  1. #1

    {HEX}php.cmdshell.cih.218 in wordpress files

    Running maldet in the folder of my server returned the following warning
    However, after running those files I couldn't identify exactly which code is considered dangerous.
    has anybody faced a similar situation before?

    NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 093014-1551.527547
    FILE HIT LIST:
    {HEX}php.cmdshell.cih.218 : /home/username/public_html/wp-content/plugins/wp_config/mod_system.php
    {HEX}php.cmdshell.cih.218 : /home/username/public_html/wp-content/plugins/wp_sed/mod_system.php
    {HEX}php.cmdshell.cih.218 : /home/username/public_html/wp-content/themes/default/404.php
    {HEX}php.cmdshell.cih.218 : /home/username/public_html/wp/pack.php
    {HEX}php.cmdshell.cih.218 : /home/username/public_html/wp/mysql_class.php

  2. #2
    Could be false positives, which I really doubt when maldet detects them as cmdshell. You should definitely quarantine them and check if there are further files that weren't detected. There are many malicious files that maldet fails to catch, especially those that are custom or encoded.

    I wouldn't be surprised if you'd find other malicious files distributed across other sub-folders. To make sure that there aren't any backdoors left, you should restore the respective account(s) from a clean backup.

    Also, you should never try to open those files on a live server. You should at most check the source code, preferably in a sandboxed environment.
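    The advice above is to assume maldet missed files and to go looking for more of them. The script below is an added example (not from the thread, and not maldet's own code) of that second pass: it walks a WordPress docroot for the indicators named in this thread (FilesMan, WSO, a back-connect helper) plus the usual shell building blocks, flags PHP dropped under wp-content/uploads, and notes whether each hit was modified recently. The indicator names, the sample docroot and its planted files are constructed assumptions for the demo; a hit is a reason to read the file, not proof of compromise.

```python
"""Post-maldet triage: scan a WordPress docroot for other PHP shell indicators.

Constructed example, not part of the thread and not maldet's own code. The
indicator names and the sample files below are assumptions made for the demo.
"""
import os
import re
import tempfile
import time

# Indicators mentioned in the thread (FilesMan, WSO, back-connect) plus the
# usual PHP shell building blocks. A hit is a reason to read the file, not proof.
INDICATORS = {
    "filesman_marker": re.compile(r"FilesMan", re.I),
    "wso_marker": re.compile(r"\bWSO\b|wso_version", re.I),
    "back_connect": re.compile(r"back_connect", re.I),
    "eval_decode": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I),
    "preg_replace_e": re.compile(r"preg_replace\s*\(\s*['\"]/.*?/[a-z]*e[a-z]*['\"]", re.I | re.S),
    "exec_from_request": re.compile(
        r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b",
        re.I),
    "socket_bind_listen": re.compile(r"\b(?:socket_create|socket_bind|socket_listen|fsockopen)\s*\(", re.I),
    # Weak signal on its own: long unbroken base64 runs are how encoded shells carry their payload.
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7")


def scan_file(path):
    """Return the sorted list of indicator names that fire on one file."""
    try:
        with open(path, "rb") as fh:
            text = fh.read().decode("utf-8", errors="replace")
    except OSError:
        return []
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_tree(root, recent_days=30, now=None):
    """Walk a docroot; report files with indicator hits and whether they changed recently."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root)
            hits = scan_file(full)
            # PHP under wp-content/uploads is never legitimate on a stock install.
            if fn.lower().endswith(PHP_EXTENSIONS) and "uploads" in rel.split(os.sep):
                hits.append("php_in_uploads")
            if hits:
                age_days = (now - os.path.getmtime(full)) / 86400.0
                findings.append({"path": rel, "indicators": sorted(hits),
                                 "recent": age_days <= recent_days})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_docroot():
    """Constructed sample docroot: one clean theme file, three planted suspicious files."""
    root = tempfile.mkdtemp(prefix="wp_triage_")
    samples = {
        "wp-content/themes/default/index.php": "<?php get_header(); get_footer(); ?>\n",
        # Stand-in for the WSO-style 404.php: a one-line eval backdoor.
        "wp-content/themes/default/404.php":
            "<?php\n// WSO 2.7 404\nif (isset($_POST['a'])) eval(base64_decode($_POST['a']));\n",
        # Stand-in for wp_sed/mod_system.php: FilesMan marker and a back-connect helper.
        "wp-content/plugins/wp_sed/mod_system.php":
            "<?php\n$auth_pass = '';\n// FilesMan\n"
            "function back_connect_p($h, $p) { return fsockopen($h, $p); }\n",
        # PHP dropped into uploads that executes a request parameter.
        "wp-content/uploads/2014/10/image.php": "<?php system($_REQUEST['cmd']); ?>\n",
    }
    now = time.time()
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
        # The clean file is a year old; the planted files carry fresh mtimes.
        mtime = now - 365 * 86400 if rel.endswith("index.php") else now
        os.utime(full, (mtime, mtime))
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_docroot()):
        flag = "RECENT" if f["recent"] else "old"
        print(f"{flag:6} {f['path']}: {', '.join(f['indicators'])}")
```

    Point `scan_tree()` at the real public_html and read every hit by hand; the mtime flag is only a hint, since attackers routinely touch files back to older timestamps.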

  3. #3
    Quote Originally Posted by albatroz:
    Running maldet in the folder of my server returned the following warning
    However, after running those files I couldn't identify exactly which code is considered dangerous.
    has anybody faced a similar situation before?

    NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 093014-1551.527547
    FILE HIT LIST:
    {HEX}php.cmdshell.cih.218 : /home/username/public_html/wp-content/plugins/wp_config/mod_system.php
    {HEX}php.cmdshell.cih.218 : /home/username/public_html/wp-content/plugins/wp_sed/mod_system.php
    {HEX}php.cmdshell.cih.218 : /home/username/public_html/wp-content/themes/default/404.php
    {HEX}php.cmdshell.cih.218 : /home/username/public_html/wp/pack.php
    {HEX}php.cmdshell.cih.218 : /home/username/public_html/wp/mysql_class.php
    I'd like to know what's in the source code of those files. I'd replace them with fresh files, or delete them if you don't need them.

  4. #4
    False-positives? In a bunch of WordPress plugin and theme folders?

    No.

    Guarantee when you look at the content it's going to be chopped all to hell. How long between your last maldetect and the one you ran today? Might be easier just to grab a backup and take the clean slate route....

  5. #5
    @albatroz

    Were those files uploaded recently? If so, how were they uploaded (FTP/control panel)? Was any other file uploaded from the same IP?

    Locating the behavior of the uploader will give you a clue on whether the upload was malicious.

    As @jetfirenetworks said, the safer route is to just restore from backup.

  6. #6
    I have seen the "/wp_sed/mod_system.php" script many times on infected WP sites lately.
    It was always the (in)famous 'FilesMan' shell script.
    Can you post the first 10 lines of code of that file?

  7. #7
    Quote Originally Posted by khunj:
    Can you post the first 10 lines of code of that file?
    Or not.

    The malware could be in a single line anywhere in that file. Screenshots are just as effective.

  8. #8
    Hello,
    Thank you for your replies.
    This is a screenshot with what appears to be part of the infected code.

    http://www.webhostingtalk.com/attach...1&d=1413132662
    Attachment: Screenshot 2014-10-12 11.21.14.png

  9. #9
    It definitely looks like a bot.

    I'd recommend securing your web server with a WAF like mod_sec+Comodo, and your FTP and Control Panel with CXS + ClamAV.

  10. #10
    Quote Originally Posted by VisakhBC:
    It definitely looks like a bot.

    I'd recommend securing your web server with a WAF like mod_sec+Comodo, and your FTP and Control Panel with CXS + ClamAV.
    Doo, doo, doooo, lookin' out my backdoor...

    Judging by the sophomoric "1337" bind port example in the back connect, it looks like the work of a skid, and it's probably part of something like an old c99/c100 shell that found its way onto an outdated/unhardened web server. I've attached an example. The backconnect binds to a specific port and drops a shell which attackers (skids) can use to execute commands, browse through your file system, symlink Apache, etc., just as if they were using the CLI. If it were me, I'd probably wipe the entire box and reload, assuming that you can't always catch everything that's been left behind and running the risk of another, possibly more severe compromise. These things can come back to haunt you and it's just not worth the risk. Would also suggest far more intensive hardening of your PHP config next time around. Good luck.
    Attachment: bdexample.jpg

  11. #11
    Quote Originally Posted by jetfirenetworks:
    it's probably part of something like an old c99/c100 shell that found it's way to an outdated/unhardened web server. I've attached an example. The backconnect binds to a specific port and drops a shell which attackers (skids) can use to execute commands, browse through your file system, symlink Apache, etc., just as if they were using the CLI.
    Yes, $back_connect_p showed that it's trying to establish a port opening which the attacker can access.

    And yes, it's the WSO 2.7 404 Error Web Shell posted at Madleets.com. It'll allow someone to execute commands via /bin/sh, but only if the server isn't adequately hardened.

    If your server has something like SuPHP and symlink protection, and is updated regularly, the shell is not likely to have much of an impact.


    Quote Originally Posted by jetfirenetworks:
    If it were me, I'd probably wipe the entire box and reload, assuming that you can't always catch everything that's been left behind and running the risk of another, possibly more severe compromise. These things can come back to haunt you and it's just not worth the risk. Would also suggest far more intensive hardening of your PHP config next time around. Good luck.
    If it's just a few sites, maybe reloading is fine, but if it's a shared server, I'd suggest you get someone to look into your box to see if there's a chance of a root compromise. If not, just cleaning out as per Maldet/ClamAV+SaneSecurity/CXS results and installing mod_security should be good enough.
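    Several replies above note that the posted files were "chopped all to hell" and that the shell only gave itself away through identifiers like $back_connect_p once it was unwrapped. Shells of the WSO/c99 family usually ship as eval(gzinflate(base64_decode('...'))) wrapped around further layers, so reading the first ten lines shows nothing. The script below is an added example, not from the thread and not WSO's or maldet's code, that peels those layers in Python without ever executing the PHP. The decoder table, the regex, and the sample payload (built by the script itself, a harmless `$port = 1337;` assignment) are constructed assumptions for the demo.

```python
"""Peel the eval(gzinflate(base64_decode('...'))) layering that encoded PHP shells use.

Constructed example, not from the thread and not WSO's or maldet's code. Function
names and the sample payload are assumptions for the demo; nothing is executed.
"""
import base64
import codecs
import re
import zlib

# Python equivalents of the PHP decoders that obfuscated shells chain together.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b),
    "gzinflate": lambda b: zlib.decompress(b, -zlib.MAX_WBITS),  # raw DEFLATE, like PHP's gzinflate
    "gzuncompress": lambda b: zlib.decompress(b),                 # zlib-wrapped, like PHP's gzuncompress
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}
NAMES = "|".join(DECODERS)

# Matches eval(f1(f2(...('literal')...))) and captures the wrapper chain and the literal.
CHAIN = re.compile(
    r"(?:eval\s*\(\s*)?((?:(?:" + NAMES + r")\s*\(\s*)+)(['\"])([^'\"]*)\2\s*\)+\s*;?",
    re.I | re.S)


def peel(source, max_layers=20):
    """Decode nested layers outside-in; return ([(chain, decoded_text), ...], final_text)."""
    layers = []
    current = source
    for _ in range(max_layers):
        m = CHAIN.search(current)
        if not m:
            break
        chain = re.findall(r"[a-z0-9_]+", m.group(1).lower())  # outermost wrapper first
        data = m.group(3).encode("latin-1")
        try:
            for name in reversed(chain):  # the innermost decoder runs first
                data = DECODERS[name](data)
        except (ValueError, zlib.error) as exc:
            layers.append((chain, f"<decode failed: {exc}>"))
            break
        current = data.decode("latin-1")
        layers.append((chain, current))
    return layers, current


def _deflate_raw(b):
    """Raw DEFLATE stream (no zlib header/trailer), the input PHP's gzinflate expects."""
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return c.compress(b) + c.flush()


# Inverse of DECODERS, used only to construct sample input for the demo.
ENCODERS = {
    "base64_decode": base64.b64encode,
    "gzinflate": _deflate_raw,
    "gzuncompress": zlib.compress,
    "str_rot13": DECODERS["str_rot13"],
    "strrev": lambda b: b[::-1],
}


def build_sample(payload, chain):
    """Wrap payload bytes as a shell author would; chain lists wrappers outermost first.

    Keep base64_decode innermost so the embedded literal never contains a quote.
    """
    data = payload
    for name in chain:  # encode in nesting order so the innermost decoder undoes the last step
        data = ENCODERS[name](data)
    expr = "'" + data.decode("latin-1") + "'"
    for name in reversed(chain):
        expr = f"{name}({expr})"
    return f"<?php eval({expr});"


if __name__ == "__main__":
    # Constructed two-layer sample: rot13+base64 inside gzinflate+base64.
    inner = build_sample(b"$port = 1337; echo 'innermost payload';", ["str_rot13", "base64_decode"])
    outer = build_sample(inner.encode("latin-1"), ["gzinflate", "base64_decode"])
    layers, final = peel(outer)
    for depth, (chain, text) in enumerate(layers, 1):
        print(f"layer {depth}: {' -> '.join(chain)}: {text[:60]!r}")
    print("final:", final)
```

    Run `peel()` on the text of each maldet hit and grep the final layer for the identifiers people in this thread were looking for (FilesMan, $back_connect_p, the bind port). Decoding stops at the first layer the static decoders cannot handle, which is where a sandboxed PHP run would be needed.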

  12. #12
    I think this thread should be posted in "Security" section instead of "Vulnerabilities" section.
