
I have an AWS server running Windows 2016 Datacenter. For the past few days, Windows Defender has been reporting Trojan:PHP/Obfuse.AR!MSR pointing to random phpXXXX.tmp files inside the C:\Windows\Temp folder.

I checked, and there are many files of that type in the temp folder, but only 2-3 are reported by Windows Defender as infected. I tried opening these files (after downloading them to my local PC) in Notepad and found they contain some HTML and PHP code, primarily a form with a file input.

I tried searching for this on Google and some articles suggested that these are hack attempts.

The only reason I have PHP enabled on the Windows server is that we need to run a WordPress site. The CPU and RAM usage on the server has also increased over the last 10-15 days. It used to stay below 10%, but now it varies between 30-40%, with Windows Defender being the highest contributor.

Is this bad? What steps should I take to investigate further and secure the server?

Any directions would be helpful. Unfortunately, we cannot afford to engage a professional to look into this matter.

Prashant Gupta
  • It seems your server has been compromised and you need to set it up again from clean backups. – Tero Kilkanen Feb 05 '21 at 15:22
  • Thanks for your input. The question you linked provides steps for dealing with a compromised server. In my case, I don't think my server is compromised, and I don't even use ZenCart. My sites are running fine, but the response time is a bit higher. My server may be under attack, but that does not mean I need to set it up again, as the new one may also become a target of attackers immediately. I am more specifically looking for a solution to the stated problem, i.e., what is creating the phpxxxx.tmp files and how to prevent it. – Prashant Gupta Feb 05 '21 at 15:36
  • If your application isn't creating files that are considered part of malware, then it is some other entity that has compromised your server and is writing the files. Once a server is compromised like that, the only safe option is to restore from clean backups and then make sure the system is properly updated with all security updates. If something similar happens after that, you need to look into your application and its security. There is no way of cleaning up the system otherwise. – Tero Kilkanen Feb 05 '21 at 15:41
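
The question asks what is writing the phpXXXX.tmp files and how to investigate further. The PowerShell triage script below is an added example, not code from the question or from either commenter. It assumes PHP runs under IIS with `upload_tmp_dir` left unset, so that files uploaded through a PHP form are written to C:\Windows\Temp as php<random>.tmp for the lifetime of the request; that IIS writes W3C logs to the default folder with the default field order, in UTC; and that `Get-MpThreatDetection` (the Windows Defender cmdlet) is available. The paths, the correlation window and the regular expressions are all assumptions to adjust for the server in question. The script only reads files, Defender history and logs; it changes nothing.

```powershell
# Added triage script (not from the question or the comments). Assumptions, labelled:
#  - PHP under IIS with upload_tmp_dir unset, so uploads land in C:\Windows\Temp as php<random>.tmp
#  - IIS W3C logs in the default folder with the default field order, timestamps in UTC:
#    date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip ...
# Read-only: run in an elevated PowerShell session on the server.

$TempDir   = 'C:\Windows\Temp'
$IisLogDir = 'C:\inetpub\logs\LogFiles\W3SVC1'   # assumption: default log path for site id 1

# 1. Inventory the php*.tmp files: creation time, size, SHA256, and whether the first lines
#    look like PHP source or an upload form rather than an opaque uploaded payload.
$tmpFiles = Get-ChildItem -Path $TempDir -Filter 'php*.tmp' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $head = ''
        try { $head = (Get-Content -Path $_.FullName -TotalCount 30 -ErrorAction Stop) -join "`n" } catch {}
        [pscustomobject]@{
            Name         = $_.Name
            CreatedUtc   = $_.CreationTimeUtc
            SizeBytes    = $_.Length
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            LooksLikePhp = [bool]($head -match '<\?php' -or $head -match 'enctype=.multipart/form-data')
        }
    }
$tmpFiles | Sort-Object CreatedUtc | Format-Table -AutoSize

# 2. Defender's own record: which of those paths it flagged, when, and from which process.
$flagged = Get-MpThreatDetection -ErrorAction SilentlyContinue |
    Where-Object { ($_.Resources -join ' ') -match 'php[^\\]*\.tmp' } |
    Select-Object InitialDetectionTime, ThreatID, ProcessName,
        @{ Name = 'Paths'; Expression = { $_.Resources -join '; ' } }
$flagged | Format-Table -AutoSize

# 3. Correlate: POST requests logged within a few minutes of each suspicious file's creation.
#    Uploads arrive as POST, so matching lines show the target URL and the client address.
function Get-RequestsNear {
    param([datetime]$WhenUtc, [int]$WindowSeconds = 180)
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    Get-ChildItem -Path $IisLogDir -Filter '*.log' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTimeUtc -ge $WhenUtc.AddDays(-1) } |
        ForEach-Object { Get-Content -Path $_.FullName -ErrorAction SilentlyContinue } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split ' '
            if ($f.Count -lt 9) { return }          # skip malformed lines
            try {
                $ts = [datetime]::SpecifyKind(
                    [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $culture), 'Utc')
            } catch { return }
            if ($f[3] -eq 'POST' -and [math]::Abs(($ts - $WhenUtc).TotalSeconds) -le $WindowSeconds) {
                [pscustomobject]@{ TimeUtc = $ts; ClientIp = $f[8]; Uri = $f[4]; Query = $f[5] }
            }
        }
}

foreach ($file in ($tmpFiles | Where-Object LooksLikePhp)) {
    Write-Host "`n== $($file.Name) created $($file.CreatedUtc) (UTC) =="
    Get-RequestsNear -WhenUtc $file.CreatedUtc | Sort-Object TimeUtc | Format-Table -AutoSize
}
```

What to read from the output: a php*.tmp file that still exists after its request finished and contains PHP source means something moved or kept it, which is not normal upload behaviour, and the POST lines that line up with each flagged file's creation time show which URL on the site accepted the upload and from which client address. Repeated POSTs from the same address to one plugin, theme or upload endpoint shortly before each detection point at the entry being abused; files Defender has already quarantined will be missing from step 1 but still listed in step 2 with their paths. Pointing PHP's `upload_tmp_dir` at a dedicated directory outside both the web root and C:\Windows\Temp keeps these artifacts separate from the rest of the system's temporary files and makes later review easier.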

0 Answers