean ones
    • Delete all plugins and themes that are not being used
    • Try removing and installing clean versions of your plugins and theme

    As a test to check if the file is being created you can run this:

    rm -f index.php ; touch index.php; chmod 600 index.php ; ls -l index.php ; cat index.php
    

    This will delete the file, create a new one, set the permissions to 600 and then list the file and show its content. Then give it a minute or two and check the content again to see if the malicious code is back.

    Let me know how it goes.
    Regards,
    Bobby

    • Hello,
      Thank you for your reply.
      Here is the output of the command.

      https://gist.github.com/ehsanatwork/982f898f8121c824b4fd21504c15a74c

      And if I run the command with sudo, this is the output.

      sudo rm -f index.php ; touch index.php; chmod 600 index.php ; ls -l index.php ; cat index.php
      [sudo] password for name: 
      touch: cannot touch 'index.php': Permission denied
      chmod: cannot access 'index.php': No such file or directory
      ls: cannot access 'index.php': No such file or directory
      cat: index.php: No such file or directory
      

      The same thing happens again.

      • As far as I can see from the output, the file is actually being deleted but it is probably being recreated after that by another malicious file. As this seems really badly compromised I would suggest the following:

        • Create a database backup

        • Backup your /wp-content/uploads/ directory - make sure that there are no .php files. You can find that with this command: find wp-content/uploads -name "*.php"

        • Take note of every plugin you have installed (do not backup these files, as they are most likely compromised)

        • Delete everything

        • Reinstall Wordpress, import your database backup and then add your wp-content/uploads folder back

        Let me know how it goes!
        Bobby
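The two checks Bobby describes above, his delete-and-watch test for index.php and his grep/find search for the marker string and for .php files under wp-content/uploads, combined into one small triage script. This is an added example, not code from the thread or from DigitalOcean; it assumes a Linux host with POSIX sh, find, grep and sha256sum, and the document root path in the usage line is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread). Two defensive checks for the situation
# described above: does a deleted file come back, and how fast; and where are
# the usual hiding places for the script that brings it back.
# Assumes a Linux host with POSIX sh, find, grep and sha256sum.

# watch_recreate FILE TIMEOUT_SECONDS
# Delete FILE, then poll once per second until it reappears or TIMEOUT elapses.
# Returns 0 (and prints delay, mode and digest) if recreated, 1 if it stayed gone.
watch_recreate() {
    file=$1
    timeout=${2:-30}
    rm -f -- "$file" || return 2
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ -e "$file" ]; then
            printf 'recreated within %d s\n' "$((elapsed + 1))"
            ls -l -- "$file"
            command -v sha256sum >/dev/null && sha256sum -- "$file"
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    printf 'not recreated within %d s\n' "$timeout"
    return 1
}

# scan_markers DOCROOT MARKER
# Lists three groups of candidates: .php files under wp-content/uploads (a clean
# WordPress install has none), any file containing MARKER (here the string the
# injected RewriteRule uses), and .php files calling the obfuscation primitives
# that injected code commonly relies on. Every hit is for manual review.
scan_markers() {
    root=$1
    marker=$2
    printf '== .php files under wp-content/uploads ==\n'
    find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null
    printf '== files containing "%s" ==\n' "$marker"
    find "$root" -type f -exec grep -l -- "$marker" {} + 2>/dev/null
    printf '== .php files using eval/base64_decode/gzinflate/str_rot13 ==\n'
    find "$root" -type f -name '*.php' \
        -exec grep -lE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' {} + 2>/dev/null
    return 0
}

# Usage (placeholder path):  scan_markers /var/www/html benzylpenicillin
#                            watch_recreate /var/www/html/index.php 30
```

Run both as root (or with sudo) from outside the document root so that permission-denied errors, like the one lsattr printed on wp-config.php earlier in the thread, do not hide results.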
