Montebello Park Hosting Support - User contributions [en]

Rogue PHP Spam Scripts

2022-03-27T17:39:26Z

Scott: /* Wordpress (or other CMS) Maintenance */

One of the most common issues we have had here at Montebello Park are roque PHP scripts that sneak themselves into web apps such as WordPress. Usually these scripts send email, but occasionally they are mining crypto currency.

== Identification ==
Usually the SPAM variety of these scripts first shows via the mail queue or a notification of an account exceeding its hourly send limit. On occasion you will notice the email script via processor usage, but more often, that is a symptom of the crypto mining scripts. These scripts are often surprisingly smart. They usually limit themselves to a fairly reasonable amount of processor utilization to avoid detection.

== Troubleshooting ==
Once you've determined you have an infection, you need to find where the scripts are. We've found a few ways to locate the scripts in question.

=== Email Headers ===
This is the easiest and most obvious way to find the source. The email server inserts <code>X-</code> headers that provide the script location.

'''For example:'''
'''X-Mailer:''' PHPMailer 5.2.23 (https://github.com/PHPMailer/PHPMailer)
'''X-PHP-Originating-Script:''' 1010:bwqgvgbw.php(1189) : runtime-created function(1) : eval()'d code(1) : eval()'d code
'''X-PHP-Script:''' domain.com/wp-content/gallery/government/thumbs/bwqgvgbw.php for 198.100.100.100

* <code>X-Mailer</code> describes the engine used to process the emails from the script.
* <code>X-PHP-Originating-Script</code> provides the file name of the script, in this case <code>bwqgvgbw.php</code>. This is a common type of name for these scripts. They will usually be a seemingly random set of characters. Sometimes they will be a .php script in a folder where .php files tend not to be. I've found most of the scripts that do the actual heavy lifting are about the same size as well (which is why the <code>find</code> command can be useful to find scripts that aren't yet active.
* <code>X-PHP-Script</code> provides the full path of the script. In this case it was hiding within the gallery folders in the Wordpress installation.

=== maldet ===
[https://github.com/rfxn/linux-malware-detect maldet] tends not to detect these sorts of issues, but is good to run occasionally in any case.

=== find ===
The [https://kb.iu.edu/d/admm find] command can be useful once you've identified the characteristics of your infection. You can use it to search for similar files based on type, size, and even modification date.

==== Size ====
The find command I've used to fins a particular size file is:
find /home/ -type f -ipath *.php -size 85k -exec ls -lh {} \;

This looks for '''85 K''' '''php''' files in all subdirectories of the '''home''' directory.

==== Date ====
A similar find command for dates is:
find /home/ -type f -ipath *.php -newermt 2018-01-28 ! -newermt 2018-01-29 -exec ls -lh {} \;

This looks for '''php''' files that were modified between '''2018-01-28''' and '''2018-01-29''' (really after '''2018-01-28''' but not after '''2018-01-29''') in all subdirectories of the '''home''' directory.

== Solutions ==
We recommend a multi pronged approach to remove the issue.

=== Imunify+ ===
This runs regularly on all our servers, but it is important to review the detections and clean any infected files regularly.

=== ClamAV ===
You should run this regularly anyway, but especially now. If you've been compromised by something that can upload a php script, it's probable that isn't the only thing that's been uploaded to your server.

Simply go to your cPanel and run the Virus Scanner.

=== Deleting Identified Scripts ===
Once you have identified the <code>php</code> files that are causing issues, simply delete them. I tend to just use the built in file manager in cPanel, but you can do it all via SSH or sFTP as well.

=== Change your Passwords! ===
I would change your cPanel account passwords '''and''' the Admin & user passwords for your CMS.

=== Adjusting Mail Limits ===
If you use mail from a third party such as Google or Microsoft and don't have any contact forms on your website that use email, you can crank down your email send limits. While this won't prevent re-infection, it will alert you sooner when it occurs.

There are details on setting email limits on cPanel [https://documentation.cpanel.net/display/CKB/How+to+Set+Email+Send+Limits here].
* To manage domain-level limits, you must manually edit /var/cpanel/users/username.
* To manage account-level limits, set the “Maximum Hourly Email by Domain Relayed” field in the Modify an Account interface in WHM.
* To manage global limits, set the “Max hourly emails per domain” option in the Tweak Settings interface in WHM.

=== WordPress (or other CMS) Maintenance ===
This is a great opportunity to update your WordPress install and check your [[WordPress Setup]] settings in WordPress Toolkit. I also recommend updating any plugins and themes you use, and removing those you don't. This will hopefully close whatever security holes may have existed and the fewer directories you have nested in your Wordpress install the harder it is for things to hide.

Rogue PHP Spam Scripts

2022-03-27T17:37:51Z

Scott: /* Solutions */

One of the most common issues we have had here at Montebello Park are roque PHP scripts that sneak themselves into web apps such as WordPress. Usually these scripts send email, but occasionally they are mining crypto currency.

== Identification ==
Usually the SPAM variety of these scripts first shows via the mail queue or a notification of an account exceeding its hourly send limit. On occasion you will notice the email script via processor usage, but more often, that is a symptom of the crypto mining scripts. These scripts are often surprisingly smart. They usually limit themselves to a fairly reasonable amount of processor utilization to avoid detection.

== Troubleshooting ==
Once you've determined you have an infection, you need to find where the scripts are. We've found a few ways to locate the scripts in question.

=== Email Headers ===
This is the easiest and most obvious way to find the source. The email server inserts <code>X-</code> headers that provide the script location.

'''For example:'''
'''X-Mailer:''' PHPMailer 5.2.23 (https://github.com/PHPMailer/PHPMailer)
'''X-PHP-Originating-Script:''' 1010:bwqgvgbw.php(1189) : runtime-created function(1) : eval()'d code(1) : eval()'d code
'''X-PHP-Script:''' domain.com/wp-content/gallery/government/thumbs/bwqgvgbw.php for 198.100.100.100

* <code>X-Mailer</code> describes the engine used to process the emails from the script.
* <code>X-PHP-Originating-Script</code> provides the file name of the script, in this case <code>bwqgvgbw.php</code>. This is a common type of name for these scripts. They will usually be a seemingly random set of characters. Sometimes they will be a .php script in a folder where .php files tend not to be. I've found most of the scripts that do the actual heavy lifting are about the same size as well (which is why the <code>find</code> command can be useful to find scripts that aren't yet active.
* <code>X-PHP-Script</code> provides the full path of the script. In this case it was hiding within the gallery folders in the Wordpress installation.

=== maldet ===
[https://github.com/rfxn/linux-malware-detect maldet] tends not to detect these sorts of issues, but is good to run occasionally in any case.

=== find ===
The [https://kb.iu.edu/d/admm find] command can be useful once you've identified the characteristics of your infection. You can use it to search for similar files based on type, size, and even modification date.

==== Size ====
The find command I've used to fins a particular size file is:
find /home/ -type f -ipath *.php -size 85k -exec ls -lh {} \;

This looks for '''85 K''' '''php''' files in all subdirectories of the '''home''' directory.

==== Date ====
A similar find command for dates is:
find /home/ -type f -ipath *.php -newermt 2018-01-28 ! -newermt 2018-01-29 -exec ls -lh {} \;

This looks for '''php''' files that were modified between '''2018-01-28''' and '''2018-01-29''' (really after '''2018-01-28''' but not after '''2018-01-29''') in all subdirectories of the '''home''' directory.

== Solutions ==
We recommend a multi pronged approach to remove the issue.

=== Imunify+ ===
This runs regularly on all our servers, but it is important to review the detections and clean any infected files regularly.

=== ClamAV ===
You should run this regularly anyway, but especially now. If you've been compromised by something that can upload a php script, it's probable that isn't the only thing that's been uploaded to your server.

Simply go to your cPanel and run the Virus Scanner.

=== Deleting Identified Scripts ===
Once you have identified the <code>php</code> files that are causing issues, simply delete them. I tend to just use the built in file manager in cPanel, but you can do it all via SSH or sFTP as well.

=== Change your Passwords! ===
I would change your cPanel account passwords '''and''' the Admin & user passwords for your CMS.

=== Adjusting Mail Limits ===
If you use mail from a third party such as Google or Microsoft and don't have any contact forms on your website that use email, you can crank down your email send limits. While this won't prevent re-infection, it will alert you sooner when it occurs.

There are details on setting email limits on cPanel [https://documentation.cpanel.net/display/CKB/How+to+Set+Email+Send+Limits here].
* To manage domain-level limits, you must manually edit /var/cpanel/users/username.
* To manage account-level limits, set the “Maximum Hourly Email by Domain Relayed” field in the Modify an Account interface in WHM.
* To manage global limits, set the “Max hourly emails per domain” option in the Tweak Settings interface in WHM.

=== Wordpress (or other CMS) Maintenance ===
This is a great opportunity to update your Wordpress install. I also recommend updating any plugins and themes you use, and removing those you don't. This will hopefully close whatever security holes may have existed and the fewer directories you have nested in your Wordpress install the harder it is for things to hide.

WordPress Setup

2022-03-27T17:24:49Z

Scott: /* Recommended Security */

== WordPress Best Practices ==
* Keep Wordpress Core and all plugins and themes updated
* Remove all unused plugins and themes
* Practice good [https://www.crashplan.com/en-us/business/resources/password-hygiene-best-practices/ password hygiene]
** Use strong passwords
** Do not reuse passwords
** Enable two-factor authentication where possible
** Use a trusted password manager such as 1Password

== Recommended WordPress Toolkit Settings ==
=== Updates ===
[[File:WP-Toolkit-Update-Settings.png|thumb|right|alt=WP Toolkit Update Settings|Update Settings]]
Recommended update settings for WordPress core, plugins, and themes:
* Update WordPress automatically
** Yes, but only minor (security) updates: With this setting you will only get security updates automatically and will have to install major/feature updates yourself. This is the absolute ''minimum recommended'' setting.
** Yes, all (minor and major) updates: With this setting all updates will be installed. You will need to check your site after a major update to make sure nothing has been broken by the update. If you have a simple site without many 3rd party plugins or themes this is recommended.
* Update plugins automatically
** Defined individually, but security updates are autoinstalled: Autoupdate settings for each plugin are followed, vulnerable plugins will be updated automatically regardless of their settings. This is the ''minimum recommended'' setting.
** Forced: All plugins will be autoupdated regardless of their settings. This is the ''preferred'' setting.
* Update themes automatically
** Defined individually, but security updates are autoinstalled: Autoupdate settings for each theme are followed, vulnerable themes will be updated automatically regardless of their settings. This is the ''minimum recommended'' setting.
** Forced: All themes will be autoupdated regardless of their settings. This is the ''preferred'' setting.

=== Minimum Security ===
[[File:Recommended-Minimum-Security-Settings.png|thumb|right|alt=Minimum Security Settings|Minimum Security Settings]]
Enact the following WP Toolkit Security recommendations (at a minimum):
* Restrict access to files and directories
* Block directory browsing
* Block unauthorized access to wp-config.php
* Disable PHP execution in cache directories
* Block access to sensitive files
* Forbid execution of PHP scripts in the wp-includes directory
* Forbid execution of PHP scripts in the wp-content/uploads directory
* Block access to .htaccess and .htpasswd

=== Recommended Security ===
[[File:Preferred-Security-Settings.png|thumb|right|alt=Preferred WordPress Toolkit Security Settings|Preferred Security Settings]]
Enact these security settings in addition to the above:
* Configure security keys
* Disable scripts concatenation for WordPress admin panel
* Turn off pingbacks
* Change default database table prefix
* Enable bot protection
* Block access to potentially seneitive files
* Change default administrator's username

== Addon Domains ==
When setting up Addon domains (especially for Worpress installations) we recommend the Addon domains be placed outside your primary <code>'''public_html'''</code> folder. This helps prevent cross contamination of Wordpress installations if one of them gets infected with malware.

WordPress Setup

2022-03-27T17:24:30Z

Scott: /* Minimum Security */

== WordPress Best Practices ==
* Keep Wordpress Core and all plugins and themes updated
* Remove all unused plugins and themes
* Practice good [https://www.crashplan.com/en-us/business/resources/password-hygiene-best-practices/ password hygiene]
** Use strong passwords
** Do not reuse passwords
** Enable two-factor authentication where possible
** Use a trusted password manager such as 1Password

== Recommended WordPress Toolkit Settings ==
=== Updates ===
[[File:WP-Toolkit-Update-Settings.png|thumb|right|alt=WP Toolkit Update Settings|Update Settings]]
Recommended update settings for WordPress core, plugins, and themes:
* Update WordPress automatically
** Yes, but only minor (security) updates: With this setting you will only get security updates automatically and will have to install major/feature updates yourself. This is the absolute ''minimum recommended'' setting.
** Yes, all (minor and major) updates: With this setting all updates will be installed. You will need to check your site after a major update to make sure nothing has been broken by the update. If you have a simple site without many 3rd party plugins or themes this is recommended.
* Update plugins automatically
** Defined individually, but security updates are autoinstalled: Autoupdate settings for each plugin are followed, vulnerable plugins will be updated automatically regardless of their settings. This is the ''minimum recommended'' setting.
** Forced: All plugins will be autoupdated regardless of their settings. This is the ''preferred'' setting.
* Update themes automatically
** Defined individually, but security updates are autoinstalled: Autoupdate settings for each theme are followed, vulnerable themes will be updated automatically regardless of their settings. This is the ''minimum recommended'' setting.
** Forced: All themes will be autoupdated regardless of their settings. This is the ''preferred'' setting.

=== Minimum Security ===
[[File:Recommended-Minimum-Security-Settings.png|thumb|right|alt=Minimum Security Settings|Minimum Security Settings]]
Enact the following WP Toolkit Security recommendations (at a minimum):
* Restrict access to files and directories
* Block directory browsing
* Block unauthorized access to wp-config.php
* Disable PHP execution in cache directories
* Block access to sensitive files
* Forbid execution of PHP scripts in the wp-includes directory
* Forbid execution of PHP scripts in the wp-content/uploads directory
* Block access to .htaccess and .htpasswd

=== Recommended Security ===
Enact these security settings in addition to the above:[[File:Preferred-Security-Settings.png|thumb|right|alt=Preferred WordPress Toolkit Security Settings|Preferred Security Settings]]
* Configure security keys
* Disable scripts concatenation for WordPress admin panel
* Turn off pingbacks
* Change default database table prefix
* Enable bot protection
* Block access to potentially seneitive files
* Change default administrator's username

== Addon Domains ==
When setting up Addon domains (especially for Worpress installations) we recommend the Addon domains be placed outside your primary <code>'''public_html'''</code> folder. This helps prevent cross contamination of Wordpress installations if one of them gets infected with malware.

WordPress Setup

2022-03-27T17:23:31Z

Scott:

== WordPress Best Practices ==
* Keep Wordpress Core and all plugins and themes updated
* Remove all unused plugins and themes
* Practice good [https://www.crashplan.com/en-us/business/resources/password-hygiene-best-practices/ password hygiene]
** Use strong passwords
** Do not reuse passwords
** Enable two-factor authentication where possible
** Use a trusted password manager such as 1Password

== Recommended WordPress Toolkit Settings ==
=== Updates ===
[[File:WP-Toolkit-Update-Settings.png|thumb|right|alt=WP Toolkit Update Settings|Update Settings]]
Recommended update settings for WordPress core, plugins, and themes:
* Update WordPress automatically
** Yes, but only minor (security) updates: With this setting you will only get security updates automatically and will have to install major/feature updates yourself. This is the absolute ''minimum recommended'' setting.
** Yes, all (minor and major) updates: With this setting all updates will be installed. You will need to check your site after a major update to make sure nothing has been broken by the update. If you have a simple site without many 3rd party plugins or themes this is recommended.
* Update plugins automatically
** Defined individually, but security updates are autoinstalled: Autoupdate settings for each plugin are followed, vulnerable plugins will be updated automatically regardless of their settings. This is the ''minimum recommended'' setting.
** Forced: All plugins will be autoupdated regardless of their settings. This is the ''preferred'' setting.
* Update themes automatically
** Defined individually, but security updates are autoinstalled: Autoupdate settings for each theme are followed, vulnerable themes will be updated automatically regardless of their settings. This is the ''minimum recommended'' setting.
** Forced: All themes will be autoupdated regardless of their settings. This is the ''preferred'' setting.

=== Minimum Security ===
Enact the following WP Toolkit Security recommendations (at a minimum):[[File:Recommended-Minimum-Security-Settings.png|thumb|right|alt=Recommended Security Settings|Recommended Security Settings]]
* Restrict access to files and directories
* Block directory browsing
* Block unauthorized access to wp-config.php
* Disable PHP execution in cache directories
* Block access to sensitive files
* Forbid execution of PHP scripts in the wp-includes directory
* Forbid execution of PHP scripts in the wp-content/uploads directory
* Block access to .htaccess and .htpasswd

=== Recommended Security ===
Enact these security settings in addition to the above:[[File:Preferred-Security-Settings.png|thumb|right|alt=Preferred WordPress Toolkit Security Settings|Preferred Security Settings]]
* Configure security keys
* Disable scripts concatenation for WordPress admin panel
* Turn off pingbacks
* Change default database table prefix
* Enable bot protection
* Block access to potentially seneitive files
* Change default administrator's username

== Addon Domains ==
When setting up Addon domains (especially for Worpress installations) we recommend the Addon domains be placed outside your primary <code>'''public_html'''</code> folder. This helps prevent cross contamination of Wordpress installations if one of them gets infected with malware.

WordPress Setup

2022-03-27T17:05:26Z

Scott:

== WordPress Best Practices ==
* Keep Wordpress Core and all plugins and themes updated
* Remove all unused plugins and themes
* Practice good [https://www.crashplan.com/en-us/business/resources/password-hygiene-best-practices/ password hygiene]
** Use strong passwords
** Do not reuse passwords
** Enable two-factor authentication where possible
** Use a trusted password manager such as 1Password

== Recommended WordPress Toolkit Settings ==
=== Updates ===
[[File:WP-Toolkit-Update-Settings.png|thumb|right|alt=WP Toolkit Update Settings|Update Settings]]
Recommended update settings for WordPress core, plugins, and themes:
* Update WordPress automatically
** Yes, but only minor (security) updates: With this setting you will only get security updates automatically and will have to install major/feature updates yourself. This is the absolute minimum recommended setting.
** Yes, all (minor and major) updates: With this setting all updates will be installed. You will need to check your site after a major update to make sure nothing has been broken by the update. If you have a simple site without many 3rd party plugins or themes this is recommended.
* Update plugins automatically
** Defined individually, but security updates are autoinstalled:
** Forced:
* Update themes automatically
** Defined individually, but security updates are autoinstalled:
** Forced:

=== Minimum Security ===
Enact the following WP Toolkit Security recommendations (at a minimum):[[File:Recommended-Minimum-Security-Settings.png|thumb|right|alt=Recommended Security Settings|Recommended Security Settings]]
* Restrict access to files and directories
* Block directory browsing
* Block unauthorized access to wp-config.php
* Disable PHP execution in cache directories
* Block access to sensitive files
* Forbid execution of PHP scripts in the wp-includes directory
* Forbid execution of PHP scripts in the wp-content/uploads directory
* Block access to .htaccess and .htpasswd

=== Recommended Security ===
Enact these security settings in addition to the above:[[File:Preferred-Security-Settings.png|thumb|right|alt=Preferred WordPress Toolkit Security Settings|Preferred Security Settings]]
* Configure security keys
* Disable scripts concatenation for WordPress admin panel
* Turn off pingbacks
* Change default database table prefix
* Enable bot protection
* Block access to potentially seneitive files
* Change default administrator's username

== Addon Domains ==
When setting up Addon domains (especially for Worpress installations) we recommend the Addon domains be placed outside your primary <code>'''public_html'''</code> folder. This helps prevent cross contamination of Wordpress installations if one of them gets infected with malware.

WordPress Setup

2022-03-27T16:53:12Z

Scott:

WordPress Setup

2022-03-27T07:21:15Z

Scott:

WordPress Setup

2022-03-27T07:20:52Z

Scott:

File:Preferred-Security-Settings.png

2022-03-27T07:15:12Z

Scott: Scott uploaded a new version of File:Preferred-Security-Settings.png

Preferred WordPress Toolkit Security Settings

WordPress Setup

2022-03-27T07:14:25Z

Scott:

File:Preferred-Security-Settings.png

2022-03-27T07:06:38Z

Scott:

Preferred WordPress Toolkit Security Settings

File:Recommended-Minimum-Security-Settings.png

2022-03-27T06:59:49Z

Scott:

Recommended Minimum WordPress Toolkit Security Settings

WordPress Setup

2022-03-27T06:55:54Z

Scott:

File:WP-Toolkit-Update-Settings.png

2022-03-27T06:53:49Z

Scott:

Update Settings

WordPress Setup

2022-03-26T23:49:47Z

Scott: Wordpress setup & security recommendations

== Recommended WPToolkit Settings ==
* Update all plugins, themes, and Wordpress Core files
* Remove all unused plugins and themes
* Enact WPToolkit recommendations (at a minimum):
** Restrict access to files and directories
** Block directory browsing(can be reverted)
** Block unauthorized access to wp-config.php(can be reverted)
** Disable PHP execution in cache directories(can be reverted)
** Block access to sensitive files(can be reverted)

== Addon Domains ==
When setting up Addon domains (especially for Worpress installations) we recommend the Addon domains be placed outside your primary <code>'''public_html'''</code> folder. This helps prevent cross contamination of Wordpress installations if one of them gets infected with malware.

Main Page

2022-03-26T23:38:37Z

Scott: /* Setup Tips */

Welcome to the Montebello Park Support Knowledge Base!

== Frequently Asked Questions ==
* [[FAQ]]

== Troubleshooting ==
* [[Rogue PHP Spam Scripts]]
* [[Using maldet & find]]
* More to come...

== Setup Tips ==
* [[WordPress Setup]] Recommendations
* [[ftp Settings]]
* [[.htaccess Recommendations]]
* More to come...

.htaccess Recommendations

2020-08-15T06:21:52Z

Scott: /* Resolve/Prevent auto discover.xml lookups */

Here are some recommendations for the .htaccess file in your public_html folder.

== Disable Directory Listings ==
Disabling directory listings helps hide the structure and content of your site. This can somewhat improve security and make it more difficult to take advantages of weaknesses on your site.

Insert the following into your .htaccess file:

<code>Options -Indexes</code>

== Resolve/Prevent auto discover.xml Lookups ==
===For WordPress sites===
https://mediatemple.net/community/products/dv/360029281612/troubleshooting-high-autodiscover.xml-usage

===For Non-Wordpress sites===
Insert the following lines into your <code>.htaccess</code> file:

<code><IfModule mod_rewrite.c>

RewriteEngine On

RewriteRule ^autodiscover/autodiscover.xml$ - [forbidden,last]

</IfModule>
</code>

== How to Edit .htaccess ==
* Open File Manager from cPanel
* Navigate to <code>public_html</code>.
* If the <code>.htaccess</code> is not visible, open <code>Settings</code> and select <code>Show Hidden Files (dotfiles)</code>.
* Select the <code>.htaccess</code> file and click <code>Edit</code>.

.htaccess Recommendations

2020-08-15T06:21:11Z

Scott: Created page with "Here are some recommendations for the .htaccess file in your public_html folder. == Disable Directory Listings == Disabling directory listings helps hide the structure and c..."

Here are some recommendations for the .htaccess file in your public_html folder.

== Disable Directory Listings ==
Disabling directory listings helps hide the structure and content of your site. This can somewhat improve security and make it more difficult to take advantages of weaknesses on your site.

Insert the following into your .htaccess file:

<code>Options -Indexes</code>

== Resolve/Prevent auto discover.xml lookups ==
===For WordPress sites===
https://mediatemple.net/community/products/dv/360029281612/troubleshooting-high-autodiscover.xml-usage

===For Non-Wordpress sites===
Insert the following lines into your <code>.htaccess</code> file:

<code><IfModule mod_rewrite.c>

RewriteEngine On

RewriteRule ^autodiscover/autodiscover.xml$ - [forbidden,last]

</IfModule>
</code>

== How to Edit .htaccess ==
* Open File Manager from cPanel
* Navigate to <code>public_html</code>.
* If the <code>.htaccess</code> is not visible, open <code>Settings</code> and select <code>Show Hidden Files (dotfiles)</code>.
* Select the <code>.htaccess</code> file and click <code>Edit</code>.

Main Page

2020-08-15T05:05:41Z

Scott: /* Setup Tips */

Welcome to the Montebello Park Support Knowledge Base!

== Frequently Asked Questions ==
* [[FAQ]]

== Troubleshooting ==
* [[Rogue PHP Spam Scripts]]
* [[Using maldet & find]]
* More to come...

== Setup Tips ==
* [[ftp Settings]]
* [[.htaccess Recommendations]]
* More to come...

Main Page

2020-08-15T05:05:30Z

Scott: /* Setup Tips */

Welcome to the Montebello Park Support Knowledge Base!

== Frequently Asked Questions ==
* [[FAQ]]

== Troubleshooting ==
* [[Rogue PHP Spam Scripts]]
* [[Using maldet & find]]
* More to come...

== Setup Tips ==
* [[ftp Settings]]
* [[.htaccess recommendations]]
* More to come...

FAQ

2018-09-30T22:14:40Z

Scott: Undo revision 18 by Scott (talk)

Here are some frequently asked questions. If you cannot find your answer here, please contact support at montebellopark.com.

==Start up==

==Billing==

FAQ

2018-09-30T21:54:49Z

Scott:

FAQ

2018-09-30T21:54:24Z

Scott:

{{FAQ|collapsed=no}}

If you cannot find your answer here, please contact support at montebellopark.com.

FAQ

2018-09-30T21:53:57Z

Scott: Created page with "Here are some frequently asked questions. If you cannot find your answer here, please contact support at montebellopark.com. {{FAQ|collapsed=no}}"

Here are some frequently asked questions. If you cannot find your answer here, please contact support at montebellopark.com.

{{FAQ|collapsed=no}}

Main Page

2018-09-30T21:49:43Z

Scott:

Ftp Settings

2018-09-27T02:51:16Z

Scott:

We recommend using the CPanel File Manager to upload, edit, and manage files in your account. However, here are some recommended settings for using ftp to connect to your server.

== Firewall Notes ==
Due to the firewall configuration on the server, your IP will need to be added to the firewall and cPHulk whitelists to ftp to your server. Contact support at montebellopark.com to for more information.

== Connection Settings ==
=== Standard FTP (to your domain) ===
:Protocol: FTP
:Hostname: ftp.domain.com
:Port: 21
:Username: account@domain.com
:Password: assigned password
:Encryption: Plain FTP ''or'' Use explicit FTP over TLS if available
:Transfer Mode: Passive
:Maximum Connections: 5

=== Standard FTP (to Montebello Park) ===
:Protocol: FTP
:Hostname: ftp.montebellopark.com
:Port: 21
:Username: account@domain.com
:Password: assigned password
:Encryption: Plain FTP ''or'' Use explicit FTP over TLS if available
:Transfer Mode: Passive
:Maximum Connections: 5

=== Secure FTP ===
:Protocol: SFTP - SSH File Transfer Protocol
:Host: ftp.domain.com
:Port: 16969
:Username: account@domain.com
:Password: assigned password
:Maximum Connections: 5

Ftp Settings

2018-09-27T01:12:12Z

Scott: /* Standard FTP (to your host) */

We recommend using the CPanel File Manager to upload, edit, and manage files in your account. However, here are some recommended settings for using ftp to connect to your server.

== Firewall Notes ==
Due to the firewall configuration on the server, your IP will need to be added to the firewall whitelist to ftp to your server. Contact support at montebellopark.com to for more information.

== Connection Settings ==
=== Standard FTP (to your domain) ===
:Protocol: FTP
:Hostname: ftp.domain.com
:Port: 21
:Username: account@domain.com
:Password: assigned password
:Encryption: Plain FTP ''or'' Use explicit FTP over TLS if available
:Transfer Mode: Passive
:Maximum Connections: 5

=== Standard FTP (to Montebello Park) ===
:Protocol: FTP
:Hostname: ftp.montebellopark.com
:Port: 21
:Username: account@domain.com
:Password: assigned password
:Encryption: Plain FTP ''or'' Use explicit FTP over TLS if available
:Transfer Mode: Passive
:Maximum Connections: 5

=== Secure FTP ===
:Protocol: SFTP - SSH File Transfer Protocol
:Host: ftp.domain.com
:Port: 16969
:Username: account@domain.com
:Password: assigned password
:Maximum Connections: 5

Ftp Settings

2018-09-27T01:05:38Z

Scott: /* Connection Settings */

We recommend using the CPanel File Manager to upload, edit, and manage files in your account. However, here are some recommended settings for using ftp to connect to your server.

== Firewall Notes ==
Due to the firewall configuration on the server, your IP will need to be added to the firewall whitelist to ftp to your server. Contact support at montebellopark.com to for more information.

== Connection Settings ==
=== Standard FTP (to your host) ===
:Protocol: FTP
:Hostname: ftp.domain.com
:Port: 21
:Username: account@domain.com
:Password: assigned password
:Encryption: Plain FTP ''or'' Use explicit FTP over TLS if available
:Transfer Mode: Passive
:Maximum Connections: 5

=== Standard FTP (to Montebello Park) ===
:Protocol: FTP
:Hostname: ftp.montebellopark.com
:Port: 21
:Username: account@domain.com
:Password: assigned password
:Encryption: Plain FTP ''or'' Use explicit FTP over TLS if available
:Transfer Mode: Passive
:Maximum Connections: 5

=== Secure FTP ===
:Protocol: SFTP - SSH File Transfer Protocol
:Host: ftp.domain.com
:Port: 16969
:Username: account@domain.com
:Password: assigned password
:Maximum Connections: 5

Ftp Settings

2018-09-27T01:05:24Z

Scott: /* Connection Settings */

We recommend using the CPanel File Manager to upload, edit, and manage files in your account. However, here are some recommended settings for using ftp to connect to your server.

== Firewall Notes ==
Due to the firewall configuration on the server, your IP will need to be added to the firewall whitelist to ftp to your server. Contact support at montebellopark.com to for more information.

== Connection Settings ==
=== Standard FTP (to your host) ===
:Protocol: FTP
:Hostname: ftp.domain.com
:Port: 21
:Username: account@domain.com
:Password: assigned password
:Encryption: Plain FTP ''or'' Use explicit FTP over TLS if available
:Transfer Mode: Passive
:Maximum Connections: 5

=== Standard FTP (to Montebello Park) ===
:Protocol: FTP
:Hostname: ftp.montebellopark.com
:Port: 21
:Username: account@domain.com
:Password: assigned password
:Encryption: Plain FTP ''or'' Use explicit FTP over TLS if available
:Transfer Mode: Passive
:Maximum Connections: 5

=== Secure FTP ===
:Protocol: SFTP - SSH File Transfer Protocol
:Host: ftp.domain.com
:Port: 16969
:Username: account@domain.com
:Password: assigned password
:Maximum Connections: 5

Ftp Settings

2018-09-27T01:04:12Z

Scott: /* Standard FTP */

We recommend using the CPanel File Manager to upload, edit, and manage files in your account. However, here are some recommended settings for using ftp to connect to your server.

== Firewall Notes ==
Due to the firewall configuration on the server, your IP will need to be added to the firewall whitelist to ftp to your server. Contact support at montebellopark.com to for more information.

== Connection Settings ==
=== Standard FTP (to your host) ===
:Protocol: FTP
:Hostname: ftp.domain.com
:Port: 21
:Username: account@domain.com
:Password: assigned password
:Encryption: Plain FTP ''or'' Use explicit FTP over TLS if available
:Transfer Mode: Passive
:Maximum Connections: 5

=== Secure FTP ===
:Protocol: SFTP - SSH File Transfer Protocol
:Host: ftp.domain.com
:Port: (contact support at montebellopark.com)
:Username: account@domain.com
:Password: assigned password
:Maximum Connections: 5

Ftp Settings

2018-09-26T23:15:31Z

Scott: Reorder Headings

We recommend using the CPanel File Manager to upload, edit, and manage files in your account. However, here are some recommended settings for using ftp to connect to your server.

== Firewall Notes ==
Due to the firewall configuration on the server, your IP will need to be added to the firewall whitelist to ftp to your server. Contact support at montebellopark.com to for more information.

== Connection Settings ==
=== Standard FTP ===
:Protocol: FTP
:Hostname: ftp.domain.com
:Port: 21
:Username: account@domain.com
:Password: assigned password
:Encryption: Plain FTP ''or'' Use explicit FTP over TLS if available
:Transfer Mode: Passive
:Maximum Connections: 5

=== Secure FTP ===
:Protocol: SFTP - SSH File Transfer Protocol
:Host: ftp.domain.com
:Port: (contact support at montebellopark.com)
:Username: account@domain.com
:Password: assigned password
:Maximum Connections: 5

Ftp Settings

2018-09-17T03:15:41Z

Scott:

We recommend using the CPanel File Manager to upload, edit, and manage files in your account. However, here are some recommended settings for using ftp to connect to your server.

== Connection Settings ==
=== Standard FTP ===
:Protocol: FTP
:Hostname: ftp.domain.com
:Port: 21
:Username: account@domain.com
:Password: assigned password
:Encryption: Plain FTP ''or'' Use explicit FTP over TLS if available
:Transfer Mode: Passive
:Maximum Connections: 5

=== Secure FTP ===
:Protocol: SFTP - SSH File Transfer Protocol
:Host: ftp.domain.com
:Port: (contact support at montebellopark.com)
:Username: account@domain.com
:Password: assigned password
:Maximum Connections: 5

== Firewall Notes ==
Due to the firewall configuration on the server, your IP will need to be added to the firewall whitelist to ftp to your server. Contact support at montebellopark.com to for more information.

Ftp Settings

2018-09-17T02:56:20Z

Scott: Created page with "We recommend using the CPanel File Manager to upload, edit, and manage files in your account. However, here are some recommended settings for using ftp to connect to your serv..."

We recommend using the CPanel File Manager to upload, edit, and manage files in your account. However, here are some recommended settings for using ftp to connect to your server.

== Connection Settings ==
=== Standard FTP ===
:Hostname: ftp.domain.com
:Port: 21
:Username: account@domain.com
:Password: assigned password
:Encryption: Plain FTP
:Transfer Mode: Passive
:Maximum Connections: 5

=== Secure FTP ===
:Host: ftp.domaindomain.com
:Port: (contact support at montebellopark.com)
:Username: account@domain.com
:Password: assigned password
:Encryption:
:Transfer Mode: Passive
:Maximum Connections: 5

== Firewall Notes ==
Due to the firewall configuration on the server, your IP will need to be added to the firewall whitelist to ftp to your server. Contact support at montebellopark.com to for more information.

Main Page

2018-09-17T02:17:05Z

Scott: /* Article Highlights */ Expanded sections

Welcome to the Montebello Park Support Knowledge Base!

== Troubleshootung ==
* [[Rogue PHP Spam Scripts]]
* [[Using maldet & find]]
* More to come...

== Setup Tips ==
* [[ftp Settings]]
* More to come...

Rogue PHP Spam Scripts

2018-03-25T00:44:09Z

Scott:

One of the most common issues we have had here at Montebello Park are roque PHP scripts that sneak themselves into web apps such as WordPress. Usually these scripts send email, but occasionally they are mining crypto currency.

== Identification ==
Usually the SPAM variety of these scripts first shows via the mail queue or a notification of an account exceeding its hourly send limit. On occasion you will notice the email script via processor usage, but more often, that is a symptom of the crypto mining scripts. These scripts are often surprisingly smart. They usually limit themselves to a fairly reasonable amount of processor utilization to avoid detection.

== Troubleshooting ==
Once you've determined you have an infection, you need to find where the scripts are. We've found a few ways to locate the scripts in question.

=== Email Headers ===
This is the easiest and most obvious way to find the source. The email server inserts <code>X-</code> headers that provide the script location.

'''For example:'''
'''X-Mailer:''' PHPMailer 5.2.23 (https://github.com/PHPMailer/PHPMailer)
'''X-PHP-Originating-Script:''' 1010:bwqgvgbw.php(1189) : runtime-created function(1) : eval()'d code(1) : eval()'d code
'''X-PHP-Script:''' domain.com/wp-content/gallery/government/thumbs/bwqgvgbw.php for 198.100.100.100

* <code>X-Mailer</code> describes the engine used to process the emails from the script.
* <code>X-PHP-Originating-Script</code> provides the file name of the script, in this case <code>bwqgvgbw.php</code>. This is a common type of name for these scripts. They will usually be a seemingly random set of characters. Sometimes they will be a .php script in a folder where .php files tend not to be. I've found most of the scripts that do the actual heavy lifting are about the same size as well (which is why the <code>find</code> command can be useful to find scripts that aren't yet active.
* <code>X-PHP-Script</code> provides the full path of the script. In this case it was hiding within the gallery folders in the Wordpress installation.

=== maldet ===
[https://github.com/rfxn/linux-malware-detect maldet] tends not to detect these sorts of issues, but is good to run occasionally in any case.

=== find ===
The [https://kb.iu.edu/d/admm find] command can be useful once you've identified the characteristics of your infection. You can use it to search for similar files based on type, size, and even modification date.

==== Size ====
The find command I've used to fins a particular size file is:
find /home/ -type f -ipath *.php -size 85k -exec ls -lh {} \;

This looks for '''85 K''' '''php''' files in all subdirectories of the '''home''' directory.

==== Date ====
A similar find command for dates is:
find /home/ -type f -ipath *.php -newermt 2018-01-28 ! -newermt 2018-01-29 -exec ls -lh {} \;

This looks for '''php''' files that were modified between '''2018-01-28''' and '''2018-01-29''' (really after '''2018-01-28''' but not after '''2018-01-29''') in all subdirectories of the '''home''' directory.

== Solutions ==
We recommend a multi pronged approach to remove the issue.

=== ClamAV ===
You should run this regularly anyway, but especially now. If you've been compromised by something that can upload a php script, it's probable that isn't the only thing that's been uploaded to your server.

Simply go to your cPanel and run the Virus Scanner.

=== Deleting Identified Scripts ===
Once you have identified the <code>php</code> files that are causing issues, simply delete them. I tend to just use the built in file manager in cPanel, but you can do it all via SSH or sFTP as well.

=== Change your Passwords! ===
I would change your cPanel account passwords '''and''' the Admin & user passwords for your CMS.

=== Adjusting Mail Limits ===
If you use mail from a third party such as Google or Microsoft and don't have any contact forms on your website that use email, you can crank down your email send limits. While this won't prevent re-infection, it will alert you sooner when it occurs.

There are details on setting email limits on cPanel [https://documentation.cpanel.net/display/CKB/How+to+Set+Email+Send+Limits here].
* To manage domain-level limits, you must manually edit /var/cpanel/users/username.
* To manage account-level limits, set the “Maximum Hourly Email by Domain Relayed” field in the Modify an Account interface in WHM.
* To manage global limits, set the “Max hourly emails per domain” option in the Tweak Settings interface in WHM.

=== Wordpress (or other CMS) Maintenance ===
This is a great opportunity to update your Wordpress install. I also recommend updating any plugins and themes you use, and removing those you don't. This will hopefully close whatever security holes may have existed and the fewer directories you have nested in your Wordpress install the harder it is for things to hide.

Rogue PHP Spam Scripts

2018-03-24T22:36:09Z

Scott: Created page with "One of the most common issues we have had here at Montebello Park are roque PHP scripts that sneak themselves into web apps such as WordPress. Usually these scripts send email..."

One of the most common issues we have had here at Montebello Park are roque PHP scripts that sneak themselves into web apps such as WordPress. Usually these scripts send email, but occasionally they are mining crypto currency.

== Identification ==
Usually the SPAM variety of these scripts first shows via the mail queue or a notification of an account exceeding its hourly send limit. On occasion you will notice the email script via processor usage, but more often, that is a symptom of the crypto mining scripts. These scripts are often surprisingly smart. They usually limit themselves to a fairly reasonable amount of processor utilization to avoid detection.

== Troubleshooting ==
Once you've determined you have an infection, you need to find where the scripts are. We've found a few ways to locate the scripts in question.

=== Email Headers ===
This is the easiest and most obvious way to find the source. The email server inserts <code>X-</code> headers that provide the script location.

'''For example:'''
'''X-Mailer:''' PHPMailer 5.2.23 (https://github.com/PHPMailer/PHPMailer)
'''X-PHP-Originating-Script:''' 1010:bwqgvgbw.php(1189) : runtime-created function(1) : eval()'d code(1) : eval()'d code
'''X-PHP-Script:''' domain.com/wp-content/gallery/government/thumbs/bwqgvgbw.php for 198.100.100.100

* <code>X-Mailer</code> describes the engine used to process the emails from the script.
* <code>X-PHP-Originating-Script</code> provides the file name of the script, in this case <code>bwqgvgbw.php</code>. This is a common type of name for these scripts. They will usually be a seemingly random set of characters. Sometimes they will be a .php script in a folder where .php files tend not to be. I've found most of the scripts that do the actual heavy lifting are about the same size as well (which is why the <code>find</code> command can be useful to find scripts that aren't yet active.
* <code>X-PHP-Script</code> provides the full path of the script. In this case it was hiding within the gallery folders in the Wordpress installation.

=== maldet ===
[https://github.com/rfxn/linux-malware-detect maldet] tends not to detect these sorts of issues, but is good to run occasionally in any case.

=== find ===
The [https://kb.iu.edu/d/admm find] command can be useful once you've identified the characteristics of your infection. You can use it to search for similar files based on type, size, and even modification date.

==== Size ====
The find command I've used to fins a particular size file is:
find /home/ -type f -ipath *.php -size 85k -exec ls -lh {} \;

This looks for '''85 K''' '''php''' files in all subdirectories of the '''home''' directory.

==== Date ====
A similar find command for dates is:
find /home/ -type f -ipath *.php -newermt 2018-01-28 ! -newermt 2018-01-29 -exec ls -lh {} \;

This looks for '''php''' files that were modified between '''2018-01-28''' and '''2018-01-29''' (really after '''2018-01-28''' but not after '''2018-01-29''') in all subdirectories of the '''home''' directory.

== Solutions ==
We recommend a multi pronged approach to remove the issue.

=== ClamAV ===
You should run this regularly anyway, but especially now. If you've been compromised by something that can upload a php script, it's probable that isn't the only thing that's been uploaded to your server.

Simply go to your cPanel and run the Virus Scanner.

=== Deleting Identified Scripts ===
Once you have identified the <code>php</code> files that are causing issues, simply delete them. I tend to just use the built in file manager in cPanel, but you can do it all via SSH or sFTP as well.

=== Change your Passwords! ===
I would change your cPanel account passwords '''and''' the Admin & user passwords for your CMS.

=== Adjusting Mail Limits ===
If you use mail from a third party such as Google or Microsoft and don't have any contact forms on your website that use email, you can crank down your email send limits. While this won't prevent re-infection, it will alert you sooner when it occurs.

=== Wordpress (or other CMS) Maintenance ===
This is a great opportunity to update your Wordpress install. I also recommend updating any plugins and themes you use, and removing those you don't. This will hopefully close whatever security holes may have existed and the fewer directories you have nested in your Wordpress install the harder it is for things to hide.

Main Page

2018-03-24T20:34:32Z

Scott:

Welcome to the Montebello Park Support Knowledge Base!

== Article Highlights ==
* [[Rogue PHP Spam Scripts]]
* [[Using maldet & find]]
* More to come...

Montebello Park Hosting Support:About

2018-03-24T19:50:50Z

Scott:

This [https://en.wikipedia.org/wiki/Wiki wiki] is intended for use by those supporting sites hosted by [https://www.montebellopark.com/ Montebello Park]. We started it as a knowledge base to help us out internally as issues arose.

Montebello Park Hosting Support:About

2018-03-24T19:50:23Z

Scott: Created page with "This [https://en.wikipedia.org/wiki/Wiki Wiki] is intended for use by those supporting sites hosted by [https://www.montebellopark.com/ Montebello Park]. We started it as a kn..."

This [https://en.wikipedia.org/wiki/Wiki Wiki] is intended for use by those supporting sites hosted by [https://www.montebellopark.com/ Montebello Park]. We started it as a knowledge base to help us out internally as issues arose.