Server & Security Expert Needed (WHM / cPanel Environment)

Client: Dean

The Challenge

A luxury healthcare group operating 25+ WordPress websites from a single Hetzner dedicated server discovered active malware on two of their domains. The engagement covered incident response, a full server forensic audit, malware eradication, credential rotation, server hardening, and ongoing daily monitoring.

Server scope: 27 cPanel accounts, 21 active WordPress installations, 1.8TB disk, 125GB RAM, CloudLinux with LiteSpeed, Redis, Memcached.

THE PROBLEM
===========

The client reported suspicious activity on balancerehabclinic.uk, where Google search results were showing Turkish gambling content (Jojobet) instead of the legitimate healthcare site. Initial investigation revealed a sophisticated SEO spam attack with bot cloaking: the site appeared normal to human visitors but served gambling pages to search engine crawlers. Further investigation uncovered a deeper compromise: the attacker had root-level server access and had been operating across multiple sites.

The Solution

DISCOVERY & INVESTIGATION
=========================

Phase 1: Initial Triage
-----------------------
- Identified SEO spam injection on balancerehabclinic.uk (TBUK)
- Found 4 malicious files: wp-plugin.php (23KB Jojobet gambling page), clr.php (443-line Turkish cache purger), an infected index.php with Googlebot cloaking, and a .htaccess with bot redirect rules
- Determined the attack specifically targeted search engine crawlers using user-agent detection (cloaking technique)

Phase 2: Root Cause Analysis
----------------------------
- Discovered an unauthorized SSH key in /root/.ssh/authorized_keys: "initsky@initskys-MacBook-Air.local" -- this was the primary attack vector, giving the attacker FULL ROOT ACCESS to the server
- Found a second, unnamed unauthorized SSH key
- Identified the attacker group as "TEAM ABJ" (#TEAM ABJ 2022), an Indonesian hacking group, based on Indonesian-language comments in their backdoor tool ("Hapus file ini setelah penggunaan", i.e. "delete this file after use")

Phase 3: Scope Assessment
-------------------------
- Discovered a WordPress admin-creator backdoor (wordpress.php) on balancerehabclinic.es (TBES) -- a PHP tool titled "TEAM ABJ" that creates administrator accounts on demand
- Found a rogue admin user "devadmin" (ID 16) created via the backdoor on 25 March at 01:22 UTC, with no email address set
- Apache access logs showed Installatron (cPanel's auto-installer) was used on 26 March at 01:58 from the server's own IP to execute scripts on TBUK -- confirming root-level server manipulation
- Server logs showed 15+ reboots between 23 and 25 March, suggesting the attacker was testing persistence mechanisms

Phase 4: Server-Wide Forensic Scan
----------------------------------
- Scanned all 27 cPanel accounts for malware, backdoors, and rogue database entries
- Discovered Imunify360 had already detected and cleaned 20+ malware items on ptsdinfo.org, including:
  * Haxor CGI backdoors (bash, perl, python shells)
  * PHP uploaders and webshells (Alfa shell)
  * Gambling spam HTML doorway pages
  * Malicious .htaccess redirect rules
- Found malware persistence tokens on ptsdinfo:
  * .config/.proc/defuncts.dat (haxor backdoor auth token)
  * .config/htop/defunct.dat (disguised as htop configuration)
- WordPress core integrity check on ptsdinfo showed modified files

Phase 5: Theme Security Audit
-----------------------------
- Deep code audit of the "recore" theme (active on 15+ sites) revealed CRITICAL vulnerabilities:
  * Bundled PHPMailer 5.x from ~2012 with known RCE exploits (CVE-2016-10033, CVE-2016-10045, CVE-2017-5223)
  * Unauthenticated form-handler.php with no CSRF protection, accepting file uploads without validation
  * Commented-out SMTP credentials (noreply@tutmee.ru) in source
  * Unsanitized $_GET input in template-glossary.php
- Audited the "balance" theme (thebalance.clinic main site) and confirmed it was properly secured with nonce verification, rate limiting, honeypot fields, and input sanitization
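The indicators uncovered above (an unknown key in authorized_keys, crawler-conditional .htaccess rules, .dat files hidden under .config, an admin account with no email address, webshell code in theme directories, world-writable files and changed cron entries) can be turned into a repeatable, file-based check that also serves the daily monitoring described later. The script below is an added example written for this page, not the engagement's own tooling: it assumes a cPanel-style home directory layout (~/.ssh, ~/public_html), a hypothetical approved_keys.txt allowlist of key blobs, a CSV of administrators exported with WP-CLI, and the pattern lists shown, all of which are assumptions rather than anything taken from the server.

```shell
#!/bin/sh
# Added example (not part of the original engagement write-up): an
# indicator-of-compromise scan built from the findings above. It works on
# plain files and directories, so it can run against a cPanel home directory,
# /root, or a copy taken for forensics. Paths, the allowlist format and the
# pattern lists are assumptions, not the engagement's actual tooling.
# Each check prints one "FINDING: ..." line per hit and returns 1 if anything
# was found, 0 if clean.

# Print the findings (if any) and return 1; stay silent and return 0 when clean.
report() {
    [ -n "$1" ] || return 0
    printf '%s\n' "$1"
    return 1
}

# 1. SSH keys: every key blob in authorized_keys must appear in an allowlist
#    file (one base64 blob per line), so a key with an innocent-looking comment
#    is still flagged. Assumes plain "type blob comment" lines (no options).
check_authorized_keys() {
    keys=$1; allow=$2
    [ -f "$keys" ] || return 0
    report "$(grep -Ev '^[[:space:]]*(#|$)' "$keys" | while read -r ktype blob comment; do
        grep -qxF "$blob" "$allow" || echo "FINDING: unauthorized key in $keys: $ktype ${comment:-<no comment>}"
    done)"
}

# 2. Cloaking: rewrite rules or PHP conditionals that key on a search-engine
#    user agent. Legitimate bad-bot blocks rarely name Googlebot, so every hit
#    deserves a look.
check_cloaking() {
    report "$(grep -rniE --include='.htaccess' --include='*.php' \
        'HTTP_USER_AGENT.*(googlebot|bingbot|yandex|slurp|duckduckbot)' "$1" 2>/dev/null \
        | sed 's|^|FINDING: crawler-conditional rule at |')"
}

# 3. Persistence tokens: data files hidden under ~/.config, as seen on ptsdinfo
#    (.config/.proc/defuncts.dat, .config/htop/defunct.dat).
check_persistence_tokens() {
    report "$(find "$1/.config" -type f \( -name '*.dat' -o -name 'defunct*' \) 2>/dev/null \
        | sed 's|^|FINDING: suspicious data file under .config: |')"
}

# 4. WordPress administrators: takes the CSV written by
#    wp user list --role=administrator --fields=ID,user_login,user_email --format=csv
#    and flags anyone not on the approved list, or with no email address
#    (the "devadmin" account created by the backdoor had none).
check_wp_admins() {
    csv=$1; allow=$2
    report "$(tail -n +2 "$csv" | while IFS=, read -r id login email; do
        if ! grep -qxF "$login" "$allow"; then
            echo "FINDING: admin '$login' (ID $id) is not an approved user"
        elif [ -z "$email" ]; then
            echo "FINDING: admin '$login' (ID $id) has no email address"
        fi
    done)"
}

# 5. Webshell and uploader patterns in PHP outside WordPress core (core itself
#    legitimately calls move_uploaded_file, so wp-admin and wp-includes are
#    skipped; verify core separately with a checksum comparison).
check_backdoor_patterns() {
    report "$(grep -rlE --include='*.php' --exclude-dir=wp-admin --exclude-dir=wp-includes \
        '(eval|assert)[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)|(shell_exec|passthru|system|proc_open|popen)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)|move_uploaded_file[[:space:]]*\(' \
        "$1" 2>/dev/null | sed 's|^|FINDING: webshell/uploader pattern in |')"
}

# 6. World-writable files anywhere under the docroot.
check_world_writable() {
    report "$(find "$1" -type f -perm -0002 2>/dev/null | sed 's|^|FINDING: world-writable file: |')"
}

# 7. Cron integrity: cksum every cron file (POSIX, so it runs anywhere) and
#    diff against a baseline saved on a known-good day with cron_snapshot.
cron_snapshot() {
    find "$@" -type f 2>/dev/null | sort | while read -r f; do cksum "$f"; done
}
check_cron_integrity() {
    baseline=$1; shift
    report "$(cron_snapshot "$@" | diff "$baseline" - | grep '^[<>]' | sed 's|^|FINDING: cron change: |')"
}

# Run every directory-based check against one account home; exit 1 on findings.
run_all() {
    home=$1; status=0
    check_authorized_keys "$home/.ssh/authorized_keys" "$home/.ssh/approved_keys.txt" || status=1
    check_cloaking "$home/public_html" || status=1
    check_persistence_tokens "$home" || status=1
    check_backdoor_patterns "$home/public_html" || status=1
    check_world_writable "$home/public_html" || status=1
    return $status
}

if [ $# -gt 0 ]; then run_all "$1"; fi
```

Run it as `sh ioc_scan.sh /home/ACCOUNT` per account (or once for /root with the SSH check only) and save the output with a date; a clean day prints nothing and exits 0, which makes it easy to wire into cron and alert only on a non-zero exit. The cron and admin checks take their inputs from files so the baseline snapshot and the WP-CLI export can be produced on a schedule of their own.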

The Results

REMEDIATION
===========

Phase 1: Immediate Threat Removal (Day 1)
-----------------------------------------
[x] Deleted the wordpress.php backdoor from TBES
[x] Deleted the rogue "devadmin" user and its usermeta from the tbes_wp1 database
[x] Deleted wp-plugin.php (Jojobet spam) from TBUK
[x] Deleted clr.php (cache purger) from TBUK
[x] Restored a clean index.php on TBUK
[x] Removed the bot-redirect rules from .htaccess on TBUK
[x] Removed both unauthorized SSH keys from root
[x] Deduplicated authorized_keys down to 1 clean audit key

Phase 2: Deep Clean & Forensics (Day 1)
---------------------------------------
[x] Deep scan and clean of ptsdinfo.org:
    - Deleted malware persistence tokens
    - Reinstalled WordPress core (fixed checksum integrity)
    - Verified Imunify360 cleanup complete
[x] Server-wide malware token scan -- ALL CLEAR
[x] Server-wide rogue WP admin user check -- ALL CLEAR
[x] Server-wide /tmp suspicious file check -- ALL CLEAR
[x] Server-wide SSH authorized_keys audit -- CLEAN (1 key only)
[x] Server-wide world-writable files check -- ALL CLEAR
[x] Server-wide SETUID files check in /home -- ALL CLEAR
[x] Server-wide non-standard PHP in site roots -- ALL CLEAR
[x] WordPress core integrity verified on all 21 sites

Phase 3: Credential Rotation (Day 1)
------------------------------------
[x] Changed all 22 active cPanel account passwords (unique strong random passwords per account)
[x] Changed all 43 WordPress user passwords across 19 sites (unique per user per site -- 4 users: abdullah, MOhsen, Mirella, Omar)
[x] Password files securely delivered and then deleted from the server

Phase 4: Server Hardening (Day 1)
---------------------------------
[x] Enabled CSF Firewall v16.12 (975 iptables rules)
    - FTP ports 20/21 removed from all rules (TCP/UDP, IPv4/IPv6)
    - Testing mode disabled (firewall permanent)
    - Config backed up before changes
[x] Disabled FTP server-wide:
    - pure-ftpd: stopped, disabled, masked (systemd)
    - WHM Service Manager: monitoring off
    - Port 21 verified closed
    - SFTP backups to Hetzner Storage Box verified working
[x] Disabled LFD (Imunify360 handles brute force via CSF integration)
[x] Blocked xmlrpc.php on all 23 sites via .htaccess (originals backed up as .htaccess.pre-xmlrpc-block)

Phase 5: Attack Surface Reduction (Day 1)
-----------------------------------------
[x] Deleted readme.html from all 21 sites (WP version disclosure)
[x] Deleted phpinfo-imagick.php (phpinfo exposure)
[x] Deleted the hidden marker file "..." (hacker breadcrumb)
[x] Moved wp-cli.phar out of public_html
[x] Deleted error_log and debug.log files (150+ files server-wide)
[x] Deleted domain verification .txt files from 19 sites
[x] Deleted stray .htaccess files from wp-includes across 14 sites
[x] Deleted .php.tar backup files from recore theme directories (7 files)

Phase 6: Ongoing Monitoring (Day 2+)
------------------------------------
[x] Established daily server status checks covering:
    - SSH authorized_keys integrity
    - Login attempts (successful and failed)
    - File changes in themes, plugins, and site roots
    - Imunify360 detection feed
    - Cron job integrity (MD5 hash tracking)
    - Rogue WordPress user scans
    - Suspicious files in /tmp and uploads
    - World-writable file checks
    - Backdoor pattern scans

RESULTS
=======

Immediate:
- All malware removed within hours of discovery
- Zero downtime -- all 25+ sites remained live throughout
- All 65 credentials rotated (22 cPanel + 43 WordPress)
- Root-level attacker access eliminated
- Server attack surface significantly reduced

Ongoing (as of March 28):
- 2 consecutive days of clean daily status checks
- No new Imunify360 detections since cleanup
- No unauthorized SSH access attempts
- No rogue WordPress users
- No suspicious file changes
- Server health stable (load 0.32, disk usage down from 88% to 78%)

ITEMS HANDED TO CLIENT
======================

The following actions require client involvement and remain pending:

1. DELETE RECORE THEME (CRITICAL)
   Still active on 2 sites: balancerehabclinic.de and thebalance.center. Contains an RCE vulnerability via the bundled PHPMailer from 2012. The client must switch to a different theme and delete recore from these sites.

2. HARDEN SSH CONFIG (HIGH)
   Restrict PermitRootLogin, disable PasswordAuthentication, enforce modern ciphers and timeouts. Requires coordination to ensure continued access.

3. UNIQUE LOGIN URLs (HIGH)
   All 25+ sites share the same hidden login URL "/fabou". Each site should have a unique URL to prevent credential stuffing across sites.

4. ENABLE 2FA (HIGH)
   Two-factor authentication should be enabled on all WordPress admin accounts (abdullah, MOhsen, Mirella, Omar).

5. DISALLOW_FILE_EDIT (MEDIUM)
   Add define('DISALLOW_FILE_EDIT', true) to wp-config.php on all sites to prevent theme/plugin editing from the WP dashboard.

6. GOOGLE RE-CRAWL (MEDIUM)
   Request a Google Search Console re-crawl of balancerehabclinic.uk to clear the cached Jojobet gambling spam from search results.
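The hardening applied in Phase 4 and 5 (xmlrpc.php denied via .htaccess with the original backed up as .htaccess.pre-xmlrpc-block, disclosure files removed) and the two configuration items handed to the client (SSH config, DISALLOW_FILE_EDIT) can all be verified from files, which is useful both before the change is made and as a regression check afterwards. The script below is an added example written for this page, not the engagement's own tooling: the sshd_config expectations (key-only root, no password authentication, an explicitly pinned cipher list with no CBC/RC4/3DES, a non-zero idle timeout) are an assumed policy derived from the write-up's wording, and the paths and file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original engagement: a file-based audit of
# the hardening items above -- the xmlrpc.php block and artefact removal that
# were applied, plus the sshd_config and DISALLOW_FILE_EDIT items handed to the
# client. It reads plain files, so it can run against a copy of the config
# before anything changes on the live server. The expected values are an
# assumed policy derived from the write-up, not the client's actual settings.
# Each check prints "FAIL: ..." lines and returns 1, or returns 0 when clean.

# Effective global value of an sshd_config keyword: sshd uses the FIRST
# uncommented occurrence, and anything after a Match line is conditional,
# so stop reading there.
sshd_value() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

check_sshd_config() {
    f=$1; bad=0
    v=$(sshd_value "$f" PermitRootLogin)
    case "$v" in
        no|prohibit-password|forced-commands-only) ;;
        *) echo "FAIL: PermitRootLogin='${v:-unset}' (want no, or prohibit-password for key-only root)"; bad=1 ;;
    esac
    v=$(sshd_value "$f" PasswordAuthentication)
    if [ "$v" != "no" ]; then
        echo "FAIL: PasswordAuthentication='${v:-unset}' (want no: keys only)"; bad=1
    fi
    # Assumed policy: pin an explicit cipher list and reject legacy CBC/RC4/3DES.
    v=$(sshd_value "$f" Ciphers)
    case "$v" in
        ""|*cbc*|*arcfour*|*3des*) echo "FAIL: Ciphers='${v:-unset}' (want an explicit modern list)"; bad=1 ;;
    esac
    # Assumed policy: idle sessions must time out (ClientAliveInterval > 0).
    v=$(sshd_value "$f" ClientAliveInterval)
    case "$v" in
        ""|0) echo "FAIL: ClientAliveInterval='${v:-unset}' (want a non-zero idle timeout)"; bad=1 ;;
    esac
    return $bad
}

# WordPress docroot: DISALLOW_FILE_EDIT on, xmlrpc.php denied, and none of the
# disclosure/debug artefacts the clean-up removed.
check_wp_docroot() {
    d=$1; bad=0
    if ! grep -Eq 'define[[:space:]]*\([[:space:]]*.DISALLOW_FILE_EDIT.[[:space:]]*,[[:space:]]*true[[:space:]]*\)' "$d/wp-config.php" 2>/dev/null; then
        echo "FAIL: $d: DISALLOW_FILE_EDIT is not defined as true in wp-config.php"; bad=1
    fi
    if ! grep -Eqi '<Files(Match)?[[:space:]]+.*xmlrpc' "$d/.htaccess" 2>/dev/null; then
        echo "FAIL: $d: no <Files xmlrpc.php> block in .htaccess"; bad=1
    fi
    for leak in readme.html phpinfo.php wp-cli.phar error_log debug.log wp-content/debug.log; do
        if [ -e "$d/$leak" ]; then echo "FAIL: $d: $leak is present"; bad=1; fi
    done
    return $bad
}

# Apply the xmlrpc.php block the way the write-up did: back up the original
# .htaccess as .htaccess.pre-xmlrpc-block, then append a deny rule.
apply_xmlrpc_block() {
    d=$1
    if grep -qi 'xmlrpc' "$d/.htaccess" 2>/dev/null; then
        echo "skip: $d/.htaccess already mentions xmlrpc"; return 0
    fi
    if [ -f "$d/.htaccess" ]; then cp -p "$d/.htaccess" "$d/.htaccess.pre-xmlrpc-block"; fi
    cat >> "$d/.htaccess" <<'EOF'
# Block XML-RPC (added by hardening). "Order deny,allow" + "Deny from all" is
# the Apache 2.2-style equivalent if Require is unavailable.
<Files xmlrpc.php>
    Require all denied
</Files>
EOF
}

# usage: sh hardening_audit.sh /etc/ssh/sshd_config /home/*/public_html
audit() {
    cfg=$1; shift; status=0
    check_sshd_config "$cfg" || status=1
    for d in "$@"; do check_wp_docroot "$d" || status=1; done
    return $status
}
if [ $# -gt 0 ]; then audit "$@"; fi
```

When the SSH item is actually carried out, validate the edited file with `sshd -t -f /path/to/sshd_config` before restarting the service and keep an existing root session open until a fresh key-based login has been confirmed; that is the "coordination to ensure continued access" the hand-over note refers to. The audit reads only the first global value of each keyword, so a later Match block that re-enables passwords for one user will not mask a weak global setting.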

Technologies Used

Server Administrator, Linux, WHM, cPanel, WordPress, PHP, MySQL