Question

My site's index.php gets attacked twice a day & index.php is changed automatically with unreadable code.

Posted November 17, 2021 66 views
Tags: Linux Basics, Nginx, PHP, DigitalOcean, PostgreSQL

One of my sites, https://www.noobsplanet.com, is hacked twice a day; it seems like some malware or bot attack is being done. It's been almost a month now that I have been facing this issue daily. This site is actually a XenForo CMS, but the index.php gets changed to a WordPress index.php with some unreadable code. I have attached them below. I have to replace index.php every day to make it work. Please help me address this issue.
I have changed the password for root, DigitalOcean & also the CMS admin, but the issue is the same.
Thanks.

Original index.php
Hacked index.php


1 answer

Hello,

This sounds like a vulnerability in your CMS rather than a server vulnerability.

What I could suggest is checking your access logs and finding out what request is used to insert this malicious code into the index.php file.

What you could do is first check the time that the index.php file was modified (you can use ls -lah index.php to check that), and then in your access log, look for this specific time period.

Once you have the request that is responsible for the problem, you will be able to tell which part of your CMS is being exploited and patch it.

I am not very familiar with Xenforo itself but I would recommend making sure that you do the following:

  • Make sure that you are running the latest version of XenForo so that it includes all of the latest security patches
  • Update all of the plugins and themes that you have for XenForo
  • Remove all of the themes and plugins that you are not using

Let me know how it goes.
Regards,
Bobby
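The "note the mtime of index.php, then look at the access log for that time period" step above, as an added Python example that is not part of this thread or of XenForo: it assumes the nginx/Apache combined log format, and the sample log lines and the modification time are constructed for illustration, not taken from the poster's server.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Combined log format (assumption: the site's nginx uses the default combined format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # lines that do not match the format are skipped, not crashed on
    d = m.groupdict()
    d["time"] = datetime.strptime(d["ts"], TS_FMT)
    return d

def requests_near(log_lines, modified_at, window_minutes=5):
    """Requests whose timestamp lies within +/- window of the file's mtime, oldest first.
    This is the programmatic form of 'ls -lah index.php' followed by reading the log."""
    lo = modified_at - timedelta(minutes=window_minutes)
    hi = modified_at + timedelta(minutes=window_minutes)
    hits = [r for r in map(parse_line, log_lines) if r and lo <= r["time"] <= hi]
    return sorted(hits, key=lambda r: r["time"])

def suspicious(requests):
    """Writes (POST/PUT) to .php endpoints are the first candidates for the request that
    rewrote index.php; crawler GETs such as Googlebot/bingbot drop out automatically."""
    return [r for r in requests
            if r["method"] in ("POST", "PUT") and r["path"].split("?")[0].endswith(".php")]

def file_mtime(path):
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

# Constructed sample log lines; the assumed mtime of index.php is 10:31:07 UTC.
SAMPLE_LOG = [
    '66.249.66.1 - - [17/Nov/2021:10:02:13 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '203.0.113.7 - - [17/Nov/2021:10:29:51 +0000] "POST /wikindex.php?action=upload HTTP/1.1" 200 212 "-" "python-requests/2.26"',
    '203.0.113.7 - - [17/Nov/2021:10:30:58 +0000] "GET /index.php HTTP/1.1" 200 8801 "-" "python-requests/2.26"',
    '40.77.167.3 - - [17/Nov/2021:10:33:20 +0000] "GET /forums/ HTTP/1.1" 200 9001 "-" "bingbot/2.0"',
    'garbage line that does not match the format',
]
SAMPLE_MTIME = datetime(2021, 11, 17, 10, 31, 7, tzinfo=timezone.utc)

if __name__ == "__main__":
    for r in suspicious(requests_near(SAMPLE_LOG, SAMPLE_MTIME)):
        print(r["time"], r["ip"], r["method"], r["path"])
```

On a real server, replace SAMPLE_LOG with the lines of /var/log/nginx/access.log and SAMPLE_MTIME with file_mtime("/var/www/.../index.php").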

  • Thank you for your quick response @bobbyiliev. As suggested by you, I have noted the date of change for index.php and checked the access log, but there are only some Google and Bing bots in the log. For XenForo, as you mentioned, I have already upgraded it to the latest version & removed unused plugins. Also I have enabled two-factor authentication for myself. Also, now it seems like someone is trying a DoS attack, because I cannot access my site even after a server reboot. After the reboot it also shows 90+ CPU usage (98.0% in the attached screen text below).

    If I remember correctly, I executed this a few months before, like below. Was doing this vulnerable?

    ```bash
    chown -R www-data:www-data /var/www/
    chmod -R 755 /var/www/
    ```

    ```text
     1377 www-data  20   0  304588  38076  33896 R  98.0   1.9   4:45.08 php-fpm7.4
       10 root      20   0       0      0      0 R   0.3   0.0   0:00.85 ksoftirqd/0
     2155 root      20   0 1024.6g  93816      0 S   0.3   4.6   0:04.37 graphql-engine
        1 root      20   0  104260   8940   6180 S   0.0
    ```
    
  • Today some different POST requests were found in access.log, please check [this](https://pastebin.com/fHiLN2Hp); now this might address the issue.

    • Hello,

      As far as I can see there are some suspicious requests going to the wikindex.php file. I would recommend reviewing the code and possibly patching it, or if it is part of an extension, it would be a good idea to report it to the extension developers.

      I also came across this discussion here:

      https://xenforo.com/community/threads/someone-hacked-my-forum.175219/page-2

      People are suggesting that you should not install any extensions that are not from reliable sources, and they recommend doing research on the developer or add-ons before you add them to your site.

      Let me know how it goes.