File Permissions and security - Help needed

#1
Hi everyone,
I am new here but it looks like I am going to be an active member of the community since it is my first time dealing with OLS.
The company I work for acquired a web design agency and their servers. One of them is a CentOS 8 with OLS 1.7.16 installed. It hosts approximately 30 websites and all of them have symptoms of being hacked... I enabled per-client throttling and reCAPTCHA at the virtual host level to try to stop the many requests I see in the access.log of every single virtual host.

Here is an example of what I see in every access.log file:
Code:
172.68.50.230 - - [17/Jan/2023:13:24:21 +0000] "GET /?s=%E3%80%90%E5%9C%A8%E5%BA%AB%E3%81%82%E3%82%8A%E3%80%91YONEX-%E6%97%A9%E5%89%B2%E3%82%AF%E3%83%BC%E3%83%9D%E3%83%B3%EF%BC%81%E3%83%A8%E3%83%8D%E3%83%83%E3%82%AF%E3%82%B9-Ezone-%E8%B6%85%E6%A0%BC%E5%AE%89%E4%BE%A1%E6%A0%BC98-%E3%83%A9%E3%82%B1%E3%83%83%E3%83%88-%E3%83%86%E3%83%8B%E3%82%B9Bo.670f6 HTTP/1.1" 200 15350 "-" "Mozilla/5.0 (compatible; BLEXBot/1.0; +http://webmeup-crawler.com/)"
172.68.50.231 - - [17/Jan/2023:13:24:56 +0000] "GET /?s=%E3%80%90%E5%9C%A8%E5%BA%AB%E3%81%82%E3%82%8A%E3%80%91kik%E6%A7%98%E5%B0%82%E7%94%A8%E3%83%9A%E3%83%BC%E3%82%B8-%E4%BA%BA%E6%B0%97No.1-%E5%85%A5%E8%8D%B7%E4%B8%ADBo.726dd2 HTTP/1.1" 200 15204 "-" "Mozilla/5.0 (compatible; BLEXBot/1.0; +http://webmeup-crawler.com/)"
172.68.50.230 - - [17/Jan/2023:13:25:22 +0000] "GET /?s=%E3%80%90%E5%9C%A8%E5%BA%AB%E3%81%82%E3%82%8A%E3%80%91mema%E3%81%95%E3%81%BE-%E6%97%A5%E6%9C%AC%E5%88%9D%E3%81%AE-%E5%B9%B4%E6%9C%AB%E3%81%AE%E3%83%97%E3%83%AD%E3%83%A2%E3%83%BC%E3%82%B7%E3%83%A7%E3%83%B3%E7%89%B9%E4%BE%A1%EF%BC%81Bo.115e50c HTTP/1.1" 200 15285 "-" "Mozilla/5.0 (compatible; BLEXBot/1.0; +http://webmeup-crawler.com/)"
172.69.134.98 - - [17/Jan/2023:13:25:22 +0000] "POST /wp-cron.php?doing_wp_cron=1673961922.9558351039886474609375 HTTP/1.1" 200 - "https://censoredwebsitedomain.com/wp-cron.php?doing_wp_cron=1673961922.9558351039886474609375" "WordPress/5.8.4; https://censoredwebsitedomain.com"
172.68.50.231 - - [17/Jan/2023:13:25:47 +0000] "GET /?s=%E3%80%90%E5%9C%A8%E5%BA%AB%E3%81%82%E3%82%8A%E3%80%91mtg-%E3%80%90%E6%A5%BD%E5%A4%A9%E3%82%B9%E3%83%BC%E3%83%91%E3%83%BC%E3%82%BB%E3%83%BC%E3%83%AB%E3%80%91%E6%84%8F%E5%BF%97%E3%81%AE%E5%8A%9B-%E5%8F%AF%E6%84%9B%E3%81%84%E3%82%AF%E3%83%AA%E3%82%B9%E3%83%9E%E3%82%B9%E3%83%84%E3%83%AA%E3%83%BC%E3%82%84%E3%82%AE%E3%83%95%E3%83%88%E3%81%8C%EF%BC%81foil-%E6%97%A5%E6%9C%AC%E8%AA%9E%E7%89%88-PSA-MINT9Bo.f799ab HTTP/1.1" 200 15435 "-" "Mozilla/5.0 (compatible; BLEXBot/1.0; +http://webmeup-crawler.com/)"
As you can see, they are trying every second and that is just an example of 5 requests; there are thousands... This has been successful in changing the .htaccess file permissions and wp-config of some WordPress websites. So, basically, the website and database are compromised.

I see that this is a shared hosting environment and all the WordPress websites present the same symptoms... The owner of every virtual host html folder is nobody:nobody, which I feel is wrong, but I have no idea which user should read PHP files on OLS. PHP files also have nobody:nobody as owner, see attached screenshot... I read about suEXEC but I have no idea what it is or how to set it up in this environment. I would love to know the most secure way to set this up to avoid these attacks.
I would really appreciate any help.
Thank you.
Best,
Matt.

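As an added example (not part of the original post and not OpenLiteSpeed code), here is a small Python script that parses access.log lines in the format shown above and pulls out the pattern the post describes: per-client counts of /?s= site-search requests whose decoded term is CJK text, plus per-minute bursts from one client that throttling should be catching. The sample lines are constructed, modelled on the excerpt above with shortened terms and replaced hostnames.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit
# Constructed sample modelled on the access.log excerpt above (terms shortened,
# hostnames replaced); not from a real server.
SAMPLE_LOG = """\
172.68.50.230 - - [17/Jan/2023:13:24:21 +0000] "GET /?s=%E3%80%90%E5%9C%A8%E5%BA%AB%E3%81%82%E3%82%8A%E3%80%91YONEX-Bo.670f6 HTTP/1.1" 200 15350 "-" "Mozilla/5.0 (compatible; BLEXBot/1.0; +http://webmeup-crawler.com/)"
172.68.50.231 - - [17/Jan/2023:13:24:56 +0000] "GET /?s=%E3%80%90%E5%9C%A8%E5%BA%AB%E3%81%82%E3%82%8A%E3%80%91kik-Bo.726dd2 HTTP/1.1" 200 15204 "-" "Mozilla/5.0 (compatible; BLEXBot/1.0; +http://webmeup-crawler.com/)"
172.68.50.231 - - [17/Jan/2023:13:24:58 +0000] "GET /?s=%E3%80%90%E5%9C%A8%E5%BA%AB%E3%81%82%E3%82%8A%E3%80%91mtg-Bo.f799ab HTTP/1.1" 200 15435 "-" "Mozilla/5.0 (compatible; BLEXBot/1.0; +http://webmeup-crawler.com/)"
172.69.134.98 - - [17/Jan/2023:13:25:22 +0000] "POST /wp-cron.php?doing_wp_cron=1673961922.9558 HTTP/1.1" 200 - "https://example.invalid/wp-cron.php" "WordPress/5.8.4; https://example.invalid"
172.68.50.230 - - [17/Jan/2023:13:25:22 +0000] "GET /?s=%E3%80%90%E5%9C%A8%E5%BA%AB%E3%81%82%E3%82%8A%E3%80%91mema-Bo.115e50c HTTP/1.1" 200 15285 "-" "Mozilla/5.0 (compatible; BLEXBot/1.0; +http://webmeup-crawler.com/)"
10.0.0.5 - - [17/Jan/2023:13:25:30 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""
# Combined log format: ip ident user [ts] "method target proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# CJK punctuation, kana and ideographs, as in the decoded spam search terms
CJK = re.compile(r"[\u3000-\u30ff\u4e00-\u9fff\uff00-\uffef]")

def parse_line(line):
    """Parse one log line; adds the decoded WordPress ?s= term. None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    query = parse_qs(urlsplit(rec["target"]).query)  # percent-decodes the value
    rec["search"] = query["s"][0] if "s" in query else None
    return rec

def is_search_spam(rec):
    """Signature seen in the thread: a site search whose decoded term is CJK text."""
    return rec["search"] is not None and CJK.search(rec["search"]) is not None

def analyse(log_text, max_search_per_min=2):
    """Count spam searches per client and flag clients over the per-minute search limit."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    spam_by_ip = Counter()
    per_min = defaultdict(Counter)  # "YYYY-mm-dd HH:MM" -> ip -> number of ?s= hits
    for r in recs:
        if r["search"] is not None:
            per_min[r["ts"].strftime("%Y-%m-%d %H:%M")][r["ip"]] += 1
        if is_search_spam(r):
            spam_by_ip[r["ip"]] += 1
    bursts = {(minute, ip): n for minute, ips in per_min.items()
              for ip, n in ips.items() if n >= max_search_per_min}
    return {"parsed": len(recs), "spam_by_ip": dict(spam_by_ip), "bursts": bursts}
```

Run `analyse(open("/path/to/access.log").read())` against a real vhost log to see which clients the throttling and reCAPTCHA settings still let through.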

#2
UPDATE: Since I was pretty sure the file permissions were wrong I changed the virtual host html folder and all the files and directories below to root:nobody ownership. I don't know if this is the best practice having a shared hosting environment in a VPS but I am waiting to hear from some of you more experienced than me in this regard.
Thank you.
#3
UPDATE2: I was able to understand and configure suEXEC on the server. It still wasn't working, but I was getting a clear error in the server error log that led me to solve it (wrong user $VH_USER). I sent a message to LiteSpeed support to see if somebody could confirm folder permissions and they sent me a video. It helped and now I have everything working as it should. I hope this helps somebody else trying to figure out suEXEC on shared hosting:

Thank you everybody, even though this was a monologue. Lol