
Malicious php script keeps coming back.

Comments

3 comments

  • quizknows
    You need to take the timestamps of the file (stat command on the file, i.e. stat file.php) and then reference those to the log files. In most cases, your answer lies in the Apache domain access logs in /home/user/access_logs or /home/user/logs if you have log retention enabled. Most likely there is a vulnerable plugin, or other unwanted php file, being used to re-upload the one you're finding. Until you find that it will keep coming back.
    0
  • dmacomber
    Quizknows, Thanks for the info. I found over 800 entries for November in the log for the PHP script from the same IP. I couldn't get the stat for the file since I deleted it. I guess I could block the IP. Is there anything else I should look for?
    146.185.X.X - - [12/Nov/2014:07:15:22 -0500] "POST /sites/all/modules/references/menu87.php HTTP/1.1" 404 29365 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0"
    0
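The correlation quizknows describes (file timestamps from stat, matched against the Apache access log) can be scripted. The example below is an added illustration, not code posted in this thread: it parses Apache combined-format lines like the one dmacomber quoted, pulls out the requests within a window of the dropped file's modification time, and lists the PHP paths that received POSTs in that window, which is where a vulnerable upload handler usually shows up. Because the original file was already deleted, it also finds the earliest request to the dropped file's path as a fallback anchor time. The log lines other than the quoted one, the file mtime and the ten-minute window are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache "combined" LogFormat, the format of the line quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log. Only the 146.185.X.X line comes from the thread; the
# rest is invented to show an upload handler being hit just before the dropped
# file is first requested. IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2014:06:58:03 -0500] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Nov/2014:07:02:41 -0500] "POST /sites/all/modules/oldplugin/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Nov/2014:07:02:55 -0500] "POST /sites/all/modules/references/menu87.php HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2014:07:40:10 -0500] "GET /node/5 HTTP/1.1" 200 9911 "-" "Mozilla/5.0"
146.185.X.X - - [12/Nov/2014:07:15:22 -0500] "POST /sites/all/modules/references/menu87.php HTTP/1.1" 404 29365 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0"
"""

# Hypothetical mtime as "stat file.php" would report it (assumed value).
FILE_MTIME = datetime(2014, 11, 12, 7, 2, 41, tzinfo=timezone(timedelta(hours=-5)))
DROPPED_PATH = "/sites/all/modules/references/menu87.php"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def parse_log(text):
    """Parse every well-formed line; malformed lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def requests_near(entries, anchor_time, window=timedelta(minutes=10)):
    """Requests whose timestamp lies within +/- window of the file timestamp."""
    return sorted((e for e in entries if abs(e["ts"] - anchor_time) <= window),
                  key=lambda e: e["ts"])


def earliest_hit(entries, path):
    """First request for the dropped file; useful when stat is no longer possible."""
    hits = [e for e in entries if e["path"] == path]
    return min(hits, key=lambda e: e["ts"]) if hits else None


def php_writers(entries):
    """Count POSTs to .php paths per (ip, path, status): candidate upload vectors."""
    counts = Counter()
    for e in entries:
        if e["method"] == "POST" and e["path"].lower().endswith(".php"):
            counts[(e["ip"], e["path"], e["status"])] += 1
    return counts


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    first = earliest_hit(entries, DROPPED_PATH)
    print("dropped file first requested at", first["ts"] if first else "never")
    for (ip, path, status), n in php_writers(requests_near(entries, FILE_MTIME)).items():
        print(f"{n:4d}  {ip:15s} {status}  {path}")
```

Run against a real log, feed the mtime from stat (or the timestamp of the earliest hit on the dropped path) as the anchor and look at the POST targets that come just before it; in the constructed sample that is the oldplugin/upload.php request, not the 146.185.X.X address. A 404 with a large response body for the dropped path, as in the quoted line, just means the caller is still requesting a script that has since been removed, which is why the requests immediately before the file's creation matter more than the ones after it.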
  • Brian
    Blocking the IP would simply be addressing the symptom (the file existing), and not the cause (how the file is getting there). Basically, if you block the IP then anyone else can still leverage whatever the exploit is that's being used and put it or any other file back in place. You need to determine the *how*. What script vulnerability or software vulnerability exists that is allowing someone to deploy a custom script in your directory? This is a tough question to answer, especially when you realize that someone with that level of access could have also deployed their own backdoor that you don't know about into your account. Meaning, if you DO somehow find and fix the origin exploit, they may have their own backdoor so that they can still continue to exploit your account unaffected. The "ideal" situation that I tend to recommend to anyone experiencing this behavior is to start fresh with brand new installs of whatever scripts are on your account. Set up a new fresh account, deploy NEW installs of scripts on it again (WordPress, phpBB, etc. Whatever you're using) and restore from known good MySQL backups of those scripts. Then, make sure all scripts are up-to-date and security patched. Do NOT pull forward any files from the old account, as you risk bringing forward the vulnerabilities or potential backdoors. It's certainly less time-consuming than trying to trace back through to the precise code block(s) of whatever script(s) are being abused, and you also reasonably address the risk of bringing forward any backdoors. It does, however, require a decent amount of time and effort. I know this may not be the answer you're looking for, but keep in mind every day this goes unaddressed is a day that potentially 100% of your data in that account is wide open to being accessed by one or more persons.
    Keeping all of your scripts updated and security patched along with the versions of Apache and PHP that you operate is your best bet to prevent this from happening again (once you perform all the fresh install/deployments to address the matter).
    0
