MALWARE ALERT: After starting to use tinyfilemanager, all my WordPress websites on the same host were invaded
As the title describes, all my 10 WordPress websites on the same host have shown a user called wpadminerlzp, a lot of cryptic files inside folders, a new .htaccess inside all folders...
These and a million other SUSPECT FILES appeared inside my WordPress installations after tinyfilemanager.
Content of the suspect .htaccess:
<FilesMatch ".(py|exe|php)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(about.php|radio.php|index.php|content.php|lock360.php|admin.php|wp-login.php)$">
Order allow,deny
Allow from all
</FilesMatch>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
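As an added illustration (not code from this issue or from TinyFileManager): a small scanner that walks a web root and flags every .htaccess shaped like the dropped one above, i.e. a blanket deny on PHP followed by an allow-list that re-exposes files which are not stock WordPress entry points. The embedded sample is the FilesMatch part of the file quoted above; KNOWN_WP_ENTRYPOINTS is an assumption you should extend for your own sites.

```python
import os
import re
from pathlib import Path

# Constructed sample: the FilesMatch part of the dropped .htaccess quoted in the issue.
SAMPLE_HTACCESS = r'''<FilesMatch ".(py|exe|php)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(about.php|radio.php|index.php|content.php|lock360.php|admin.php|wp-login.php)$">
Order allow,deny
Allow from all
</FilesMatch>
'''

# PHP files a stock WordPress root legitimately serves directly (assumption: extend per site).
KNOWN_WP_ENTRYPOINTS = {"index.php", "wp-login.php", "wp-cron.php", "xmlrpc.php"}
FILESMATCH_RE = re.compile(r'<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>', re.S | re.I)

def analyse_htaccess(text):
    """Return findings for one .htaccess body: a blanket deny on PHP, and an
    allow-list that re-exposes names which are not normal WordPress entry points."""
    findings = []
    for pattern, body in FILESMATCH_RE.findall(text):
        body_l = body.lower()
        if "php" in pattern.lower() and "deny from all" in body_l:
            findings.append(f"blanket deny on php: {pattern}")
        if "allow from all" in body_l:
            anchored = re.fullmatch(r"\^\((.*)\)\$", pattern)  # ^(a|b|c)$ form
            names = anchored.group(1).split("|") if anchored else [pattern]
            odd = sorted(n for n in names if n not in KNOWN_WP_ENTRYPOINTS)
            if odd:
                findings.append("allow-list re-exposes: " + ", ".join(odd))
    return findings

def scan_tree(root):
    """Walk a web root; return {path: findings} for every .htaccess that matches."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = Path(dirpath) / ".htaccess"
            findings = analyse_htaccess(path.read_text(errors="replace"))
            if findings:
                hits[str(path)] = findings
    return hits

if __name__ == "__main__":
    print(analyse_htaccess(SAMPLE_HTACCESS))  # run scan_tree("/var/www") on a real host
```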
@FelipeGlauber,
We're sorry to hear about the issues you're experiencing, but it's important to clarify that this situation is not caused by TinyFileManager itself. TinyFileManager is a lightweight, open-source file manager intended to be used responsibly by server administrators. It does not contain any malware or tracking functionality.
If your websites were compromised, we recommend checking the following:
Source of Installation: Did you download TinyFileManager from the official GitHub repository? Using modified versions from unofficial sources can pose serious security risks.
Authentication Configuration: Did you change the default username and password? Using weak or default credentials can leave your server exposed.
Server Exposure: Was TinyFileManager accessible publicly without proper access restrictions (e.g., behind a login or firewall)? Publicly exposing admin tools can be dangerous if not secured properly.
TinyFileManager does not make external connections and has no way to "invade" other websites or servers. It’s simply a tool to interact with the file system on your server. If multiple WordPress sites were affected, it's more likely that the server itself was compromised through another vector.
We recommend thoroughly auditing your server for vulnerabilities, checking server logs, updating all software, and ensuring your hosting environment is secure.
Thank you, @prasathmani.
Sorry for the inconvenience. I'll check all your recommendations and retry TFM in another environment.
Before TFM, I was using Halgate's completely exposed solution as a clean file server, and nothing strange ever happened with my parallel WP installations.
I replaced it with TFM because I wanted to add a simple login, and these strange files started to pop up inside my server.
Thank you again, I'll check your tips.
Apply auth to the WebUI with a reverse proxy. Users can be authenticated before they can access the TFM UI.
@FelipeGlauber Hello, I am sorry to hear about the annoying issue. I want to ask something. How did the attackers first add their files? Do you have any idea? SQL injection, file traversal because of TFM, or something else? Might it be because of a Laravel vulnerability? My friend also has this issue and we couldn't find the reason for the very first attack, actually! And they were not using TFM. Thank you.