Category Archives: php

10Feb/16

ntPHPselector :: Released v3.0.0 Beta

The new version of ntPHPselector is ready for CentOS 6 servers. It is not compatible with CentOS 7 servers. If you are using CentOS 6, you can update the plugin to the latest version with the following commands.

# Removed, since the new version has been released.

cd /usr/local/src
wget -N https://nixtree.com/download/free/ntphpselector_manage_beta.sh
sh ntphpselector_manage_beta.sh update

It will install the new version (5.6) and update the other installed versions to their latest releases. Make sure to run this inside screen: it takes time to complete, since it has to recompile/update all the PHP versions installed on the server.

13Dec/14

Detecting WordPress Outbound Bruteforce attack

We have heard a lot about WordPress inbound brute-force attacks. On checking, we can see that the inbound attack IPs may have cPanel installed and are actually generated from some other server which is infected.

Two days before, we got a message from a client of ours saying that the data center had informed them their server was infected and was generating attacks on other servers. Initially I was not able to get any details regarding the attack: no rogue process was running, nor did a scan give me any valid clue about it.

I was just checking the tcpdump output to see what data was being transferred from the server.

user@host ~ # tcpdump -A -i eth0 -s 1500 port not 22

While checking the results I could see something was going on: many wp-login.php requests were being sent out.

Sample tcpdump output (domain and hostnames changed)

v.G....pPOST /restaurants/wp-login.php HTTP/1.0^M
Host: domain.com^M
Content-Type: application/x-www-form-urlencoded^M
Content-Length: 30^M
^M
log=admin&pwd=minedoruksay2940
06:15:22.056294 IP host5.domain.com > host6.domain.com.48202: Flags [P.], seq 2779525802:2779527849, ack 2761432155, win 3216, options [nop,nop,TS val 166530731 ecr 1994475337], length 2047

I tried stopping Apache, MySQL and psa, and still some processes were running as the www-data user; the process looked something like the one below.

www-data 1258 10.8 1.5 18327 1268 ? Ssl Dec10 129:10 /usr/bin/host 

I took the lsof output for this process and found the culprit (the account responsible for this attack) 🙂 Thanks to the lsof command for giving me the exact location and scripts.

Relevant output from the lsof command

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
host 20636 username cwd DIR 9,2 4096 60874901 /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js
host 20636 username rtd DIR 9,2 4096 2 /
host 20636 username txt REG 9,2 120240 68160132 /usr/bin/host
host 20636 username DEL REG 9,2 60817452 /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/bruteforce.so
host 20636 username mem REG 9,2 22928 23855190 /lib/libnss_dns-2.11.3.so
host 20636 username mem REG 9,2 51728 23855282 /lib/libnss_files-2.11.3.so
host 20636 username mem REG 9,2 12582912 60827148 /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/.frsdfg
host 20636 username DEL REG 9,2 60817412 /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/libworker.so
cwd : /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js

The above lsof entries mean that the attack is being generated from this folder and that the scripts are located in this location.

/var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/bruteforce.so

/var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/.frsdfg

/var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/libworker.so

The above three files are the main hack files; bruteforce.so was no longer present on the server at that time. This script is removed soon after the attack is initiated.

To fix this, I removed the entire "js" folder and then killed all these processes. I also asked the client to remove the plugin. It is also good to remove the host binary (/usr/bin/host) if you can. If it is still there, they can come back with the attack and ruin the server's reputation within a few hours.
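The two checks that cracked this case, the outbound wp-login.php POSTs in the tcpdump capture and the lsof rows tying the host process to the plugin folder, can be scripted so they run over any capture or lsof dump. The following is an added example, not code from the original post; it runs over constructed samples modelled on the output shown above (same paths and pid), and the WEB_ROOTS tuple and all function names are assumptions chosen for this illustration.

```python
"""Added example, not from the original post: two triage checks for the
outbound wp-login.php brute-force case described above, run over
constructed samples that mimic the tcpdump -A and lsof output shown.
"""
import re
from collections import Counter

# Constructed sample of `tcpdump -A` text: three POSTs to wp-login.php
# (two to domain.com, one to example.org) and one GET that must be ignored.
# tcpdump -A prints non-printable payload bytes as dots, so request lines
# may carry junk in front of the method.
SAMPLE_TCPDUMP = """\
06:15:22.056294 IP host5.domain.com.48202 > host6.domain.com.80: Flags [P.], seq 1:2048, ack 1, win 3216, length 2047
v.G....pPOST /restaurants/wp-login.php HTTP/1.0
Host: domain.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

log=admin&pwd=minedoruksay2940
06:15:22.101133 IP host5.domain.com.48203 > www.example.org.80: Flags [P.], seq 1:200, ack 1, win 3216, length 199
..E.POST /wp-login.php HTTP/1.1
Host: example.org
Content-Length: 20

log=admin&pwd=123456
06:15:22.150002 IP host5.domain.com.48204 > host6.domain.com.80: Flags [P.], seq 1:60, ack 1, win 3216, length 59
GET /index.php HTTP/1.1
Host: domain.com

06:15:22.200411 IP host5.domain.com.48205 > host6.domain.com.80: Flags [P.], seq 1:300, ack 1, win 3216, length 299
.%..POST /blog/wp-login.php HTTP/1.0
Host: domain.com
"""

# Constructed lsof rows modelled on the post's output (same paths, pid 20636).
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
host 20636 username cwd DIR 9,2 4096 60874901 /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js
host 20636 username rtd DIR 9,2 4096 2 /
host 20636 username txt REG 9,2 120240 68160132 /usr/bin/host
host 20636 username DEL REG 9,2 60817452 /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/bruteforce.so
host 20636 username mem REG 9,2 22928 23855190 /lib/libnss_dns-2.11.3.so
host 20636 username mem REG 9,2 12582912 60827148 /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/.frsdfg
host 20636 username DEL REG 9,2 60817412 /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/libworker.so
"""

POST_RE = re.compile(r"POST\s+(\S*wp-login\.php)\s+HTTP/")
HOST_RE = re.compile(r"^Host:\s*(\S+)", re.IGNORECASE)

def outbound_wp_login_posts(capture):
    """Count wp-login.php POSTs per Host header in tcpdump -A text.

    A POST request line marks a pending login attempt; the next Host:
    header attributes it to a target. A POST with no Host header before
    the next request (truncated packet) is counted under a placeholder.
    """
    counts = Counter()
    pending = False
    for line in capture.splitlines():
        line = line.rstrip("\r")
        if POST_RE.search(line):
            if pending:
                counts["(no host header)"] += 1
            pending = True
            continue
        m = HOST_RE.match(line)
        if m and pending:
            counts[m.group(1).lower()] += 1
            pending = False
    if pending:
        counts["(no host header)"] += 1
    return counts

# Assumption: parents of the document roots on this box; adjust per server.
WEB_ROOTS = ("/var/www/", "/home/", "/srv/www/")

def suspicious_lsof_entries(lsof_text, web_roots=WEB_ROOTS):
    """Return (pid, fd, path, reason) for lsof rows tying a process to a web root.

    A daemon that chdirs into wp-content/plugins or maps code from there
    is already suspect; a DEL row (file unlinked after being mapped) is
    the classic sign of a payload hiding from on-disk scans.
    """
    hits = []
    for line in lsof_text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] == "COMMAND":
            continue
        pid, fd, path = parts[1], parts[3], parts[-1]  # NAME assumed to have no spaces
        if not path.startswith(tuple(web_roots)):
            continue
        if fd == "DEL":
            reason = "deleted file still mapped from web root"
        elif fd == "cwd":
            reason = "working directory inside web root"
        elif fd in ("mem", "txt"):
            reason = "code or data mapped from web root"
        else:
            continue
        hits.append((int(pid), fd, path, reason))
    return hits

if __name__ == "__main__":
    print("wp-login.php POSTs per target:", dict(outbound_wp_login_posts(SAMPLE_TCPDUMP)))
    for pid, fd, path, reason in suspicious_lsof_entries(SAMPLE_LSOF):
        print(f"pid {pid} {fd:<3} {reason}: {path}")
```

On a live box you would feed `outbound_wp_login_posts` the text of `tcpdump -A -i eth0 -s 1500 port not 22` and `suspicious_lsof_entries` the output of `lsof -p <pid>` (or `lsof -u www-data`); a high count of wp-login.php POSTs per target from a server that hosts no login form of its own, plus any DEL row under a document root, is the combination seen in this incident.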

06Aug/14

Multiple Versions of PHP in Plesk

By default, the latest version of Plesk ships with PHP 5.4. If you need an additional PHP version, you can install it separately, and those additional versions will then be available in the FastCGI and CGI handlers.

Installation steps for PHP 5.2.17

# cd /usr/local/src
# wget http://museum.php.net/php5/php-5.2.17.tar.gz
# tar -zxvf php-5.2.17.tar.gz
# cd php-5.2.17
# ./configure --with-libdir=lib64 --cache-file=./config.cache --prefix=/usr/local/php-5.2.17 --with-config-file-path=/usr/local/php-5.2.17/etc --disable-debug --with-pic --disable-rpath --with-bz2 --with-curl --with-freetype-dir=/usr/local/php-5.2.17 --with-png-dir=/usr/local/php-5.2.17 --enable-gd-native-ttf --without-gdbm --with-gettext --with-gmp --with-iconv --with-jpeg-dir=/usr/local/php-5.2.17 --with-openssl --with-pspell --with-pcre-regex --with-zlib --enable-exif --enable-ftp --enable-sockets --enable-sysvsem --enable-sysvshm --enable-sysvmsg --enable-wddx --with-kerberos --with-unixODBC=/usr --enable-shmop --enable-calendar --with-libxml-dir=/usr/local/php-5.2.17 --enable-pcntl --with-imap --with-imap-ssl --enable-mbstring --enable-mbregex --with-gd --enable-bcmath --with-xmlrpc --with-ldap --with-ldap-sasl --with-mysql=/usr --with-mysqli --with-snmp --enable-soap --with-xsl --enable-xmlreader --enable-xmlwriter --enable-pdo --with-pdo-mysql --with-pdo-pgsql --with-pear=/usr/local/php-5.2.17/pear --with-mcrypt --without-pdo-sqlite --with-config-file-scan-dir=/usr/local/php-5.2.17/php.d --enable-fastcgi
# make 
# make install

There may be errors while compiling; adjust the configure options as needed for your server.

# cp /usr/local/src/php-5.2.17/php.ini-recommended /usr/local/php-5.2.17/etc/php.ini

Make the necessary changes in php.ini, such as the timezone setting and the memory limit.

In order to register this PHP version in Plesk, use the command below.

# /usr/local/psa/bin/php_handler --add -displayname "PHP 5.2.17" -path /usr/local/php-5.2.17/bin/php-cgi -phpini /usr/local/php-5.2.17/etc/php.ini -type fastcgi -id "fastcgi-5.2.17"

You will get a message like "The new PHP handler with the id "fastcgi-5.2.17" was successfully registered".

Installation steps for PHP 5.3.28

# cd /usr/local/src
# wget http://in1.php.net/distributions/php-5.3.28.tar.gz
# tar -zxvf php-5.3.28.tar.gz
# cd php-5.3.28
# ./configure --with-libdir=lib64 --cache-file=./config.cache --prefix=/usr/local/php-5.3.28 --with-config-file-path=/usr/local/php-5.3.28/etc --disable-debug --with-pic --disable-rpath --with-bz2 --with-curl --with-freetype-dir=/usr/local/php-5.3.28 --with-png-dir=/usr/local/php-5.3.28 --enable-gd-native-ttf --without-gdbm --with-gettext --with-gmp --with-iconv --with-jpeg-dir=/usr/local/php-5.3.28 --with-openssl --with-pspell --with-pcre-regex --with-zlib --enable-exif --enable-ftp --enable-sockets --enable-sysvsem --enable-sysvshm --enable-sysvmsg --enable-wddx --with-kerberos --with-unixODBC=/usr --enable-shmop --enable-calendar --with-libxml-dir=/usr/local/php-5.3.28 --enable-pcntl --with-imap --with-imap-ssl --enable-mbstring --enable-mbregex --with-gd --enable-bcmath --with-xmlrpc --with-ldap --with-ldap-sasl --with-mysql=/usr --with-mysqli --with-snmp --enable-soap --with-xsl --enable-xmlreader --enable-xmlwriter --enable-pdo --with-pdo-mysql --with-pdo-pgsql --with-pear=/usr/local/php-5.3.28/pear --with-mcrypt --without-pdo-sqlite --with-config-file-scan-dir=/usr/local/php-5.3.28/php.d --without-sqlite3 --enable-intl
# make 
# make install

There may be errors while compiling; adjust the configure options as needed for your server.

# cp -a /etc/php.ini /usr/local/php-5.3.28/etc/php.ini

Make the necessary changes in php.ini, such as the timezone setting and the memory limit.

In order to register this PHP version in Plesk, use the command below.

# /usr/local/psa/bin/php_handler --add -displayname "5.3.28" -path /usr/local/php-5.3.28/bin/php-cgi -phpini /usr/local/php-5.3.28/etc/php.ini -type fastcgi -id "fastcgi-5.3.28"

You will get a message like "The new PHP handler with the id "fastcgi-5.3.28" was successfully registered."

After this, log in to Plesk and check that these additional PHP versions are available in the FastCGI and CGI handlers.

If all is good, you are set to use these additional PHP versions in Plesk.