14

My website has been hacked lately and it has been defaced. Now I have weird files and don't know where they are coming from. I just want to know which of these files are harmful or could cause me to get hacked again.

The .htaccess contains the following code:

<Files 403.shtml>
order allow,deny
allow from all
</Files>

deny from 121.54.58.159

The file .wysiwygPro_preview_eacf331f0ffc35d4b482f1d15a887d3b.php contains the following code:

<?php
// display the HTML code:
echo stripslashes($_POST['wproPreviewHTML']);

?>
winona (edited by Giacomo1968)
  • FWIW, someone on StackOverflow seems to be victim of a similar attack. http://stackoverflow.com/questions/23452892/what-is-this-file-in-htaccess/23452940#23452940 – Giacomo1968 May 04 '14 at 05:36

6 Answers

17

What is that?

The PHP file is an XSS backdoor. It allows the attacker to provide any HTML with JavaScript in the context of your site. This allows him access to cookies set by your site.

An attacker will trick a victim into making a POST request to that file with the malicious code in the wproPreviewHTML variable. If that user has special permissions on your site, e.g. because he is logged in, the attacker will be able to do anything that user can do.

The forbidden error may be suspicious, too. Some malicious software tries to hide in the error document. As the error documents are usually outside the document root folder for the normal web pages, there is quite a high chance for such modifications to be unnoticed.

What to do now?

You need to set up your server from scratch, as you cannot know the complete impact of the manipulation. It is likely that there is a backdoor hidden somewhere. Do not copy any program files (including scripts and PHP files) from the compromised server to the new one.

Furthermore, there are some malicious programs for desktop computers which manipulate PHP files during upload via FTP or SFTP.

Hendrik Brummermann (edited by Mark)
  • can you provide more details on the backdoor? Is it intended to be malicious, or is it being improperly used? – schroeder Dec 13 '11 at 16:17
  • [+2] @schroeder, the XSS backdoor is malicious. The exploit tries to hide it as a programming mistake. But as this file is created by the attacker and has no other purpose at all, it is safe to assume malicious intent. There is too little information on how the attacker got access to the server and what server level backdoors he left. – Hendrik Brummermann Dec 13 '11 at 18:36
  • [+1] While the wysiwygPro file is technically an XSS backdoor, most likely it's not something planted by the defacer, but a leftover from a cpanel in-browser file editor like @ChrisDavis noticed in his answer. It should be deleted though. – Krzysztof Kotowicz Jan 03 '12 at 15:10
  • @KrzysztofKotowicz - I would trust Krzysztof Kotowicz's view on the matter before somebody with 21 reputation points and a single answer on this site. – Ramhound Jan 03 '12 at 15:53
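The answer above pins the problem on one line: request data (`$_POST['wproPreviewHTML']`) flows straight into `echo` with no escaping, so whoever can make a browser POST to that URL controls what the site renders. A quick way to find more files of that shape during cleanup is a small static scanner. The following Python script is an added example, not code from the question or from any of the answers; the regexes, the `ESCAPERS` list and the two sample sources (the snippet from the question, and an escaped variant) are constructed here, and the scanner is deliberately a heuristic: it looks for `echo`/`print`/`printf`/`<?=` statements whose expression references a request superglobal without passing through an escaping call, and misses multi-line statements and indirect flows.

```python
import os
import re
from pathlib import Path

# Request superglobals whose values are attacker-controlled.
TAINTED = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[")
# Output sinks: echo, print, printf and the <?= short-echo tag. The expression
# runs to the end of the statement or line, so multi-line statements are missed.
SINK = re.compile(r"(?:\becho\b|\bprintf?\b|<\?=)\s*(?P<expr>[^;\n]+)")
# Calls that neutralise HTML (or force a number) before output; anything else
# reaching the sink is treated as raw. This list is an assumption of the example.
ESCAPERS = ("htmlspecialchars(", "htmlentities(", "intval(", "(int)")


def scan_php(source: str, path: str = "<string>") -> list[dict]:
    """Return one finding per output statement that emits request data unescaped."""
    findings = []
    for m in SINK.finditer(source):
        # Drop a trailing '?>' so '<?= $_GET["q"] ?>' yields just the expression.
        expr = m.group("expr").rstrip(" \t?>")
        if not TAINTED.search(expr):
            continue
        if any(esc in expr for esc in ESCAPERS):
            continue
        line = source.count("\n", 0, m.start()) + 1
        findings.append({"path": path, "line": line, "expr": expr.strip()})
    return findings


def scan_directory(root) -> list[dict]:
    """Scan every *.php file under root; os.walk lists dotfiles such as
    .wysiwygPro_preview_*.php as well, which rglob-style patterns may not."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            if name.lower().endswith(".php"):
                p = Path(dirpath, name)
                findings.extend(scan_php(p.read_text(errors="replace"), str(p)))
    return findings


# Constructed sample: the tail of the file quoted in the question.
VULNERABLE = """<?php
// display the HTML code:
echo stripslashes($_POST['wproPreviewHTML']);
?>"""

# Constructed sample: the same sink with the value escaped before output. Note
# that escaping turns the "preview" into plain text; it is here to show what
# the scanner accepts, not as a drop-in replacement for the editor feature.
HARDENED = """<?php
echo htmlspecialchars($_POST['wproPreviewHTML'] ?? '', ENT_QUOTES, 'UTF-8');
?>"""

if __name__ == "__main__":
    for finding in scan_php(VULNERABLE, "preview.php"):
        print(f"{finding['path']}:{finding['line']}: raw request data in output: {finding['expr']}")
    print("hardened sample findings:", scan_php(HARDENED))
```

Run `scan_directory("/path/to/webroot")` over the compromised tree before wiping it to get a list of raw sinks worth reporting to whoever ships the software; the escaped variant is what the scanner considers clean, but for a real preview endpoint the fix is to bind the request to the logged-in user's session rather than to escape away the HTML it exists to render.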
6

Website been hacked? Follow this checklist:

  • Remove ALL files from the server and restore from a "known good" backup. If no such backup exists, reinstall from source and import only your data, not any of the program (e.g. PHP) files.
  • Change all your passwords, including:
    • FTP password
    • Database passwords
    • site admin passwords.
  • Disable any unnecessary plugins, modules, etc.
  • Remove any unused software (e.g. that blog that you never use, or that database admin tool that you used only once)
  • Update all the web software you use (e.g. Joomla, WordPress, etc.) as well as any remaining plugins and modules to the very latest version.
  • Update your system software components to the latest version (e.g. apt-get update && apt-get upgrade or yum update).
  • Enable automatic updating where possible.

tylerl
  • no reason to assume that restoring data is safe. e.g. stored xss vectors, or other malicious instructions could be present. – Cheekysoft Dec 14 '11 at 15:23
  • @Cheekysoft true, however without the data you just have an empty site. Obviously if you can re-create the entire site from memory then that's preferable... but unlikely. – tylerl Dec 14 '11 at 18:31
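The first item of the checklist, restore from a known-good copy rather than carry anything over, is much easier to act on if you can see exactly what differs between the compromised tree and that copy: files that were added (such as the .wysiwygPro_preview_*.php file from the question), files whose content changed (such as .htaccess), and files that went missing. The Python script below is an added example, not part of the answer; it hashes every regular file under two directory trees, diffs the two manifests, and `demo()` builds two small constructed trees in a temporary directory to show the output. The function names and the sample file contents are assumptions of the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict[str, str]:
    """Map relative POSIX path -> sha256 for every regular file under root.
    os.walk is used so dotfiles (.htaccess, .wysiwygPro_preview_*.php) are included."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath, name)
            if p.is_file():
                manifest[p.relative_to(root).as_posix()] = file_sha256(p)
    return manifest


def diff_manifests(known_good: dict, live: dict) -> dict[str, list[str]]:
    """Classify every path as added, removed or modified relative to the known-good tree."""
    good_paths, live_paths = set(known_good), set(live)
    return {
        "added": sorted(live_paths - good_paths),
        "removed": sorted(good_paths - live_paths),
        "modified": sorted(p for p in good_paths & live_paths if known_good[p] != live[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed example: a backup tree and a 'live' tree with two tell-tale changes."""
    with tempfile.TemporaryDirectory() as tmp:
        good, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (good, live):
            root.mkdir()
            (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (good / ".htaccess").write_text("Options -Indexes\n")
        # The live copy has the deny line from the question appended ...
        (live / ".htaccess").write_text("Options -Indexes\ndeny from 121.54.58.159\n")
        # ... and the leftover preview file (placeholder suffix, not the real random id).
        (live / ".wysiwygPro_preview_EXAMPLE.php").write_text(
            "<?php echo stripslashes($_POST['wproPreviewHTML']); ?>\n")
        return diff_manifests(build_manifest(good), build_manifest(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

For a real site, build the known-good manifest from the vendor's pristine release archive of the CMS rather than from your last backup, since a backup taken after the intrusion will hash the attacker's files as "good".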
5

Strongly consider using operating system controls to provide an extra layer of control and auditing on top of your webserver.

Do also take the time to read all the answers on that question.

Jeff Ferland
4

This file .wysiwygPro_preview_eacf331f0ffc35d4b482f1d15a887d3b.php is not a backdoor to be worried about. It is created by the cpanel file manager whenever you use the built-in HTML editor in the file manager of cpanel.

The files should be deleted though if they are left behind by the editor.

  • [+1] The content of that file, as posted by winona, contains an XSS vulnerability. Do you know if recent versions of that application still create that file? Might be a good idea to open a bug report with the vendor. – Hendrik Brummermann Jan 03 '12 at 15:52
  • @Chris Davis - Do you have any evidence besides your word that this file isn't malicious? I wouldn't trust a user with so little reputation, and a clear inability to communicate, and provided no proof. If I had the reputation to downvote this answer I would. – Ramhound Jan 03 '12 at 15:56
  • If created by cpanel that the user is using, that would be a relief in that it doesn't indicate the server was compromised. It is wrong to say that is nothing to be worried about even if it was created by legitimate software, however. That is an ugly piece 'o XSS harboring code. For that, my vote is currently +/- 0. – Jeff Ferland Jan 03 '12 at 16:07
  • [+2] According to the question, the website was defaced. So the system was compromised. I think it is a minor point whether it was this vulnerability or another one that the attacker used, and whether the file was created by insecure software or left by the attacker. But in the insecure-software case, it will be a good idea to verify if the issue still exists in the most recent version, and open a bug report. – Hendrik Brummermann Jan 03 '12 at 16:29
  • If I were the author I would make sure I had the current version of cpanel installed. If it's shared hosting I would accept the risk that comes with shared hosting. – Ramhound Jan 03 '12 at 20:11
  • I added the link to a similar issue users have with cPanel. Can't verify with the vendor as cPanel is closed source, but it looks like a common issue. – Krzysztof Kotowicz Jan 03 '12 at 20:53
  • @KrzysztofKotowicz - Unless you have a link where cPanel confirms it's a bug, then one cannot trust the mob; many people run insecure servers. – Ramhound Jan 04 '12 at 16:22
  • [+1] +1 - Tested on Hostgator with a newly created CPanel account. I have a reseller account so I could easily create and delete accounts. And by the way, there was also a .smileys folder with a bunch of icons that was created after I started the HTML editor. Nothing to worry about. – Nabil Kadimi Jan 31 '13 at 22:20
2

As Chris Davis answered, the PHP file is not a malicious backdoor; it is created by the cPanel file manager WYSIWYG editor and it is extremely unlikely that the file has anything to do with the site being defaced.

This is not nearly as insecure as it looks in the original post. The file name is a long random string and another long random string needs to be passed to it to do anything. That string gets updated every time the editor saves. The rest of the file looks something like this:

<?php
if ($_GET['randomId'] != "AYEPENANR_zMBVyKHKQAYv6UF6nPMY5xV6iFIvaOQTTw0lLpE1O2SH0ZzoSfvUuY") {
    echo "Access Denied";
    exit();
}

// display the HTML code:
echo stripslashes($_POST['wproPreviewHTML']);

?>
Billy
-1

It is not definitely malware.

At least, not in the sense it's intended for malicious reasons...

In the case you are using cpanel and you have used its IP Deny Manager to block access to 121.54.58.159 then this will automatically be written to your .htaccess file with the intended purpose of blocking that IP (and any others you may wish to enter):

<Files 403.shtml>
order allow,deny
allow from all
</Files>

deny from 121.54.58.159

Do you use cpanel and if so, do you remember doing that?

Magpie
  • This answer, while maybe correct, doesn't actually say anything that previous answers haven't already said. Further, previous answers were over two years ago. – Chris Murray Dec 16 '14 at 16:52
  • @ChrisMurray I considered that before posting because the bbm answer is fairly close to mine. I thought about editing it at first, but on balance it is as incorrect to assume that cpanel added this text as it is to attribute its presence to malware. So essentially, I don't agree that any of the other answers are correct. – Magpie Dec 16 '14 at 17:37
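Whether the .htaccess fragment came from cPanel's IP Deny Manager or from someone else, the practical question for the site owner is the same: which hosts does the file deny, in which scope, and is the syntax even valid. The following Python parser is an added example and not code from this answer or from cPanel; it handles only the small subset of .htaccess syntax that appears on this page (`<Files>` sections, `Order`, `Allow from`, `Deny from`), classifies each operand, and warns on an `Order` argument such as `allow, deny` with a space, which Apache rejects because `Order` takes exactly one argument (the `Order`/`Allow`/`Deny` directives are the Apache 2.2 access-control syntax, provided by mod_access_compat on 2.4). The sample texts are the two versions of the fragment quoted on this page.

```python
import re
from ipaddress import ip_address, ip_network

# Line patterns for the subset of .htaccess syntax used in the question.
FILES_OPEN = re.compile(r"^<Files\s+(?P<name>[^>]+?)\s*>$", re.IGNORECASE)
FILES_CLOSE = re.compile(r"^</Files>$", re.IGNORECASE)
ORDER = re.compile(r"^Order\s+(?P<args>.+?)$", re.IGNORECASE)
ACCESS = re.compile(r"^(?P<verb>Allow|Deny)\s+from\s+(?P<hosts>.+?)$", re.IGNORECASE)
VALID_ORDERS = ("allow,deny", "deny,allow", "mutual-failure")


def classify_host(token: str) -> str:
    """Return 'all', 'ip', 'network' or 'other' for one Allow/Deny operand."""
    if token.lower() == "all":
        return "all"
    try:
        ip_address(token)
        return "ip"
    except ValueError:
        pass
    try:
        ip_network(token, strict=False)
        return "network"
    except ValueError:
        return "other"


def parse_htaccess(text: str) -> dict:
    """Collect Order/Allow/Deny per scope ('global' or a <Files> name) plus warnings."""
    result = {"global": {"order": None, "allow": [], "deny": []}, "files": {}, "warnings": []}
    scope, scope_name = result["global"], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := FILES_OPEN.match(line)):
            if scope_name is not None:
                result["warnings"].append(f"line {lineno}: nested <Files> not supported")
            scope_name = m.group("name")
            scope = result["files"].setdefault(scope_name, {"order": None, "allow": [], "deny": []})
        elif FILES_CLOSE.match(line):
            if scope_name is None:
                result["warnings"].append(f"line {lineno}: </Files> without opening <Files>")
            scope, scope_name = result["global"], None
        elif (m := ORDER.match(line)):
            args = m.group("args")
            # Order is a single-argument directive: "allow, deny" tokenises as two
            # arguments and Apache refuses the configuration, so flag it.
            if args.lower() not in VALID_ORDERS:
                result["warnings"].append(f"line {lineno}: invalid Order argument {args!r}")
            scope["order"] = args
        elif (m := ACCESS.match(line)):
            scope[m.group("verb").lower()].extend(m.group("hosts").split())
        else:
            result["warnings"].append(f"line {lineno}: unrecognised directive {line!r}")
    if scope_name is not None:
        result["warnings"].append("unterminated <Files> section")
    return result


def denied_hosts(parsed: dict) -> list[tuple[str, str]]:
    """Global deny operands with their classification, for review by the site owner."""
    return [(h, classify_host(h)) for h in parsed["global"]["deny"]]


# The fragment as quoted in the question.
QUESTION_HTACCESS = """<Files 403.shtml>
order allow,deny
allow from all
</Files>

deny from 121.54.58.159
"""

# The same fragment with the spaced Order argument from this answer.
SPACED_ORDER = QUESTION_HTACCESS.replace("order allow,deny", "order allow, deny")

if __name__ == "__main__":
    parsed = parse_htaccess(QUESTION_HTACCESS)
    print("denied:", denied_hosts(parsed))
    print("files sections:", parsed["files"])
    print("warnings for spaced variant:", parse_htaccess(SPACED_ORDER)["warnings"])
```

The `<Files 403.shtml>` block with `allow from all` is what keeps the custom 403 page itself reachable for the denied address; the parser reports it as a separate scope so it is not mistaken for a global allow.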